REJECT!: [PATCH 0/1x2] [CVE-2011-4131] NFSv4: include bitmap in nfsv4 get acl data
Brad Figg
brad.figg at canonical.com
Tue May 1 22:48:57 UTC 2012
On 05/01/2012 03:45 PM, Brad Figg wrote:
> The following two patches address this CVE for Oneiric and Natty. The CVE has
> been referred back to the security team for Lucid and Hardy.
>
>
> CVE-2011-4131
>
> BugLink: http://bugs.launchpad.net/bugs/893147
>
> The NFSv4 bitmap size is unbounded: a server can return an arbitrary
> sized bitmap in an FATTR4_WORD0_ACL request. Replace using the
> nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
> with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
> xdr length to the (cached) acl page data.
>
> This is a general solution to commit e5012d1f "NFSv4.1: update
> nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
> when getting ACLs.
>
> Fix a bug in decode_getacl that returned -EINVAL on ACLs > page when getxattr
> was called with a NULL buffer, preventing ACL > PAGE_SIZE from being retrieved.
>
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
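As an added illustration (not the kernel's code and not the rejected patch), the following self-contained C routine shows the defensive pattern the CVE description calls for: the bitmap word count supplied by the server is checked against the bytes actually received rather than a compile-time guess, the bitmap and the ACL XDR length are budgeted against the cached page together with the ACL data, and a NULL destination is treated as a size probe instead of an error. The function names, PAGE_SZ and the sample replies are constructed for the example.

```c
/* Added example, not the kernel's code: a bounds-checked decoder for an XDR
 * attribute bitmap followed by an opaque ACL, mirroring the hazards in the CVE
 * description. Names, PAGE_SZ and the sample replies are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SZ 4096u            /* constructed stand-in for PAGE_SIZE */
struct xdr_in { const uint8_t *p; size_t left; };

static int get_u32(struct xdr_in *x, uint32_t *out)
{
    if (x->left < 4) return -1;   /* never read past the received data */
    *out = ((uint32_t)x->p[0] << 24) | ((uint32_t)x->p[1] << 16) |
           ((uint32_t)x->p[2] << 8)  |  (uint32_t)x->p[3];
    x->p += 4; x->left -= 4;
    return 0;
}

/* Returns the ACL length, or -1 for malformed or oversized input. With a NULL
 * page the call is a size probe and only validates the encoding. */
int decode_bitmap_and_acl(const uint8_t *buf, size_t len,
                          uint8_t *page, size_t page_len)
{
    struct xdr_in x = { buf, len };
    uint32_t nwords, acl_len;
    if (get_u32(&x, &nwords) < 0) return -1;
    /* nwords is server controlled: check it against bytes present, not a guess */
    if (nwords > x.left / 4) return -1;
    size_t bitmap_bytes = 4 + (size_t)nwords * 4;       /* count word + words */
    x.p += (size_t)nwords * 4; x.left -= (size_t)nwords * 4;
    if (get_u32(&x, &acl_len) < 0) return -1;
    size_t padded = ((size_t)acl_len + 3) & ~(size_t)3; /* XDR pads to 4 bytes */
    if (padded > x.left) return -1;
    if (page == NULL) return (int)acl_len;               /* size probe, not an error */
    /* budget bitmap + acl xdr length + acl data against the cached page */
    if (bitmap_bytes + 4 + padded > page_len) return -1;
    memcpy(page, buf, bitmap_bytes + 4 + padded);
    return (int)acl_len;
}

/* constructed replies: a valid one with a 2-word bitmap and a 5-byte ACL, and a
 * hostile one claiming 0xffffffff bitmap words with almost no data behind it */
static const uint8_t sample_ok[] = { 0,0,0,2, 0,0,0,0x10, 0,0,0,0x20,
                                     0,0,0,5, 'a','b','c','d','e',0,0,0 };
static const uint8_t sample_huge[] = { 0xff,0xff,0xff,0xff, 0,0,0,0 };
static uint8_t page_buf[PAGE_SZ];
```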