Resubmit: [PATCH 0/1x2] [CVE-2011-4131] NFSv4: include bitmap in nfsv4 get acl data

Brad Figg brad.figg at canonical.com
Tue May 1 22:49:48 UTC 2012


The following two patches address this CVE for Oneiric and Natty. The CVE has
been referred back to the security team for Lucid and Hardy.


CVE-2011-4131

BugLink: http://bugs.launchpad.net/bugs/893147

The NFSv4 bitmap size is unbounded: a server can return an arbitrarily
sized bitmap in an FATTR4_WORD0_ACL request.  Replace using
nfs4_fattr_bitmap_maxsz as a guess at the maximum bitmask returned by a server
with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
xdr length in the (cached) acl page data.

This is a general solution to commit e5012d1f "NFSv4.1: update
nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
when getting ACLs.

Fix a bug in decode_getacl that returned -EINVAL on ACLs > page when getxattr
was called with a NULL buffer, preventing ACL > PAGE_SIZE from being retrieved.


-- 
1.7.9.5
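Added example, not part of Brad Figg's mail or of the kernel patch it carries: a bounded decoder for the XDR the commit message is about, namely a GETATTR reply body consisting of a bitmap4 (length word, then that many u32 bitmask words) followed by an opaque attr list (length word, bytes, padding to 4), as RFC 3530 encodes them. The server chooses both length words, so a compile-time guess at the bitmap size cannot bound them; here every length is checked against the bytes actually present before it is used as an array bound or consumed from the buffer. BITMAP_WORDS_LIMIT, the function and type names, and the sample byte strings are this example's own constructions, not kernel code or captured traffic.

```c
/*
 * Added example, not the kernel patch: bounded decoding of an NFSv4
 * GETATTR reply body (bitmap4 + opaque attr list, RFC 3530 XDR).
 * Names, limits and sample bytes are this example's own assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XDR_UNIT 4u
#define BITMAP_WORDS_LIMIT 16u      /* assumed cap on bitmap words we accept */
#define FATTR4_WORD0_ACL (1u << 12) /* FATTR4_ACL is attribute 12 (RFC 3530) */

enum {
    XDR_OK            =  0,
    XDR_ERR_TRUNCATED = -1,  /* a length word promises more than the buffer holds */
    XDR_ERR_TOO_LARGE = -2,  /* bitmap count exceeds BITMAP_WORDS_LIMIT */
};

struct xdr_stream { const uint8_t *p; size_t left; };

struct acl_reply {
    uint32_t bitmap[BITMAP_WORDS_LIMIT];
    uint32_t bitmap_words;  /* words actually present on the wire */
    uint32_t acl_len;       /* declared attr-list length in bytes */
    const uint8_t *acl;     /* points into the caller's buffer */
    size_t consumed;        /* bitmap (length + words) plus padded acl data */
};

static int xdr_read_u32(struct xdr_stream *x, uint32_t *out)
{
    if (x->left < XDR_UNIT)
        return XDR_ERR_TRUNCATED;
    *out = ((uint32_t)x->p[0] << 24) | ((uint32_t)x->p[1] << 16) |
           ((uint32_t)x->p[2] << 8)  |  (uint32_t)x->p[3];
    x->p += XDR_UNIT;
    x->left -= XDR_UNIT;
    return XDR_OK;
}

/* Round an opaque length up to the 4-byte XDR boundary. */
static size_t xdr_padded(uint32_t len)
{
    return ((size_t)len + XDR_UNIT - 1) & ~(size_t)(XDR_UNIT - 1);
}

int decode_acl_reply(const uint8_t *buf, size_t len, struct acl_reply *out)
{
    struct xdr_stream x = { buf, len };
    uint32_t words, i;
    int rc;

    memset(out, 0, sizeof(*out));

    /* bitmap4: check the count against our cap before it indexes bitmap[],
     * and against the remaining bytes before the words are read. The cap
     * check comes first so the multiplication cannot overflow. */
    if ((rc = xdr_read_u32(&x, &words)) != XDR_OK)
        return rc;
    if (words > BITMAP_WORDS_LIMIT)
        return XDR_ERR_TOO_LARGE;
    if (x.left < (size_t)words * XDR_UNIT)
        return XDR_ERR_TRUNCATED;
    for (i = 0; i < words; i++)
        (void)xdr_read_u32(&x, &out->bitmap[i]);
    out->bitmap_words = words;

    /* attrlist4: opaque<>. The declared length, padded, must fit in what
     * is left; otherwise the reply is truncated or lying about its size. */
    if ((rc = xdr_read_u32(&x, &out->acl_len)) != XDR_OK)
        return rc;
    if (x.left < xdr_padded(out->acl_len))
        return XDR_ERR_TRUNCATED;
    out->acl = x.p;
    x.p += xdr_padded(out->acl_len);
    x.left -= xdr_padded(out->acl_len);

    out->consumed = len - x.left;
    return XDR_OK;
}

/* Constructed sample replies (not captured traffic). */
static const uint8_t good_reply[] = {
    0,0,0,2,  0,0,0x10,0,  0,0,0,0,        /* bitmap4: 2 words, ACL bit set */
    0,0,0,5,  'a','c','l','!','!', 0,0,0   /* opaque: 5 bytes + 3 pad */
};
static const uint8_t huge_bitmap[]   = { 0x7f,0xff,0xff,0xff, 0,0,0x10,0 };
static const uint8_t short_bitmap[]  = { 0,0,0,2, 0,0,0x10,0 }; /* 2 promised, 1 present */
static const uint8_t oversized_acl[] = { 0,0,0,1, 0,0,0x10,0, 0,1,0,0, 'a','b','c','d' };

/* Wrappers returning scalars so each outcome can be checked by name. */
int decode_good(void)      { struct acl_reply r; return decode_acl_reply(good_reply, sizeof good_reply, &r); }
size_t good_consumed(void) { struct acl_reply r; decode_acl_reply(good_reply, sizeof good_reply, &r); return r.consumed; }
uint32_t good_word0(void)  { struct acl_reply r; decode_acl_reply(good_reply, sizeof good_reply, &r); return r.bitmap[0]; }
uint32_t good_acl_len(void){ struct acl_reply r; decode_acl_reply(good_reply, sizeof good_reply, &r); return r.acl_len; }
int decode_huge(void)      { struct acl_reply r; return decode_acl_reply(huge_bitmap, sizeof huge_bitmap, &r); }
int decode_short(void)     { struct acl_reply r; return decode_acl_reply(short_bitmap, sizeof short_bitmap, &r); }
int decode_oversized(void) { struct acl_reply r; return decode_acl_reply(oversized_acl, sizeof oversized_acl, &r); }

int main(void)
{
    printf("good: rc=%d consumed=%zu word0=0x%x acl_len=%u\n",
           decode_good(), good_consumed(), good_word0(), good_acl_len());
    printf("huge=%d short=%d oversized=%d\n",
           decode_huge(), decode_short(), decode_oversized());
    return 0;
}
```

The "consumed" field is the quantity the commit message says the fix accounts for (bitmap length word plus bitmask words plus padded ACL data); a caller sizing a reply buffer from a fixed word count instead of from what the wire actually carries is exactly what the hostile samples above would defeat.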