[kernel] r14100 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Aug 11 06:46:48 UTC 2009
Author: dannf
Date: Tue Aug 11 06:46:45 2009
New Revision: 14100
Log:
cifs: fix several string conversion issues (CVE-2009-1633)
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
- copied, changed from r14096, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
- copied, changed from r14096, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Tue Aug 11 06:12:34 2009 (r14099)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Aug 11 06:46:45 2009 (r14100)
@@ -3,6 +3,7 @@
* e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
* r8169: fix crash when large packets are received (CVE-2009-1389)
* nfs4: fix MAY_EXEC handling (CVE-2009-1630)
+ * cifs: fix several string conversion issues (CVE-2009-1633)
-- dann frazier <dannf at debian.org> Sat, 06 Jun 2009 09:55:38 -0600
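Review bot: the trailer line `-- dann frazier <dannf at debian.org> Sat, 06 Jun 2009 09:55:38 -0600` still carries the June timestamp although this entry is being extended on 11 Aug 2009; refresh the date (and the distribution/status line) before the 24etch3 upload so the changelog date matches what is actually released with the CVE-2009-1633 fix.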
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch Tue Aug 11 06:46:45 2009 (r14100)
@@ -0,0 +1,42 @@
+commit 8e6f195af0e1f226e9b2e0256af8df46adb9d595
+Author: Steve French <sfrench at us.ibm.com>
+Date: Mon Jan 22 01:19:30 2007 +0000
+
+ [CIFS] Fix oops when Windows server sent bad domain name null terminator
+
+ Fixes RedHat bug 211672
+
+ Windows sends one byte (instead of two) of null to terminate final Unicode
+ string (domain name) in session setup response in some cases - this caused
+ cifs to misalign some informational strings (making it hard to convert
+ from UCS16 to UTF8).
+
+ Thanks to Shaggy for his help and Akemi Yagi for debugging/testing
+
+ Signed-off-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index bbdda99..7584646 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -182,11 +182,14 @@ static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInf
+ cFYI(1,("bleft %d",bleft));
+
+
+- /* word align, if bytes remaining is not even */
+- if(bleft % 2) {
+- bleft--;
+- data++;
+- }
++ /* SMB header is unaligned, so cifs servers word align start of
++ Unicode strings */
++ data++;
++ bleft--; /* Windows servers do not always double null terminate
++ their final Unicode string - in which case we
++ now will not attempt to decode the byte of junk
++ which follows it */
++
+ words_left = bleft / 2;
+
+ /* save off server operating system */
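Review bot: the new unconditional `data++; bleft--;` in the sess.c hunk has no guard for an empty string area. `bleft` is a signed `int` (see the `decode_unicode_ssetup(char ** pbcc_area, int bleft, ...)` header), so with `bleft == 0` it becomes -1 and the following `words_left = bleft / 2;` evaluates to 0 only because C integer division truncates toward zero, while `data` has already been advanced one byte past the area the caller described. An explicit early return when `bleft < 1`, placed before the adjustment, would make that bound visible instead of implicit. Also, unlike the two copied patches in this commit, this file carries no "Adjusted to apply to Debian's 2.6.18" line; if upstream commit 8e6f195af0e1f226e9b2e0256af8df46adb9d595 applied unchanged, a note saying so above the diff would help the next backporter.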
Copied and modified: dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch (from r14096, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch Sat Aug 8 12:37:43 2009 (r14096, copy source)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch Tue Aug 11 06:46:45 2009 (r14100)
@@ -31,18 +31,18 @@
CC: Stable <stable at vger.kernel.org>
Signed-off-by: Steve French <sfrench at us.ibm.com>
-Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
-diff -urpN linux-source-2.6.26.orig/fs/cifs/sess.c linux-source-2.6.26/fs/cifs/sess.c
---- linux-source-2.6.26.orig/fs/cifs/sess.c 2009-05-11 12:06:56.000000000 -0600
-+++ linux-source-2.6.26/fs/cifs/sess.c 2009-05-25 23:24:01.000000000 -0600
-@@ -202,27 +202,26 @@ static int decode_unicode_ssetup(char **
+diff -urpN linux-source-2.6.18.orig/fs/cifs/sess.c linux-source-2.6.18/fs/cifs/sess.c
+--- linux-source-2.6.18.orig/fs/cifs/sess.c 2009-08-11 00:19:07.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/sess.c 2009-08-11 00:34:46.000000000 -0600
+@@ -174,27 +174,26 @@ static int decode_unicode_ssetup(char **
int words_left, len;
- char *data = *pbcc_area;
+ char * data = *pbcc_area;
-
-
- cFYI(1, ("bleft %d", bleft));
+ cFYI(1,("bleft %d",bleft));
-
- /* SMB header is unaligned, so cifs servers word align start of
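Review bot: the two backport annotations in this commit use different wording: this file now says `Backported to Debian's 2.6.18 by dann frazier`, while the readdir patch says `Adjusted to apply to Debian's 2.6.18`; pick one form so backported patches can be grepped consistently, and state in it that the differences from the upstream hunk visible here are context-style adaptations only (`char * data`, `cFYI(1,("bleft %d",bleft));`) for the 2.6.18 tree, with no behavioural change.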
@@ -64,7 +64,7 @@
+ data[bleft] = 0;
+ ++bleft;
+ }
-
+
words_left = bleft / 2;
/* save off server operating system */
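Review bot: the retained `data[bleft] = 0; ++bleft;` pad writes a NUL at offset `bleft`, i.e. one byte beyond the byte-count area the function was handed, and relies on the SMB receive buffer having slack past that area. Nothing in the hunk states that assumption; a one-line comment at the write (or a check against the real buffer length in the 2.6.18 backport) would make it auditable rather than something a reader has to verify in the caller.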
@@ -73,30 +73,30 @@
-/* We look for obvious messed up bcc or strings in response so we do not go off
- the end since (at least) WIN2K and Windows XP have a major bug in not null
- terminating last Unicode string in response */
- if (len >= words_left)
+ if(len >= words_left)
return rc;
-@@ -260,13 +259,10 @@ static int decode_unicode_ssetup(char **
- return rc;
+@@ -237,13 +236,10 @@ static int decode_unicode_ssetup(char **
- kfree(ses->serverDomain);
-- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
-- if (ses->serverDomain != NULL) {
+ if(ses->serverDomain)
+ kfree(ses->serverDomain);
+- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+- if(ses->serverDomain != NULL) {
+ ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
+ if (ses->serverDomain != NULL)
- cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
- nls_cp);
-- ses->serverDomain[2*len] = 0;
-- ses->serverDomain[(2*len) + 1] = 0;
-- }
- data += 2 * (len + 1);
- words_left -= len + 1;
-
-@@ -605,12 +601,18 @@ CIFS_SessSetup(unsigned int xid, struct
- }
+ cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
+ nls_cp);
+- ses->serverDomain[2*len] = 0;
+- ses->serverDomain[(2*len) + 1] = 0;
+- }
+ data += 2 * (len + 1);
+ words_left -= len + 1;
+
+@@ -524,11 +520,17 @@ CIFS_SessSetup(unsigned int xid, struct
+ }
/* BB check if Unicode and decode strings */
-- if (smb_buf->Flags2 & SMBFLG2_UNICODE)
+- if(smb_buf->Flags2 & SMBFLG2_UNICODE)
+ if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+ /* unicode string area must be word-aligned */
+ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
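Review bot: the backport keeps the upstream change from `kzalloc(2 * (len + 1), GFP_KERNEL)` (the line marked `/* BB FIXME wrong length */`) to `kzalloc((4 * len) + 2, GFP_KERNEL)` and drops the explicit `ses->serverDomain[2*len] = 0;` and `ses->serverDomain[(2*len) + 1] = 0;` terminator writes, so NUL termination now depends entirely on kzalloc's zero fill plus `cifs_strfromUCS_le` emitting at most `4 * len` bytes for `len` UCS-2 code units. That per-character bound is the invariant the whole fix rests on (the same constant reappears in the readdir patch), so it deserves a comment at the allocation in the 2.6.18 version rather than being left implicit.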
@@ -108,9 +108,8 @@
- else
+ ses, nls_cp);
+ } else {
- rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
- ses, nls_cp);
+ rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
+ }
-
+
ssetup_exit:
- if (spnego_key)
+ kfree(str_area);
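Review bot: style nit on `+ rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);`: the missing space after `ses,` and the collapse onto one line deviate from the upstream two-line form for no functional reason; keeping the upstream lines verbatim makes future rebases against the 2.6.26 version of this patch cleaner. The `ssetup_exit:` context change from `if (spnego_key)` to `kfree(str_area);` simply reflects the 2.6.18 tree's older cleanup path and needs no change.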
Copied and modified: dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch (from r14096, dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch Sat Aug 8 12:37:43 2009 (r14096, copy source)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch Tue Aug 11 06:46:45 2009 (r14100)
@@ -12,16 +12,16 @@
Acked-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Steve French <sfrench at us.ibm.com>
-diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
-index 1a8be62..ebd0da7 100644
---- a/fs/cifs/readdir.c
-+++ b/fs/cifs/readdir.c
-@@ -1074,7 +1074,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+diff -urpN linux-source-2.6.18.orig/fs/cifs/readdir.c linux-source-2.6.18/fs/cifs/readdir.c
+--- linux-source-2.6.18.orig/fs/cifs/readdir.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/readdir.c 2009-08-11 00:40:14.000000000 -0600
+@@ -1044,7 +1044,7 @@ int cifs_readdir(struct file *file, void
with the rare long characters alloc more to account for
such multibyte target UTF-8 characters. cifs_unicode.c,
which actually does the conversion, has the same limit */
- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
+ tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);
- for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
- if (current_entry == NULL) {
+ for(i=0;(i<num_to_fill) && (rc == 0);i++) {
+ if(current_entry == NULL) {
/* evaluate whether this case is an error */
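Review bot: the `tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);` size change is only a complete fix if the converter it feeds agrees with it: the retained context says `cifs_unicode.c, which actually does the conversion, has the same limit`, yet this commit adds no cifs_unicode.c hunk for 2.6.18. Confirm that the 2.6.18 `cifs_unicode.c` bound matches `(4 * NAME_MAX) + 2`, or reword that comment, so the stated invariant remains true after the backport.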
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch3 Tue Aug 11 06:12:34 2009 (r14099)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch3 Tue Aug 11 06:46:45 2009 (r14100)
@@ -1,3 +1,6 @@
+ bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
+ bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
+ bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
++ bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
++ bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
++ bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
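Review bot: the order of the three new entries is a dependency and deserves a comment in the series file: the 2.6.26 version of `cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch` uses the `/* SMB header is unaligned, so cifs servers word align start of` line as context, and that line is introduced by `cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch`, so the oops fix must stay listed first. The `++ ` prefix on these lines is the outer diff's `+` followed by the series file's own leading `+ ` apply marker, not a typo.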