[Glibc-bsd-commits] r5462 - in trunk/kfreebsd-10/debian: . patches

stevenc-guest at alioth.debian.org stevenc-guest at alioth.debian.org
Wed Apr 9 00:22:09 UTC 2014


Author: stevenc-guest
Date: 2014-04-09 00:22:09 +0000 (Wed, 09 Apr 2014)
New Revision: 5462

Added:
   trunk/kfreebsd-10/debian/patches/SA-14_05.nfsserver.patch
Modified:
   trunk/kfreebsd-10/debian/changelog
   trunk/kfreebsd-10/debian/patches/series
Log:
Pick SVN 264266 from FreeBSD 10-STABLE to fix SA-14:05 / CVE-2014-1453:
Deadlock in the NFS server


Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog	2014-04-09 00:01:16 UTC (rev 5461)
+++ trunk/kfreebsd-10/debian/changelog	2014-04-09 00:22:09 UTC (rev 5462)
@@ -1,3 +1,11 @@
+kfreebsd-10 (10.0-4) UNRELEASED; urgency=high
+
+  [ Steven Chamberlain ]
+  * Pick SVN 264266 from FreeBSD 10-STABLE to fix SA-14:05 / CVE-2014-1453:
+    Deadlock in the NFS server
+
+ -- Steven Chamberlain <steven at pyro.eu.org>  Wed, 09 Apr 2014 01:18:52 +0100
+
 kfreebsd-10 (10.0-3) experimental; urgency=low
 
   [ Steven Chamberlain ]

Added: trunk/kfreebsd-10/debian/patches/SA-14_05.nfsserver.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-14_05.nfsserver.patch	                        (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-14_05.nfsserver.patch	2014-04-09 00:22:09 UTC (rev 5462)
@@ -0,0 +1,75 @@
+Description:
+ Fix NFS deadlock vulnerability. [SA-14:05] (CVE-2014-1453)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:05.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/743988
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=264266
+
+--- kfreebsd-10-10.0.orig/sys/fs/nfsserver/nfs_nfsdserv.c
++++ kfreebsd-10-10.0/sys/fs/nfsserver/nfs_nfsdserv.c
+@@ -1457,10 +1457,23 @@
+ 		nfsvno_relpathbuf(&fromnd);
+ 		goto out;
+ 	}
++	/*
++	 * Unlock dp in this code section, so it is unlocked before
++	 * tdp gets locked. This avoids a potential LOR if tdp is the
++	 * parent directory of dp.
++	 */
+ 	if (nd->nd_flag & ND_NFSV4) {
+ 		tdp = todp;
+ 		tnes = *toexp;
+-		tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred, p, 0);
++		if (dp != tdp) {
++			NFSVOPUNLOCK(dp, 0);
++			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++			    p, 0);	/* Might lock tdp. */
++		} else {
++			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++			    p, 1);
++			NFSVOPUNLOCK(dp, 0);
++		}
+ 	} else {
+ 		tfh.nfsrvfh_len = 0;
+ 		error = nfsrv_mtofh(nd, &tfh);
+@@ -1481,10 +1494,12 @@
+ 			tnes = *exp;
+ 			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+ 			    p, 1);
++			NFSVOPUNLOCK(dp, 0);
+ 		} else {
++			NFSVOPUNLOCK(dp, 0);
+ 			nd->nd_cred->cr_uid = nd->nd_saveduid;
+ 			nfsd_fhtovp(nd, &tfh, LK_EXCLUSIVE, &tdp, &tnes, NULL,
+-			    0, p);
++			    0, p);	/* Locks tdp. */
+ 			if (tdp) {
+ 				tdirfor_ret = nfsvno_getattr(tdp, &tdirfor,
+ 				    nd->nd_cred, p, 1);
+@@ -1499,7 +1514,7 @@
+ 		if (error) {
+ 			if (tdp)
+ 				vrele(tdp);
+-			vput(dp);
++			vrele(dp);
+ 			nfsvno_relpathbuf(&fromnd);
+ 			nfsvno_relpathbuf(&tond);
+ 			goto out;
+@@ -1514,7 +1529,7 @@
+ 		}
+ 		if (tdp)
+ 			vrele(tdp);
+-		vput(dp);
++		vrele(dp);
+ 		nfsvno_relpathbuf(&fromnd);
+ 		nfsvno_relpathbuf(&tond);
+ 		goto out;
+@@ -1523,7 +1538,7 @@
+ 	/*
+ 	 * Done parsing, now down to business.
+ 	 */
+-	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
++	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);
+ 	if (nd->nd_repstat) {
+ 		if (nd->nd_flag & ND_NFSV3) {
+ 			nfsrv_wcc(nd, fdirfor_ret, &fdirfor, fdiraft_ret,

Modified: trunk/kfreebsd-10/debian/patches/series
===================================================================
--- trunk/kfreebsd-10/debian/patches/series	2014-04-09 00:01:16 UTC (rev 5461)
+++ trunk/kfreebsd-10/debian/patches/series	2014-04-09 00:22:09 UTC (rev 5462)
@@ -3,6 +3,7 @@
 accept_O_CLOEXEC_in_shm_open.diff
 radeonkms_abort_nofw.diff
 newcons.diff
+SA-14_05.nfsserver.patch
 
 # Patches that are in good shape for merging upstream
 mount_remount.diff




More information about the Glibc-bsd-commits mailing list