[kernel] r13464 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Apr 21 04:48:29 UTC 2009


Author: dannf
Date: Tue Apr 21 04:48:26 2009
New Revision: 13464

Log:
cifs: Fix memory overwrite when saving nativeFileSystem field during mount
(CVE-NEEDED)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr 20 23:56:03 2009	(r13463)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Apr 21 04:48:26 2009	(r13464)
@@ -12,6 +12,8 @@
   * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
   * exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
   * Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
+  * cifs: Fix memory overwrite when saving nativeFileSystem field during mount
+    (CVE-NEEDED)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch	Tue Apr 21 04:48:26 2009	(r13464)
@@ -0,0 +1,42 @@
+commit f083def68f84b04fe3f97312498911afce79609e
+Author: Jeff Layton <jlayton at redhat.com>
+Date:   Thu Apr 16 11:21:52 2009 -0400
+
+    cifs: fix buffer size for tcon->nativeFileSystem field
+    
+    The buffer for this was resized recently to fix a bug. It's still
+    possible however that a malicious server could overflow this field
+    by sending characters in it that are >2 bytes in the local charset.
+    Double the size of the buffer to account for this possibility.
+    
+    Also get rid of some really strange and seemingly pointless NULL
+    termination. It's NULL terminating the string in the source buffer,
+    but by the time that happens, we've already copied the string.
+    
+    Signed-off-by: Jeff Layton <jlayton at redhat.com>
+    Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c	2009-04-20 21:58:14.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c	2009-04-20 22:06:23.000000000 -0600
+@@ -3466,16 +3466,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 			    BCC(smb_buffer_response)) {
+ 				kfree(tcon->nativeFileSystem);
+ 				tcon->nativeFileSystem =
+-				    kzalloc(2*(length + 1), GFP_KERNEL);
++				    kzalloc((4 * length) + 2, GFP_KERNEL);
+ 				if (tcon->nativeFileSystem)
+ 					cifs_strfromUCS_le(
+ 						tcon->nativeFileSystem,
+ 						(__le16 *) bcc_ptr,
+ 						length, nls_codepage);
+-				bcc_ptr += 2 * length;
+-				bcc_ptr[0] = 0;	/* null terminate the string */
+-				bcc_ptr[1] = 0;
+-				bcc_ptr += 2;
++				bcc_ptr += (2 * length) + 2;
+ 			}
+ 			/* else do not bother copying these information fields*/
+ 		} else {
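Review bot: The new size expression `kzalloc((4 * length) + 2, GFP_KERNEL)` leaves the reader of CIFSTCon with two unexplained constants, since the reasoning (a UCS-2 unit may expand to more than 2 bytes in the local charset) lives only in this patch description; I would put a comment directly above the kzalloc, e.g. `/* worst case: each UCS-2 unit may expand to 4 bytes in nls_codepage, plus terminator slack */`. Whether `length` is bounded before this multiplication depends on the condition that ends at `BCC(smb_buffer_response)) {`, whose start and the earlier computation of `length` are outside the hunk, so the arithmetic cannot be confirmed overflow-safe from this hunk alone and the comment should say what bound it relies on. The same missing rationale applies to the intermediate `kzalloc(2*(length + 1), GFP_KERNEL)` in cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch, which this patch supersedes in series order, so one comment in the final state suffices. The enclosing function CIFSTCon begins and ends outside the hunk.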

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch	Tue Apr 21 04:48:26 2009	(r13464)
@@ -0,0 +1,29 @@
+commit b363b3304bcf68c4541683b2eff70b29f0446a5b
+Author: Steve French <sfrench at us.ibm.com>
+Date:   Wed Mar 18 05:57:22 2009 +0000
+
+    [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount
+    
+    CIFS can allocate a few bytes to little for the nativeFileSystem field
+    during tree connect response processing during mount.  This can result
+    in a "Redzone overwritten" message to be logged.
+    
+    Signed-off-by: Sridhar Vinay <vinaysridhar at in.ibm.com>
+    Acked-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+    CC: Stable <stable at kernel.org>
+    Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c	2009-04-20 21:58:14.000000000 -0600
+@@ -3466,7 +3466,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 			    BCC(smb_buffer_response)) {
+ 				kfree(tcon->nativeFileSystem);
+ 				tcon->nativeFileSystem =
+-				    kzalloc(length + 2, GFP_KERNEL);
++				    kzalloc(2*(length + 1), GFP_KERNEL);
+ 				if (tcon->nativeFileSystem)
+ 					cifs_strfromUCS_le(
+ 						tcon->nativeFileSystem,

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch	Tue Apr 21 04:48:26 2009	(r13464)
@@ -0,0 +1,26 @@
+commit 22c9d52bc03b880045ab1081890a38f11b272ae7
+Author: Jeff Layton <jlayton at redhat.com>
+Date:   Thu Apr 16 13:48:49 2009 -0400
+
+    cifs: remove unneeded bcc_ptr update in CIFSTCon
+    
+    This pointer isn't used again after this point. It's also not updated in
+    the ascii case, so there's no need to update it here.
+    
+    Pointed-out-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+    Signed-off-by: Jeff Layton <jlayton at redhat.com>
+    Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c	2009-04-20 22:23:20.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c	2009-04-20 22:22:19.000000000 -0600
+@@ -3472,7 +3472,6 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 						tcon->nativeFileSystem,
+ 						(__le16 *) bcc_ptr,
+ 						length, nls_codepage);
+-				bcc_ptr += (2 * length) + 2;
+ 			}
+ 			/* else do not bother copying these information fields*/
+ 		} else {

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Mon Apr 20 23:56:03 2009	(r13463)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Tue Apr 21 04:48:26 2009	(r13464)
@@ -8,3 +8,6 @@
 + bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
 + bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
 + bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
++ bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
++ bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
++ bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch


