From owner-freebsd-security@FreeBSD.ORG Sat Oct 21 00:29:49 2006
Message-ID: <453969CC.6060809@panasas.com>
Date: Fri, 20 Oct 2006 17:29:00 -0700
From: Padma Bhooma
To: freebsd-security@freebsd.org
Subject: [patch] Memory leak from namei_zone in an error path in nfsrv_rename
List-Id: "Security issues [members-only posting]"

Description:
------------

Memory leak in nfsrv_rename:

In nfsrv_rename, every time a VOP_RENAME operation fails FreeBSD leaks 2 items from the namei_zone, which is equal to 2K of kernel memory. Filing this as a security issue because a FreeBSD NFS server (versions 4.6.2 to 6.1) can be compromised by exhausting kernel memory if a user touches this error path many times. I have tried a simple test case against FreeBSD NFS server versions 4.6.2, 5.3 and 6.1.

How to reproduce:
----------------

From an NFS client, running the following cmds against a 4.6.2 FreeBSD NFS server mount will cause the memory leak:

$ mkdir a/b
$ while (true) do
> mv -f a a/b/
> done

Again, running the following cmds against a 5.3 or 6.1 FreeBSD NFS server will cause the leak:

$ mkdir -p a/b
$ cd a
$ while (true) do
> mv . ../a/b/
> done

There are many other ways to reproduce it, but these are trivial test cases I could come up with.

Patch to fix the problem:
________________________

--- nfs_serv.c 2005-11-25 06:32:38.000000000 -0800
+++ /tmp/nfs_serv.c 2006-09-22 14:41:39.000000000 -0700
@@ -2514,26 +2514,26 @@ /* * The VOP_RENAME function releases all vnode references & * locks prior to returning so we need to clear the pointers * to bypass cleanup code later on. */ error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd, tond.ni_dvp, tond.ni_vp, &tond.ni_cnd); fromnd.ni_dvp = NULL; fromnd.ni_vp = NULL; tond.ni_dvp = NULL; tond.ni_vp = NULL; if (error) { - fromnd.ni_cnd.cn_flags &= ~HASBUF; - tond.ni_cnd.cn_flags &= ~HASBUF; + NDFREE(&fromnd, NDF_ONLY_PNBUF); + NDFREE(&tond, NDF_ONLY_PNBUF); } } else { if (error == -1) error = 0; } /* fall through */

I will be happy to answer any questions wrt this. Please provide me some feedback on this fix.

Thanks,
Padma Bhooma
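Review bot: replacing the two `cn_flags &= ~HASBUF` lines in the `if (error)` branch with `NDFREE(&fromnd, NDF_ONLY_PNBUF)` and `NDFREE(&tond, NDF_ONLY_PNBUF)` is only safe if no VOP_RENAME implementation frees `cn_pnbuf` itself on the failure path; the comment above the call only says that VOP_RENAME releases vnode references and locks, so the submission should state which filesystems' rename routines were checked for this, since a double free here would be worse than the leak. The diagnosis itself reads correctly from the hunk: clearing HASBUF made the "cleanup code later on" skip the two namei_zone buffers, which is the leak in the description, and NDFREE with NDF_ONLY_PNBUF both frees the buffer and clears HASBUF, so the common cleanup reached after `/* fall through */` will not release them a second time. It would also help to say in the description why the success branch needs no change (the hunk does not show the later cleanup that handles the buffers there).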