The new NFS server will process READDIR on non-directories. A kernel panic is almost certain if readdir is executed on a regular file. Fix: Patch attached with submission follows:
Responsible Changed From-To: freebsd-bugs->freebsd-fs Over to maintainer(s).
Responsible Changed From-To: freebsd-fs->secteam
Author: des Date: Mon Apr 29 20:09:44 2013 New Revision: 250055 URL: http://svnweb.freebsd.org/changeset/base/250055 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Modified: head/sys/fs/nfsserver/nfs_nfsdport.c Modified: head/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- head/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 19:30:35 2013 (r250054) +++ head/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:09:44 2013 (r250055) @@ -1574,6 +1574,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
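Review bot: The new guard in nfsrvd_readdir() is written as "!nd->nd_repstat", while the context line directly below it tests "nd->nd_repstat == 0"; use the "== 0" form so the two adjacent conditions read the same way. A one-line comment above the check, saying that READDIR must be refused on any vnode whose v_type is not VDIR, would also help, since nothing in the hunk explains why the type test is needed or why it sits after the NFSERR_BAD_COOKIE handling. The hunk touches only nfsrvd_readdir(), so the log message should state whether the other directory-reading handlers in this file were checked for the same missing test.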
Author: des Date: Mon Apr 29 20:15:43 2013 New Revision: 250058 URL: http://svnweb.freebsd.org/changeset/base/250058 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: stable/8/sys/fs/nfsserver/nfs_nfsdport.c Modified: stable/8/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- stable/8/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:14:11 2013 (r250057) +++ stable/8/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:43 2013 (r250058) @@ -1569,6 +1569,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 20:15:47 2013 New Revision: 250059 URL: http://svnweb.freebsd.org/changeset/base/250059 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c Modified: releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:43 2013 (r250058) +++ releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:47 2013 (r250059) @@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 20:15:55 2013 New Revision: 250060 URL: http://svnweb.freebsd.org/changeset/base/250060 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: stable/9/sys/fs/nfsserver/nfs_nfsdport.c Modified: stable/9/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- stable/9/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:47 2013 (r250059) +++ stable/9/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:55 2013 (r250060) @@ -1575,6 +1575,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 20:16:00 2013 New Revision: 250061 URL: http://svnweb.freebsd.org/changeset/base/250061 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c Modified: releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:15:55 2013 (r250060) +++ releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:16:00 2013 (r250061) @@ -1574,6 +1574,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 20:16:25 2013 New Revision: 250062 URL: http://svnweb.freebsd.org/changeset/base/250062 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: re Modified: releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c Modified: releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:16:00 2013 (r250061) +++ releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c Mon Apr 29 20:16:25 2013 (r250062) @@ -1569,6 +1569,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd nd->nd_repstat = NFSERR_BAD_COOKIE; #endif } + if (!nd->nd_repstat && vp->v_type != VDIR) + nd->nd_repstat = NFSERR_NOTDIR; if (nd->nd_repstat == 0 && cnt == 0) { if (nd->nd_flag & ND_NFSV2) /* NFSv2 does not have NFSERR_TOOSMALL */ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 20:53:58 2013 New Revision: 41519 URL: http://svnweb.freebsd.org/changeset/doc/41519 Log: Fix a bug that allows NFS clients to issue READDIR on files. PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc (contents, props changed) head/share/security/patches/SA-13:05/ head/share/security/patches/SA-13:05/nfsserver.patch (contents, props changed) head/share/security/patches/SA-13:05/nfsserver.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc Mon Apr 29 20:53:58 2013 (r41519) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:05.nfsserver Security Advisory + The FreeBSD Project + +Topic: Insufficient input validation in the NFS server + +Category: core +Module: nfsserver +Announced: 2013-04-29 +Credits: Adam Nowacki +Affects: All supported versions of FreeBSD. +Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE) + 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8) + 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1) + 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1) + 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE) + 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3) +CVE Name: CVE-2013-3266 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The Network File System (NFS) allows a host to export some or all of its +file systems so that other hosts can access them over the network and mount +them as if they were on local disks. FreeBSD includes server and client +implementations of NFS. + +FreeBSD 8.0 and onward has two NFS implementations: the original CSRG +NFSv2 and NFSv3 implementation and a new implementation which also +supports NFSv4. + +FreeBSD 9.0 and onward uses the new NFS implementation by default. + +II. Problem Description + +When processing READDIR requests, the NFS server does not check that +it is in fact operating on a directory node. An attacker can use a +specially modified NFS client to submit a READDIR request on a file, +causing the underlying filesystem to interpret that file as a +directory. + +III. 
Impact + +The exact consequences of an attack depend on the amount of input +validation in the underlying filesystem: + + - If the file resides on a UFS filesystem on a little-endian server, + an attacker can cause random heap corruption with completely + unpredictable consequences. + + - If the file resides on a ZFS filesystem, an attacker can write + arbitrary data on the stack. It is believed, but has not been + confirmed, that this can be exploited to run arbitrary code in + kernel context. + +Other filesystems may also be vulnerable. + +IV. Workaround + +Systems that do not provide NFS service are not vulnerable. Neither +are systems that do but use the old NFS implementation, which is the +default in FreeBSD 8.x. + +To determine which implementation an NFS server is running, run the +following command: + +# kldstat -v | grep -cw nfsd + +This will print 1 if the system is running the new NFS implementation, +and 0 otherwise. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc +# gpg --verify nfsserver.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. 
+ +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r250058 +releng/8.3/ r250059 +releng/8.4/ r250062 +stable/9/ r250060 +releng/9.1/ r250061 +- ------------------------------------------------------------------------- + +VII. References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q +9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ +=polM +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:05/nfsserver.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:05/nfsserver.patch Mon Apr 29 20:53:58 2013 (r41519) 
@@ -0,0 +1,13 @@ +Index: sys/fs/nfsserver/nfs_nfsdport.c +=================================================================== +--- sys/fs/nfsserver/nfs_nfsdport.c (revision 249651) ++++ sys/fs/nfsserver/nfs_nfsdport.c (working copy) +@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg + nd->nd_repstat = NFSERR_BAD_COOKIE; + #endif + } ++ if (!nd->nd_repstat && vp->v_type != VDIR) ++ nd->nd_repstat = NFSERR_NOTDIR; + if (nd->nd_repstat == 0 && cnt == 0) { + if (nd->nd_flag & ND_NFSV2) + /* NFSv2 does not have NFSERR_TOOSMALL */ Added: head/share/security/patches/SA-13:05/nfsserver.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:05/nfsserver.patch.asc Mon Apr 29 20:53:58 2013 (r41519) @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO +F74AnAiX1rUC1Zvo3XU42efklaBo6F1g +=yQwz +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Mon Apr 29 16:02:00 2013 (r41518) +++ head/share/xml/advisories.xml Mon Apr 29 20:53:58 2013 (r41519) @@ -14,6 +14,14 @@ <name>2</name> <advisory> + <name>FreeBSD-SA-13:05.bind</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-13:04.bind</name> + </advisory> + + <advisory> <name>FreeBSD-SA-13:04.bind</name> </advisory> _______________________________________________ svn-doc-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-doc-all To unsubscribe, send any mail to "svn-doc-all-unsubscribe@freebsd.org"
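Review bot: In section V, step 2a of the added advisory, both fetch commands use http://security.FreeBSD.org/patches/SA-03:15/, but this commit adds nfsserver.patch and nfsserver.patch.asc under head/share/security/patches/SA-13:05/. The two URLs should read SA-13:05 so that the download and signature-verification steps operate on the patch this advisory describes. The Affects field also says "All supported versions of FreeBSD" while section IV states that systems on the old NFS implementation, the default in 8.x, are not vulnerable; narrowing the Affects line to the new NFS server would keep the two sections consistent.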
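Review bot: The advisories.xml hunk adds an entry named FreeBSD-SA-13:05.bind, which does not match the advisory file added in this same commit, FreeBSD-SA-13:05.nfsserver. The added lines also insert a second FreeBSD-SA-13:04.bind element directly above the existing one shown in the context lines. The hunk should add a single advisory element whose name is FreeBSD-SA-13:05.nfsserver.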
Author: des Date: Mon Apr 29 21:10:49 2013 New Revision: 250068 URL: http://svnweb.freebsd.org/changeset/base/250068 Log: Fix a bug that allows NFS clients to issue READDIR on files. (files missing from previous commit) PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: stable/8/UPDATING Modified: stable/8/UPDATING ============================================================================== --- stable/8/UPDATING Mon Apr 29 21:05:12 2013 (r250067) +++ stable/8/UPDATING Mon Apr 29 21:10:49 2013 (r250068) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130429: + Fix a bug that allows NFS clients to issue READDIR on files. + 20130225: A new compression method (lz4) has been merged. Please refer to zpool-features(7) for more information. _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 21:10:53 2013 New Revision: 250069 URL: http://svnweb.freebsd.org/changeset/base/250069 Log: Fix a bug that allows NFS clients to issue READDIR on files. (files missing from previous commit) PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: releng/8.3/UPDATING releng/8.3/sys/conf/newvers.sh Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Mon Apr 29 21:10:49 2013 (r250068) +++ releng/8.3/UPDATING Mon Apr 29 21:10:53 2013 (r250069) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130429: p8 FreeBSD-SA-13:05.nfsserver + Fix a bug that allows NFS clients to issue READDIR on files. + 20130402: p7 FreeBSD-SA-13:03.openssl Fix multiple vulnerabilities in OpenSSL. Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Mon Apr 29 21:10:49 2013 (r250068) +++ releng/8.3/sys/conf/newvers.sh Mon Apr 29 21:10:53 2013 (r250069) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 21:11:01 2013 New Revision: 250070 URL: http://svnweb.freebsd.org/changeset/base/250070 Log: Fix a bug that allows NFS clients to issue READDIR on files. (files missing from previous commit) PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: stable/9/UPDATING Modified: stable/9/UPDATING ============================================================================== --- stable/9/UPDATING Mon Apr 29 21:10:53 2013 (r250069) +++ stable/9/UPDATING Mon Apr 29 21:11:01 2013 (r250070) @@ -11,6 +11,9 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20130429: + Fix a bug that allows NFS clients to issue READDIR on files. + 20130315: The install(1) option -M has changed meaning and now takes an argument that is a file or path to append logs to. In the _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 21:11:05 2013 New Revision: 250071 URL: http://svnweb.freebsd.org/changeset/base/250071 Log: Fix a bug that allows NFS clients to issue READDIR on files. (files missing from previous commit) PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: so Modified: releng/9.1/UPDATING releng/9.1/sys/conf/newvers.sh Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Mon Apr 29 21:11:01 2013 (r250070) +++ releng/9.1/UPDATING Mon Apr 29 21:11:05 2013 (r250071) @@ -9,6 +9,9 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20130429: p3 FreeBSD-SA-13:05.nfsserver + Fix a bug that allows NFS clients to issue READDIR on files. + 20130402: p2 FreeBSD-SA-13:03.openssl FreeBSD-SA-13:04.bind Fix multiple vulnerabilities in OpenSSL. Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Mon Apr 29 21:11:01 2013 (r250070) +++ releng/9.1/sys/conf/newvers.sh Mon Apr 29 21:11:05 2013 (r250071) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: des Date: Mon Apr 29 21:11:31 2013 New Revision: 250073 URL: http://svnweb.freebsd.org/changeset/base/250073 Log: Fix a bug that allows NFS clients to issue READDIR on files. (files missing from previous commit) PR: kern/178016 Security: CVE-2013-3266 Security: FreeBSD-SA-13:05.nfsserver Approved by: re Modified: releng/8.4/UPDATING Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Mon Apr 29 21:11:21 2013 (r250072) +++ releng/8.4/UPDATING Mon Apr 29 21:11:31 2013 (r250073) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130429: + Fix a bug that allows NFS clients to issue READDIR on files. + 20130225: A new compression method (lz4) has been merged. Please refer to zpool-features(7) for more information. _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
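Review bot: The releng/8.4 UPDATING entry is a bare "20130429:" with no patch level or advisory name, whereas the releng/8.3 and releng/9.1 entries carry "p8 FreeBSD-SA-13:05.nfsserver" and "p3 FreeBSD-SA-13:05.nfsserver". This commit also lists only releng/8.4/UPDATING as modified, with no sys/conf/newvers.sh change, although the advisory's Corrected field names 8.4-RC1-p1 and 8.4-RC2-p1 for this branch. Either bump BRANCH in newvers.sh as was done on the other release branches, or explain in the log why it is not needed here, and add the advisory name to the UPDATING entry.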
State Changed From-To: open->closed This PR can be closed; it has been released as security advisory FreeBSD-SA-13:05.nfsserver (CVE-2013-3266).