Bug #8106

authloopback_marshal() can violate the RPC specification

Added by Marcel Telka almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: kernel
Start date: 2017-04-25
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

In case a user is in a large number of groups, let's say 80, and the machine nodename is long enough, let's say 100 characters long, authloopback_marshal() could create an authentication body that is too long to fit into the opaque_auth structure. The size of the auth body is limited to 400 bytes by RFC 5531, but in the example above we will create (and successfully encode and send to the other party) an auth body of 5 * 4 + 100 + 80 * 4 = 440 bytes.

This will happen only in case the XDR_INLINE() call in the authloopback_marshal() function succeeds.


Files

module.c (3.9 KB) Marcel Telka, 2017-04-26 01:58 PM

Related issues

Related to illumos gate - Bug #8105: libnsl(3nsl): NGRPS_LOOPBACK should be increased (In Progress, 2017-04-25)

Related to illumos gate - Bug #8109: Kernel AUTH_SYS and AUTH_LOOPBACK implementation can ignore provided credentials (Closed, 2017-04-26)

History

#1

Updated by Marcel Telka almost 3 years ago

  • Related to Bug #8085: Handle RPC groups better added
#2

Updated by Marcel Telka almost 3 years ago

  • Subject changed from authloopback_marshal() should do better to authloopback_marshal() can violate the RPC specification
  • Description updated (diff)
  • Category changed from networking to kernel

After thinking about this a little more, I decided not to allow authloopback_marshal() to succeed, in case the user is in a large number of groups, by encoding only a limited set of groups (similarly to what authkern_marshal() does today). If I did that, it might confuse AUTH_LOOPBACK users when they receive an incomplete list of groups. I believe the current AUTH_LOOPBACK consumers in the gate are not prone to being confused by that, but it would still be better not to change the current behavior, to be safe.

In any case, if needed, we can easily change the authloopback_marshal() behavior in the future to behave similarly to authkern_marshal() and not fail for a large number of groups.

#3

Updated by Marcel Telka almost 3 years ago

  • Related to deleted (Bug #8085: Handle RPC groups better)
#4

Updated by Marcel Telka almost 3 years ago

  • Related to Bug #8105: libnsl(3nsl): NGRPS_LOOPBACK should be increased added
#5

Updated by Marcel Telka almost 3 years ago

  • Related to Bug #8109: Kernel AUTH_SYS and AUTH_LOOPBACK implementation can ignore provided credentials added
#6

Updated by Marcel Telka almost 3 years ago

To reproduce this problem compile the attached module.c file using these steps:

$ /opt/gcc/4.4.4/bin/gcc -Wall -D_KERNEL -m64 -mcmodel=kernel -mno-red-zone -ffreestanding -nodefaultlibs -c module.c
$ /usr/ccs/bin/ld -dy -N rpcsec -r -o module module.o

and then do this:

# mdb -kwe 'ngroups_max/W 100'
# hostname $(python -c 'print "x" * 100')
# modload module

You will see this in the log:

Apr 26 16:00:37 t4 module: [ID 378104 kern.info] NOTICE: AUTH_LOOPBACK, 70 groups, xdrmem success: 000055de 00000190
Apr 26 16:00:37 t4 module: [ID 618828 kern.info] NOTICE: AUTH_LOOPBACK, 70 groups, xdrmblk success: 000055de 000000a4
Apr 26 16:00:37 t4 module: [ID 633239 kern.info] NOTICE: AUTH_LOOPBACK, 80 groups, xdrmem success: 000055de 000001b8
Apr 26 16:00:37 t4 module: [ID 767423 kern.info] NOTICE: AUTH_LOOPBACK, 80 groups, xdrmblk success: 000055de 000000a4
Apr 26 16:00:37 t4 module: [ID 398392 kern.info] NOTICE: AUTH_SYS, 80 groups, xdrmem success: 00000001 000000b8
Apr 26 16:00:37 t4 module: [ID 301671 kern.info] NOTICE: AUTH_SYS, 80 groups, xdrmblk success: 00000001 000000a4

At line 3 you see the encoded size of the auth body 0x1b8 (440) bytes. For this case (and also for line 4) it was expected that the AUTH_MARSHALL() call would fail.
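
The size arithmetic from the description, and the 0x190 and 0x1b8 lengths in the log above, worked through as an added C example; this is not the illumos code or the attached module.c. The names cred_body_len, marshal_cred_body, demo and XDR_UNIT are hypothetical, the body layout is assumed from the description's formula, and MAX_AUTH_BYTES is set to the 400-byte RFC 5531 limit the description cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_AUTH_BYTES 400 /* RFC 5531 limit on the opaque_auth body */
#define XDR_UNIT 4
#define RNDUP(x) ((((x) + XDR_UNIT - 1) / XDR_UNIT) * XDR_UNIT)

/* Body size: stamp, name length, padded name, uid, gid, group count, groups. */
size_t cred_body_len(size_t namelen, size_t ngroups)
{
    return 5 * XDR_UNIT + RNDUP(namelen) + ngroups * XDR_UNIT;
}

static uint8_t *put_u32(uint8_t *p, uint32_t v) /* big-endian XDR word */
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
    return p + XDR_UNIT;
}

/* Hypothetical bounded marshal; out holds MAX_AUTH_BYTES. -1 = over limit. */
int marshal_cred_body(uint8_t *out, uint32_t stamp, const char *name,
    uint32_t uid, uint32_t gid, const uint32_t *groups, size_t ngroups)
{
    size_t namelen = strlen(name);
    /* Reject before writing anything; the first two tests stop wraparound. */
    if (namelen > MAX_AUTH_BYTES || ngroups > MAX_AUTH_BYTES / XDR_UNIT ||
        cred_body_len(namelen, ngroups) > MAX_AUTH_BYTES)
        return -1;
    uint8_t *p = put_u32(put_u32(out, stamp), (uint32_t)namelen);
    memset(p, 0, RNDUP(namelen)); /* XDR pads opaque data with zeros */
    memcpy(p, name, namelen);
    p = put_u32(put_u32(p + RNDUP(namelen), uid), gid);
    p = put_u32(p, (uint32_t)ngroups);
    for (size_t i = 0; i < ngroups; i++)
        p = put_u32(p, groups[i]);
    return (int)(p - out);
}

/* Constructed input: nodename of namelen 'x' characters, all-zero gids. */
int demo(size_t namelen, size_t ngroups)
{
    uint8_t out[MAX_AUTH_BYTES];
    char name[256] = { 0 };
    uint32_t groups[128] = { 0 };
    if (namelen >= sizeof (name) || ngroups > 128)
        return -1;
    memset(name, 'x', namelen);
    return marshal_cred_body(out, 0, name, 1, 1, groups, ngroups);
}
```

With a 100-character nodename, 70 groups is the largest list that still fits (exactly 400 bytes), which matches the 0x190 length on the first log line.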

#8

Updated by Marcel Telka almost 3 years ago

  • Status changed from In Progress to Pending RTI
#9

Updated by Electric Monk almost 3 years ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 0 to 100

git commit 6dd72a43d2e43185833c20e7f0c4cb88a4d37ec8

commit  6dd72a43d2e43185833c20e7f0c4cb88a4d37ec8
Author: Marcel Telka <marcel@telka.sk>
Date:   2017-06-13T14:37:46.000Z

    8106 authloopback_marshal() can violate the RPC specification
    8109 Kernel AUTH_SYS and AUTH_LOOPBACK implementation can ignore provided credentials
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Jason King <jason.brian.king+illumos@gmail.com>
    Approved by: Dan McDonald <danmcd@joyent.com>
