Bugzilla – Bug 851103
VUL-1: CVE-2013-4591: kernel: nfs missing check for buffer length
Last modified: 2016-04-27 19:10:49 UTC
CVE-2013-4591 commit 1f1ea6c (included in Red Hat Enterprise Linux 6 as part of the CVE-2012-2375 fix) accidentally dropped the check for a too-small result buffer length. If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount supporting ACLs, the ACL has not been cached and the buffer supplied is too short, we still copy the complete ACL, resulting in kernel and user space memory corruption.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4591
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce
https://bugzilla.redhat.com/show_bug.cgi?id=1031678
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7d3e91a89b7adbc2831334def9e494dd9892f9af
http://comments.gmane.org/gmane.comp.security.oss.general/11511
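The defect described above is a copy-out that ignores the caller's buffer length. As an added illustration (not kernel code, and not the patch referenced in this bug), the following user-space model shows the hardened shape of such a copy-out: it follows the getxattr(2) contract, returning the required size when the buffer length is zero and -ERANGE when the buffer is shorter than the attribute, so it never writes more than the caller allotted. The struct, function names and sample ACL bytes are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-in for a cached ACL: a byte blob and its length.
 * Not the kernel's data structure. */
struct acl_blob {
    const unsigned char *data;
    size_t len;
};

/* Hardened copy-out. Returns:
 *   - the attribute length when buflen == 0 (size query, nothing copied),
 *   - -ERANGE when the supplied buffer is shorter than the attribute,
 *   - the number of bytes copied (== acl->len) on success.
 * The buflen < acl->len test is the check whose absence this bug describes:
 * without it, the full ACL would be copied into the short buffer. */
long copy_acl_to_buf(const struct acl_blob *acl, unsigned char *buf, size_t buflen)
{
    if (acl == NULL || acl->data == NULL)
        return -ENODATA;            /* no ACL available */
    if (buflen == 0)
        return (long)acl->len;      /* caller is asking how big a buffer it needs */
    if (buf == NULL)
        return -EINVAL;
    if (buflen < acl->len)
        return -ERANGE;             /* too small: refuse rather than overrun */
    memcpy(buf, acl->data, acl->len);
    return (long)acl->len;
}

/* Constructed sample bytes standing in for an ACL; not a real NFSv4 ACL
 * encoding, just 12 bytes to exercise the length paths. */
static const unsigned char sample_acl_bytes[] = {
    0x00, 0x00, 0x00, 0x02, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'
};
static const struct acl_blob sample_acl = { sample_acl_bytes, sizeof sample_acl_bytes };

/* Each scenario is wrapped in a function so the result can be checked. */
long demo_short_buffer(void)
{
    unsigned char small[4];         /* shorter than the 12-byte ACL */
    return copy_acl_to_buf(&sample_acl, small, sizeof small);
}

long demo_exact_buffer(void)
{
    unsigned char exact[12];
    return copy_acl_to_buf(&sample_acl, exact, sizeof exact);
}

long demo_size_query(void)
{
    return copy_acl_to_buf(&sample_acl, NULL, 0);
}

int main(void)
{
    printf("short buffer  -> %ld (expect %d, -ERANGE)\n", demo_short_buffer(), -ERANGE);
    printf("exact buffer  -> %ld (expect 12)\n", demo_exact_buffer());
    printf("size query    -> %ld (expect 12)\n", demo_size_query());
    return 0;
}
```

A caller that honours this contract first issues the size query, allocates that many bytes, then repeats the call; a caller that skips the query and passes a fixed small buffer gets -ERANGE instead of a silently truncated or overrun result.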
bugbot adjusting priority
neil, perhaps for you
This bug is not present in any of our kernels. I'm not sure if it ever was, as I cannot find a particular patch which fixes it. But importantly the buffer test is there. Note that many of the above "update released" messages are bogus. https://build.suse.de/request/show/30353 mentions this bug number in the context of a completely different bug.
thanks for checking!
We backported the fix for CVE-2012-2375 differently, not removing the check that was the trigger for this issue. So no SUSE Linux Enterprise Server version contained the incorrect fix / missing check. So we were not affected by this problem.