xorl %eax, %eax

CVE-2009-1630: Linux kernel NFS Security Bypass


This is a somewhat amusing design flaw in the NFS client implementation of the Linux kernel. The bug was reported on 9 May 2009 by Frank Filz and affects Linux kernel releases from 2.6 up to and including 2.6.30-rc3. Here is the code from the 2.6.29 release (fs/nfs/dir.c):

6 *  nfs directory handling functions
    ...
1928 int nfs_permission(struct inode *inode, int mask)
1929 {
1930        struct rpc_cred *cred;
1931        int res = 0;
    ...
1941        switch (inode->i_mode & S_IFMT) {
1942                case S_IFLNK:
1943                        goto out;
1944                case S_IFREG:
1945                        /* NFSv4 has atomic_open... */
1946                        if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
1947                                        && (mask & MAY_OPEN))
1948                                goto out;
1949                        break;
    ...
1980        goto out;
1981 }


This function implements the permission check for inodes on an NFS mount. At line 1941 it switches on the file type. For a regular file (line 1944), if the server supports atomic open (the NFSv4 NFS_CAP_ATOMIC_OPEN capability, line 1946) and the caller's mask has MAY_OPEN set (line 1947), it jumps straight to out and returns res, which is still 0, meaning access granted. The shortcut is an optimisation: on NFSv4 the server validates the open itself, so the client skips its own access check for plain opens. The flaw is that the mask is never inspected for MAY_EXEC. When a file is opened for execution, the VFS passes MAY_OPEN together with MAY_EXEC, so the request takes the same shortcut and the client never verifies execute permission, while the server's atomic OPEN only checks that the file can be opened, not that it is executable. Consequently a local user on an NFSv4 client could execute any file they were able to open for reading, regardless of whether its execute bit was set. Here is the patch that fixes it:

             if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
-                    && (mask & MAY_OPEN))
+                    && (mask & MAY_OPEN)
+                    && !(mask & MAY_EXEC))
                 goto out;
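Review bot: the new `&& !(mask & MAY_EXEC)` condition is left unexplained in the hunk; the comment `/* NFSv4 has atomic_open... */` immediately above still describes only the shortcut, so it should be extended to say why an exec request must fall through to the normal access check (the server's atomic OPEN validates the open, not execute permission), otherwise a later cleanup could fold the condition back into `(mask & MAY_OPEN)` without noticing the regression.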

Written by xorl

May 18, 2009 at 14:25

Posted in bugs, linux
