[OpenAFS-devel] Recent Security Advisories.

Simon Wilkinson sxw@inf.ed.ac.uk
Fri, 10 Apr 2009 18:35:48 +0100


Hi,

It's been brought to my attention that there may be people on this
list who don't read openafs-announce, and may have missed the recent
security advisories.

We recently released OpenAFS 1.4.9 (and 1.4.10, and 1.5.59) to
address a couple of security issues in the Unix cache manager (one
applies to any Unix cache manager with bulk stat enabled, the other
to any Linux cache manager). These issues have been present in OpenAFS
since 1.0.

Abstracts are:

http://www.openafs.org/security/OPENAFS-SA-2009-001.txt
AFS's XDR data marshalling language permits the construction of
arrays with a size constrained by the interface definition. The XDR
decoding language will accept data from the server up to this maximum
size, which in some cases is stored into a buffer allocated by the
client. In several locations, the AFS client assumes that the server
will never return more data than requested, and so allocates a buffer
smaller than this maximum size. Whilst this causes no problems when
communicating with valid servers, an attacker can return more data
than expected, and overflow the client's buffer.

http://www.openafs.org/security/OPENAFS-SA-2009-002.txt
AFS may pass an error code obtained from the fileserver directly to
the Linux kernel, using a Linux mechanism that merges error codes and
pointers into a single value. However, this mechanism is unable to
distinguish certain error codes from pointers. When AFS returns a
code of this type to the kernel, the kernel treats it as a pointer
and attempts to dereference it. This causes a kernel panic, and
results in a denial of service attack.

I am not aware of a publicly available exploit for either issue at
present.

Cheers,

Simon.
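The second advisory describes the Linux ERR_PTR/IS_ERR convention, where a pointer value in the last MAX_ERRNO bytes of the address space encodes a negative errno. The following is an added user-space illustration (not code from the advisory or from OpenAFS): it re-creates that convention, shows why a fileserver code outside the errno range is not recognised as an error, and contrasts it with a range check that maps such codes to a kernel-recognisable errno. The server code value is constructed for the example, and the mitigation shown is illustrative rather than the fix shipped in OpenAFS 1.4.9.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space re-creation of the Linux ERR_PTR convention: the last
 * MAX_ERRNO values of the address space are reserved to carry a
 * negative errno; everything below that is treated as a real pointer. */
#define MAX_ERRNO 4095

static void *err_ptr(long error) { return (void *)(uintptr_t)error; }
static long ptr_err(const void *p) { return (long)(intptr_t)p; }
static bool is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Constructed fileserver error code, chosen to lie far outside 1..MAX_ERRNO. */
#define SAMPLE_SERVER_CODE 49733376L

/* Pattern the advisory describes: the server's code is handed to ERR_PTR
 * unchanged. For SAMPLE_SERVER_CODE the result falls outside the reserved
 * range, so IS_ERR() reports a real pointer and the kernel dereferences it. */
static void *lookup_unsafe(long server_code)
{
    return err_ptr(-server_code);
}

/* Mitigation (illustrative, not the OpenAFS fix): only codes that fit the
 * errno range pass through; anything else is collapsed to a generic errno
 * that IS_ERR() is guaranteed to recognise. */
static void *lookup_safe(long server_code)
{
    if (server_code <= 0 || server_code > MAX_ERRNO)
        server_code = EIO;
    return err_ptr(-server_code);
}

int main(void)
{
    void *p = lookup_unsafe(SAMPLE_SERVER_CODE);
    printf("unsafe: is_err=%d (caller would dereference)\n", is_err(p));
    p = lookup_safe(SAMPLE_SERVER_CODE);
    printf("safe:   is_err=%d errno=%ld\n", is_err(p), -ptr_err(p));
    return 0;
}
```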