Bugzilla – Bug 880962
VUL-0: CVE-2014-0244: samba: nmbd denial of service
Last modified: 2014-07-30 18:44:59 UTC
via samba bugzilla, embargoed, no crd set yet. https://bugzilla.samba.org/show_bug.cgi?id=10633

Quoting comment 0 from Andreas Schneider:

Core issue is a poll() returned "readable" but the read() then blocking, leading to an endless loop.

A Red Hat user found a packet which could trigger nmbd to enter an infinite loop around recvfrom(). Stefan Cornelius <scorneli@redhat.com> investigated the issue. Here is the analysis:

I managed to reproduce the issue. When nmbd hangs, it has the following backtrace:

    #0 0x00002ba5fb059d53 in __recvfrom_nocancel () from /lib64/libc.so.6
    #1 0x00002ba5f85e506d in recvfrom (s=12, buf=0x7fff3cbe5940, len=576, flags=0, from=0x7fff3cbe5b80, fromlen=0x7fff3cbe5914) at /usr/include/bits/socket2.h:55
    #2 sys_recvfrom (s=12, buf=0x7fff3cbe5940, len=576, flags=0, from=0x7fff3cbe5b80, fromlen=0x7fff3cbe5914) at lib/system.c:288
    #3 0x00002ba5f85f6a73 in read_udp_v4_socket (fd=12, buf=0x7fff3cbe5940 "PW\276<\377\177", len=576, psa=0x7fff3cbe5b80) at lib/util_sock.c:259
    #4 0x00002ba5f853ddb8 in read_packet (fd=12, packet_type=DGRAM_PACKET) at libsmb/nmblib.c:802
    #5 0x00002ba5f84c7601 in listen_for_packets (run_election=<value optimized out>) at nmbd/nmbd_packets.c:1971
    #6 0x00002ba5f84bae0b in process (argc=<value optimized out>, argv=<value optimized out>) at nmbd/nmbd.c:493
    #7 main (argc=<value optimized out>, argv=<value optimized out>) at nmbd/nmbd.c:1020

read_udp_v4_socket has the following code:

    ret = (ssize_t)sys_recvfrom(fd,buf,len,0, (struct sockaddr *)psa,&socklen);
    if (ret <= 0) {
        /* Don't print a low debug error for a non-blocking socket. */
        if (errno == EAGAIN) {
            DEBUG(10,("read_udp_v4_socket: returned EAGAIN\n"));
        } else {
            DEBUG(2,("read_udp_v4_socket: failed. errno=%s\n", strerror(errno)));
        }
        return 0;
    }

So, we can see it calls sys_recvfrom() and wants to bail out if it encounters EAGAIN return values.

Now, the interesting part is how sys_recvfrom() is implemented:

    ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags,
                         struct sockaddr *from, socklen_t *fromlen)
    {
        ssize_t ret;

        do {
            ret = recvfrom(s, buf, len, flags, from, fromlen);
    #if defined(EWOULDBLOCK)
        } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
    #else
        } while (ret == -1 && (errno == EINTR || errno == EAGAIN));
    #endif
        return ret;
    }

We see that it simply loops the recvfrom() and continues doing so if it encounters -1 or EAGAIN, so there's a chance that we end up looping endlessly. Also, it will never propagate -1/EAGAIN errors up to read_udp_v4_socket, so the check in read_udp_v4_socket is essentially useless at this point.
From Jeremy Allison:

Ok, tracked this one down. It's a phantom wakeup from poll on a non-blocking socket. Corner case if this is a kernel bug or not. I have a very simple sample server code that can reproduce this without Samba being involved at all.
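The remediation the analysis above points to, as an added example (my own code, not the Samba patch attached below): retry recvfrom() only on EINTR, so that the EAGAIN produced by a phantom poll() wakeup reaches the caller-side check that read_udp_v4_socket already has. A non-blocking AF_UNIX datagram pair stands in for nmbd's UDP socket so the demo runs without network access; the function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>
#include <sys/socket.h>

/* Retry only on EINTR; on a non-blocking socket EAGAIN/EWOULDBLOCK is an answer, not a reason to retry. */
static ssize_t recvfrom_retry_eintr(int s, void *buf, size_t len, int flags,
                                    struct sockaddr *from, socklen_t *fromlen)
{
    ssize_t ret;
    do {
        ret = recvfrom(s, buf, len, flags, from, fromlen);
    } while (ret == -1 && errno == EINTR);
    return ret;
}

/* Caller-side check as in read_udp_v4_socket: 0 bytes on EAGAIN (go back to poll), -1 on a real error. */
static ssize_t read_dgram_nonblocking(int fd, void *buf, size_t len)
{
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    ssize_t ret = recvfrom_retry_eintr(fd, buf, len, 0, (struct sockaddr *)&from, &fromlen);
    if (ret == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 0;
    return ret;
}

/* Constructed demo: a non-blocking AF_UNIX datagram pair stands in for nmbd's UDP socket. Returns 0 on success. */
static int demo_spurious_wakeup(void)
{
    char buf[576];                        /* nmbd reads 576 bytes in the backtrace above */
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return rc;
    struct pollfd pfd = { sv[0], POLLIN, 0 };
    rc = -2;
    if (fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK) < 0) goto done;
    /* Empty queue, as after a phantom poll() wakeup: the page's sys_recvfrom would spin here forever. */
    rc = -3;
    if (read_dgram_nonblocking(sv[0], buf, sizeof(buf)) != 0) goto done;
    /* Queue a constructed 3-byte datagram, wait for it with poll(), then read it normally. */
    rc = -4;
    if (send(sv[1], "NBT", 3, 0) != 3 || poll(&pfd, 1, 1000) != 1 ||
        read_dgram_nonblocking(sv[0], buf, sizeof(buf)) != 3) goto done;
    rc = 0;
done:
    close(sv[0]); close(sv[1]);
    return rc;
}
```

Linux's select(2) man page documents exactly this spurious readiness (a datagram arrives, poll() reports it, then it is discarded on checksum failure), so a wrapper must treat EAGAIN on a non-blocking socket as a normal outcome rather than a transient condition.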
Created attachment 592981: 0001-s3-nmbd-Fix-bug-10633-nmbd-denial-of-service.txt (fix attached to samba bug)
bugbot adjusting priority
Samba 3.4.3 (SLE 11 SP 1), 3.0.36 (SLE 10 SP3), and 3.0.26a (SLE9 SP 3 + 4) don't block on EAGAIN/EWOULDBLOCK
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-06-17. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57651
Affected packages: SLE-11-SP3: samba
Fix merged to the branches 3.6.3 (SLE 11 SP 2 + 3) and 3.6.12 (openSUSE 12.3).
https://build.suse.de/request/show/38965 SUSE:SLE-11-SP2:Update:Test
https://build.suse.de/request/show/38966 SUSE:SLE-11-SP3:Update:Test
Is public now: http://www.samba.org/

23 June 2014: Samba 4.1.9, 4.0.19 and 3.6.24 Security Releases Available for Download. These are security releases in order to address CVE-2014-0244 (Denial of service - CPU loop) and CVE-2014-3493 (Denial of service - Server crash/memory corruption).
This is an autogenerated message for OBS integration: This bug (880962) was mentioned in https://build.opensuse.org/request/show/238390 12.3 / samba https://build.opensuse.org/request/show/238391 13.1 / samba
This is an autogenerated message for OBS integration: This bug (880962) was mentioned in https://build.opensuse.org/request/show/238432 Factory / samba
This is an autogenerated message for OBS integration: This bug (880962) was mentioned in https://build.opensuse.org/request/show/238618 13.1 / samba https://build.opensuse.org/request/show/238620 13.1 / samba
This is an autogenerated message for OBS integration: This bug (880962) was mentioned in https://build.opensuse.org/request/show/238632 Factory / samba
openSUSE-SU-2014:0857-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 685093,872396,879390,880962,883758 CVE References: CVE-2014-0178,CVE-2014-0244,CVE-2014-3493 Sources used: openSUSE 12.3 (src): samba-3.6.12-59.23.1, samba-doc-3.6.12-59.23.1
openSUSE-SU-2014:0859-1: An update that solves four vulnerabilities and has 13 fixes is now available. Category: security (moderate) Bug References: 846586,866354,866927,869707,870570,870607,870957,871701,872396,873177,873658,874180,874656,875046,879390,880962,883758 CVE References: CVE-2014-0178,CVE-2014-0239,CVE-2014-0244,CVE-2014-3493 Sources used: openSUSE 13.1 (src): samba-4.1.9-3.22.1
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-64bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-64bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-64bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-64bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-64bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-64bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-64bit, libwbclient0-x86, samba, samba-32bit, samba-64bit, samba-client, samba-client-32bit, samba-client-64bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-64bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-64bit, samba-winbind-x86, samba-x86 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-x86, samba, samba-32bit, samba-client, samba-client-32bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-x86, samba-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64) SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0899-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 872396,879390,880962,883758 CVE References: CVE-2014-0178,CVE-2014-0244,CVE-2014-3493 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): samba-3.6.3-0.52.5 SUSE Linux Enterprise Server 11 SP3 for VMware (src): samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5 SUSE Linux Enterprise Server 11 SP3 (src): samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5 SUSE Linux Enterprise Desktop 11 SP3 (src): samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5
SUSE-SU-2014:0901-1: An update that solves four vulnerabilities and has 7 fixes is now available. Category: security (moderate) Bug References: 437293,726937,786677,844307,849224,863748,865561,872396,879390,880962,883758 CVE References: CVE-2013-4496,CVE-2014-0178,CVE-2014-0244,CVE-2014-3493 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): samba-3.4.3-1.54.4, samba-3.6.3-0.33.41.2, samba-doc-3.6.3-0.33.41.2
openSUSE-SU-2014:0944-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 880962,883758 CVE References: CVE-2014-0244,CVE-2014-3493 Sources used: openSUSE 11.4 (src): samba-3.6.3-134.1, samba-doc-3.6.3-134.1