Bug 63491 (CVE-2004-0946)

Summary: VUL-0: CVE-2004-0946: nfs-utils overflow on 64bit arch
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Ruediger Oertel <ro>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0946: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2004-11-24 17:46:10 UTC
Date: Mon, 22 Nov 2004 11:07:57 -0500
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Additional nfs-utils security issue.

This one was found by Arjan van de Ven.

struct dqblk
  {
    u_int32_t dqb_bhardlimit;   /* absolute limit on disk blks alloc */
    u_int32_t dqb_bsoftlimit;   /* preferred limit on disk blks */
    u_int32_t dqb_curblocks;    /* current block count */
    u_int32_t dqb_ihardlimit;   /* maximum # allocated inodes */
    u_int32_t dqb_isoftlimit;   /* preferred inode limit */
    u_int32_t dqb_curinodes;    /* current # allocated inodes */
    time_t dqb_btime;           /* time limit for excessive disk use */
    time_t dqb_itime;           /* time limit for excessive files */
  };

struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;
};


rquota_server.c line 171 has the following memcpy:

memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
                (caddr_t *)&dq_dqb, sizeof(struct dqblk));

the goal of the memcpy is to copy the 8 fields from struct dqblk to
the last 8 fields of struct rquota.
That is, 6 ints and 2 time_t's get copied to 8 ints.
On 32 bit machines, that's ok (but ugly) since a time_t is also a 32
bit value; on 64 bit machines time_t is 64 bit though, thus buffer
overflowing the stack.

This information should be assumed to be public.


This issue has been assigned the CVE id CAN-2004-0946.
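Added example, not code from the report or from nfs-utils: a stand-alone C program that replays the size mismatch with the two structs quoted above, counts how many bytes the memcpy writes past the end of struct rquota on the build host, and shows a field-by-field copy whose size cannot depend on sizeof(time_t). It assumes bool_t is int as in <rpc/types.h>; the field-by-field function is an illustrative alternative, not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
typedef int bool_t;          /* assumed, as in <rpc/types.h> */

struct dqblk {               /* layout from the report; time_t is 8 bytes on LP64 */
    uint32_t dqb_bhardlimit, dqb_bsoftlimit, dqb_curblocks;
    uint32_t dqb_ihardlimit, dqb_isoftlimit, dqb_curinodes;
    time_t   dqb_btime, dqb_itime;
};

struct rquota {              /* rpcgen wire struct from the report: 8 x 32-bit tail */
    int    rq_bsize;
    bool_t rq_active;
    unsigned rq_bhardlimit, rq_bsoftlimit, rq_curblocks, rq_fhardlimit;
    unsigned rq_fsoftlimit, rq_curfiles, rq_btimeleft, rq_ftimeleft;
};

/* Replay the rquota_server.c memcpy into a byte buffer with a canary behind
 * the struct; returns how many canary bytes it clobbered. With a 64-bit
 * time_t that is 8 (40 bytes copied into a 32-byte tail), with 32-bit time_t 0. */
size_t canary_clobbered(void)
{
    unsigned char buf[sizeof(struct rquota) + 16];
    struct dqblk dq;
    size_t i, n = 0;
    memset(&dq, 0xAA, sizeof dq);   /* constructed sample quota record */
    memset(buf, 0x5A, sizeof buf);  /* 0x5A = canary pattern */
    memcpy(buf + offsetof(struct rquota, rq_bhardlimit), &dq, sizeof dq); /* the bug */
    for (i = sizeof(struct rquota); i < sizeof buf; i++)
        if (buf[i] != 0x5A)
            n++;
    return n;
}

/* Bounded alternative: copy field by field so the amount written never depends
 * on sizeof(time_t). The casts mirror the 32-bit wire fields; converting
 * absolute times into "time left" values is the caller's job, not shown here. */
void rquota_from_dqblk(struct rquota *rq, const struct dqblk *dq)
{
    rq->rq_bhardlimit = dq->dqb_bhardlimit;
    rq->rq_bsoftlimit = dq->dqb_bsoftlimit;
    rq->rq_curblocks  = dq->dqb_curblocks;
    rq->rq_fhardlimit = dq->dqb_ihardlimit;
    rq->rq_fsoftlimit = dq->dqb_isoftlimit;
    rq->rq_curfiles   = dq->dqb_curinodes;
    rq->rq_btimeleft  = (unsigned)dq->dqb_btime;
    rq->rq_ftimeleft  = (unsigned)dq->dqb_itime;
}
```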
Comment 1 Sebastian Krahmer 2004-11-24 17:46:11 UTC
Looks to me as he is correct. Our SL 9.2 which I reviewed seems to have this
problem.
Comment 2 Ruediger Oertel 2004-11-24 19:45:19 UTC
any patch available already?
 
Comment 3 Olaf Kirch 2004-11-24 19:50:01 UTC
Does this really qualify as a security problem? Yes, it overflows, but the 
value that gets scribbled past the end of the struct (which should be a 
static variable BTW if it's standard rpcgen code) is dqb_itime. This is a 
time limit set by the administrator. I cannot even start to imagine how to 
exploit this bug in any security relevant way. 
 
Fixing this in STABLE should be sufficient, I think. 
Comment 4 Sebastian Krahmer 2004-11-24 20:48:02 UTC
Would be fine with me. However, you know how people read heise news
'overflow in rpc.quotad'.
Comment 5 Ruediger Oertel 2004-11-24 21:02:22 UTC
now that you mention it: that's perfect ;-) 
 
we never used the quotad from nfs-utils (not even sles7), 
so this is completely unrelated for us. 
 
(please close this bug if you agree) 
 
PS: But it might be that package quota has a similar problem ... 
 
Comment 6 Marcus Meissner 2004-11-24 21:03:27 UTC
i have already checked the quota package, it is not affected. 
 
good to hear we never used it. 
Comment 7 Sebastian Krahmer 2004-11-24 21:05:18 UTC
Ok, so fix in STABLE will suffice.
Comment 8 Thomas Biege 2009-10-13 20:00:10 UTC
CVE-2004-0946: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)