Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Jun 2014 19:20:09 -0700
From: Russ Allbery <eagle@...ie.org>
To: oss-security@...ts.openwall.com
Cc: openafs-gatekeepers@...nafs.org
Subject: CVE request: OpenAFS 1.6.8 TMAY fileserver crashes

New code introduced in OpenAFS 1.6.8 does not properly zero fields in the
host structure in the OpenAFS fileserver, leading to some variables in the
host structure being left initialized from recycled heap memory.  While no
mechanism for exploitation is currently known, the affected file server
provides a network service and this sort of problem tends to be
exploitable with sufficient effort.

Below is the public disclosure of this issue to one of the OpenAFS mailing
lists.  OpenAFS 1.6.7 is not affected.  I don't believe any stable
distribution is affected, but Debian unstable, testing, and
wheezy-backports are affected.

The upstream stable fix is at:

    http://gerrit.openafs.org/#change,11283

which reverts the newly-added code in its entirety.  (A more thorough fix
that eliminates a fragile way of initializing structures is being worked
on for the master branch.)  An OpenAFS 1.6.9 release with this fix is
expected in the near future.

Could we get a CVE assigned to this problem, please?

Here is the original report:

| From: Andrew Deason <adeason@...enomine.net>
| To: release-team@...nafs.org
| Subject: [OpenAFS release-team] 1.6.8 TMAY fileserver crashes
| Date: Wed, 11 Jun 2014 16:05:14 -0500
| 
| This change is broken: <http://gerrit.openafs.org/10759>
| 
| Briefly, 'host' structures are allocated without clearing all of the
| contents to '0'. Only part of the structure is cleared, according to the
| HOST_TO_ZERO macro. Unfortunately I put the new tmay_ fields right below
| the 'index' field for some reason, so this means they aren't zeroed and
| can contain garbage. This means we can easily segfault in the fileserver
| when we try to access the pointers in there.
| 
| This makes it very easy to crash the fileserver, so it seems like we
| may want to issue a new release quickly, or at least alert the community
| that this issue exists and warn against using 1.6.8 fileservers. Options
| are:
| 
|  (1) Fix the bug. This is easy to fix in a few ways; Mark Vitale is
|  writing a fix right now (while I notify you guys) and should be
|  submitting it shortly.
| 
|  (2) Rip out the TMAY caching stuff. It's not urgently pressing.
| 
| I don't know if people favor one or the other, or if this is urgent
| enough to warrant a single-issue 1.6.9 release.
| 
| And lastly, of course, this was purely a mistake (my mistake) and I am
| sorry. This didn't need to go into 1.6 so soon, or at all. (And it still
| doesn't, if the release team feels it is better to just rip this out
| completely.)
| 
| -- 
| Andrew Deason
| adeason@...enomine.net

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ