[kernel] r13464 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Apr 21 04:48:29 UTC 2009
Author: dannf
Date: Tue Apr 21 04:48:26 2009
New Revision: 13464
Log:
cifs: Fix memory overwrite when saving nativeFileSystem field during mount
(CVE-NEEDED)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Apr 20 23:56:03 2009 (r13463)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Apr 21 04:48:26 2009 (r13464)
@@ -12,6 +12,8 @@
* KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
* exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
* Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
+ * cifs: Fix memory overwrite when saving nativeFileSystem field during mount
+ (CVE-NEEDED)
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
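Review bot: the `(CVE-NEEDED)` placeholder in the new changelog line has to be replaced with the assigned identifier before this revision is built and uploaded, otherwise the changelog and the published advisory will disagree; a grep for `CVE-NEEDED` over debian/changelog before tagging catches it. The entry also names only the original "Fix memory overwrite" commit, while this revision adds three patches (the buffer-size follow-up and the bcc_ptr cleanup as well, per the Added list and the series hunk), so the entry should mention that the allocation was resized twice, or list the follow-up commits, so that anyone reading the changelog later knows which upstream fixes lenny actually carries.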
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch Tue Apr 21 04:48:26 2009 (r13464)
@@ -0,0 +1,42 @@
+commit f083def68f84b04fe3f97312498911afce79609e
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 11:21:52 2009 -0400
+
+ cifs: fix buffer size for tcon->nativeFileSystem field
+
+ The buffer for this was resized recently to fix a bug. It's still
+ possible however that a malicious server could overflow this field
+ by sending characters in it that are >2 bytes in the local charset.
+ Double the size of the buffer to account for this possibility.
+
+ Also get rid of some really strange and seemingly pointless NULL
+ termination. It's NULL terminating the string in the source buffer,
+ but by the time that happens, we've already copied the string.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c 2009-04-20 21:58:14.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c 2009-04-20 22:06:23.000000000 -0600
+@@ -3466,16 +3466,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(2*(length + 1), GFP_KERNEL);
++ kzalloc((4 * length) + 2, GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += 2 * length;
+- bcc_ptr[0] = 0; /* null terminate the string */
+- bcc_ptr[1] = 0;
+- bcc_ptr += 2;
++ bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these information fields*/
+ } else {
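Review bot: the new size `kzalloc((4 * length) + 2, GFP_KERNEL)` is justified in the message only as "double the size" for local-charset characters wider than 2 bytes, but nothing in the hunk states the converter's actual per-character upper bound, so a reader cannot verify that 4 bytes per UCS-2 code unit suffices for every `nls_codepage` a mount can be given; either put a comment next to the allocation saying where the factor of 4 comes from, or derive the size from the converter's documented maximum. Dropping `bcc_ptr[0] = 0; bcc_ptr[1] = 0;` is right for the reason the message gives (they wrote into the server response buffer after the string had already been copied out), and the replacement `bcc_ptr += (2 * length) + 2;` is removed again by the third patch in this revision, so the two must stay in that order in the series.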
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch Tue Apr 21 04:48:26 2009 (r13464)
@@ -0,0 +1,29 @@
+commit b363b3304bcf68c4541683b2eff70b29f0446a5b
+Author: Steve French <sfrench at us.ibm.com>
+Date: Wed Mar 18 05:57:22 2009 +0000
+
+ [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount
+
+ CIFS can allocate a few bytes to little for the nativeFileSystem field
+ during tree connect response processing during mount. This can result
+ in a "Redzone overwritten" message to be logged.
+
+ Signed-off-by: Sridhar Vinay <vinaysridhar at in.ibm.com>
+ Acked-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+ CC: Stable <stable at kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c 2009-04-20 21:58:14.000000000 -0600
+@@ -3466,7 +3466,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc(2*(length + 1), GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
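Review bot: `kzalloc(2*(length + 1), GFP_KERNEL)` repairs the `length + 2` undersizing but still assumes each UCS-2 code unit converts to at most 2 bytes in `nls_codepage`; since `length` is passed to `cifs_strfromUCS_le` as a count of `__le16` units, the converted string can still be wider than the buffer, which is exactly why the buffer-size patch in this same revision raises the allocation a second time. The message would be clearer if it said that the field is copied from the server's tree connect response, because that is what turns an undersized allocation here into a server-triggerable heap overwrite rather than a local slab-debug curiosity ("Redzone overwritten" is the symptom, not the bug). Minor: "to little" should read "too little".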
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch Tue Apr 21 04:48:26 2009 (r13464)
@@ -0,0 +1,26 @@
+commit 22c9d52bc03b880045ab1081890a38f11b272ae7
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 13:48:49 2009 -0400
+
+ cifs: remove unneeded bcc_ptr update in CIFSTCon
+
+ This pointer isn't used again after this point. It's also not updated in
+ the ascii case, so there's no need to update it here.
+
+ Pointed-out-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/connect.c linux-source-2.6.26/fs/cifs/connect.c
+--- linux-source-2.6.26.orig/fs/cifs/connect.c 2009-04-20 22:23:20.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/connect.c 2009-04-20 22:22:19.000000000 -0600
+@@ -3472,7 +3472,6 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these information fields*/
+ } else {
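Review bot: removing `bcc_ptr += (2 * length) + 2;` leaves `bcc_ptr` pointing at the start of the nativeFileSystem string in the unicode branch, and the hunk shows only three lines of trailing context, so the claim that the pointer is not used again cannot be confirmed from the diff alone; the backport should be checked against the remainder of `CIFSTCon` in 2.6.26 (the message notes the ascii `} else {` branch never advances it, which supports the removal). This patch only applies after cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch, which introduced the line being deleted, so its position in the series is load-bearing. The diff header timestamps also run backwards (the `.orig` file is newer than the patched one); harmless, but it suggests the patch was regenerated out of order.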
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Mon Apr 20 23:56:03 2009 (r13463)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Tue Apr 21 04:48:26 2009 (r13464)
@@ -8,3 +8,6 @@
+ bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
+ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
+ bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
++ bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
++ bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
++ bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
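Review bot: the order of the three new entries is a hard dependency, not a style choice: the memory-overwrite patch introduces `kzalloc(2*(length + 1), ...)`, the buffer-size patch replaces that exact line with `kzalloc((4 * length) + 2, ...)` and adds `bcc_ptr += (2 * length) + 2;`, and the bcc_ptr patch deletes that added line, so any reordering fails to apply. The series file gives no hint of this; if the series format accepts a comment line, one above the group saying the three must stay together and in this order would keep a later rebase from shuffling them.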