Re: CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission

["Steven M. Christey" <coley () linus mitre org>]

On Wed, 13 May 2009, Eugene Teo wrote:

> Frank Filz reported: the problem is that permission checking is skipped
> if atomic open is possible, but when exec opens a file, it just opens it
> O_READONLY which means EXEC permission will not be checked at that time.

======================================================
Name: CVE-2009-1630
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630
Reference: MLIST:[linux-nfs] 20090509 [NFS] [PATCH] nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
Reference: URL:http://article.gmane.org/gmane.linux.nfs/26592
Reference: MLIST:[nfsv4] 20061116 Status of execute permissions in NFSv4 ACLs ?
Reference: URL:http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
Reference: MLIST:[nfsv4] 20061117 [Patch] Re: Status of execute permissions in NFSv4 ACLs ?
Reference: URL:http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
Reference: MLIST:[oss-security] 20090513 CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in 
nfs_permission
Reference: URL:http://www.openwall.com/lists/oss-security/2009/05/13/2
Reference: CONFIRM:http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=500297
Reference: BID:34934
Reference: URL:http://www.securityfocus.com/bid/34934

The nfs_permission function in fs/nfs/dir.c in the NFS client
implementation in the Linux kernel 2.6.29.3 and earlier, when
atomic_open is available, does not check execute (aka EXEC or
MAY_EXEC) permission bits, which allows local users to bypass
permissions and execute files, as demonstrated by files on an NFSv4
fileserver.