Fix a bug that allows NFS clients to issue READDIR on files.

PR:		kern/178016
Security:	CVE-2013-3266
Security:	FreeBSD-SA-13:05.nfsserver
Approved by:	so

share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc

@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:05.nfsserver                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Insufficient input validation in the NFS server
+
+Category:       core
+Module:         nfsserver
+Announced:      2013-04-29
+Credits:        Adam Nowacki
+Affects:        All supported versions of FreeBSD.
+Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
+                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
+                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
+                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
+                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
+                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
+CVE Name:       CVE-2013-3266
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) allows a host to export some or all of its
+file systems so that other hosts can access them over the network and mount
+them as if they were on local disks.  FreeBSD includes server and client
+implementations of NFS.
+
+FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
+NFSv2 and NFSv3 implementation and a new implementation which also
+supports NFSv4.
+
+FreeBSD 9.0 and onward uses the new NFS implementation by default.
+
+II.  Problem Description
+
+When processing READDIR requests, the NFS server does not check that
+it is in fact operating on a directory node.  An attacker can use a
+specially modified NFS client to submit a READDIR request on a file,
+causing the underlying filesystem to interpret that file as a
+directory.
+
+III. Impact
+
+The exact consequences of an attack depend on the amount of input
+validation in the underlying filesystem:
+
+ - If the file resides on a UFS filesystem on a little-endian server,
+   an attacker can cause random heap corruption with completely
+   unpredictable consequences.
+
+ - If the file resides on a ZFS filesystem, an attacker can write
+   arbitrary data on the stack.  It is believed, but has not been
+   confirmed, that this can be exploited to run arbitrary code in
+   kernel context.
+
+Other filesystems may also be vulnerable.
+
+IV.  Workaround
+
+Systems that do not provide NFS service are not vulnerable.  Neither
+are systems that do but use the old NFS implementation, which is the
+default in FreeBSD 8.x.
+
+To determine which implementation an NFS server is running, run the
+following command:
+
+# kldstat -v | grep -cw nfsd
+
+This will print 1 if the system is running the new NFS implementation,
+and 0 otherwise.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
+# gpg --verify nfsserver.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r250058
+releng/8.3/                                                       r250059
+releng/8.4/                                                       r250062
+stable/9/                                                         r250060
+releng/9.1/                                                       r250061
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
+9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
+=polM
+-----END PGP SIGNATURE-----

share/security/patches/SA-13:05/nfsserver.patch

@@ -0,0 +1,13 @@
+Index: sys/fs/nfsserver/nfs_nfsdport.c
+===================================================================
+--- sys/fs/nfsserver/nfs_nfsdport.c	(revision 249651)
++++ sys/fs/nfsserver/nfs_nfsdport.c	(working copy)
+@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg
+ 			nd->nd_repstat = NFSERR_BAD_COOKIE;
+ #endif
+ 	}
++	if (!nd->nd_repstat && vp->v_type != VDIR)
++		nd->nd_repstat = NFSERR_NOTDIR;
+ 	if (nd->nd_repstat == 0 && cnt == 0) {
+ 		if (nd->nd_flag & ND_NFSV2)
+ 			/* NFSv2 does not have NFSERR_TOOSMALL */

share/security/patches/SA-13:05/nfsserver.patch.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO
+F74AnAiX1rUC1Zvo3XU42efklaBo6F1g
+=yQwz
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -13,6 +13,14 @@
       <day>
 	<name>2</name>
 
+	<advisory>
+	  <name>FreeBSD-SA-13:05.bind</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:04.bind</name>
+	</advisory>
+
 	<advisory>
 	  <name>FreeBSD-SA-13:04.bind</name>
 	</advisory>