[kernel] r13836 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Thu Jun 18 04:19:55 UTC 2009

Author: dannf
Date: Thu Jun 18 04:19:52 2009
New Revision: 13836

Log:
cifs: fix several string conversion issues (CVE-2009-1633)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
      - copied unchanged from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
      - copied unchanged from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6.24/debian/changelog	Wed Jun 17 14:50:21 2009	(r13835)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Thu Jun 18 04:19:52 2009	(r13836)
@@ -3,6 +3,7 @@
   * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
   * r8169: fix crash when large packets are received (CVE-2009-1389)
   * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
+  * cifs: fix several string conversion issues (CVE-2009-1633)
 
  -- dann frazier <dannf at debian.org>  Sat, 06 Jun 2009 09:49:28 -0600
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch (from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch	Thu Jun 18 04:19:52 2009	(r13836, copy of r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
@@ -0,0 +1,116 @@
+commit 27b87fe52baba0a55e9723030e76fce94fabcea4
+Author: Jeff Layton <jlayton at redhat.com>
+Date:   Tue Apr 14 11:00:53 2009 -0400
+
+    cifs: fix unicode string area word alignment in session setup
+    
+    The handling of unicode string area alignment is wrong.
+    decode_unicode_ssetup improperly assumes that it will always be preceded
+    by a pad byte. This isn't the case if the string area is already
+    word-aligned.
+    
+    This problem, combined with the bad buffer sizing for the serverDomain
+    string can cause memory corruption. The bad alignment can make it so
+    that the alignment of the characters is off. This can make them
+    translate to characters that are greater than 2 bytes each. If this
+    happens we can overflow the allocation.
+    
+    Fix this by fixing the alignment in CIFS_SessSetup instead so we can
+    verify it against the head of the response. Also, clean up the
+    workaround for improperly terminated strings by checking for a
+    odd-length unicode buffers and then forcibly terminating them.
+    
+    Finally, resize the buffer for serverDomain. Now that we've fixed
+    the alignment, it's probably fine, but a malicious server could
+    overflow it.
+    
+    A better solution for handling these strings is still needed, but
+    this should be a suitable bandaid.
+    
+    Signed-off-by: Jeff Layton <jlayton at redhat.com>
+    CC: Stable <stable at vger.kernel.org>
+    Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/sess.c linux-source-2.6.26/fs/cifs/sess.c
+--- linux-source-2.6.26.orig/fs/cifs/sess.c	2009-05-11 12:06:56.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/sess.c	2009-05-25 23:24:01.000000000 -0600
+@@ -202,27 +202,26 @@ static int decode_unicode_ssetup(char **
+ 	int words_left, len;
+ 	char *data = *pbcc_area;
+ 
+-
+-
+ 	cFYI(1, ("bleft %d", bleft));
+ 
+-
+-	/* SMB header is unaligned, so cifs servers word align start of
+-	   Unicode strings */
+-	data++;
+-	bleft--; /* Windows servers do not always double null terminate
+-		    their final Unicode string - in which case we
+-		    now will not attempt to decode the byte of junk
+-		    which follows it */
++	/*
++	 * Windows servers do not always double null terminate their final
++	 * Unicode string. Check to see if there are an uneven number of bytes
++	 * left. If so, then add an extra NULL pad byte to the end of the
++	 * response.
++	 *
++	 * See section 2.7.2 in "Implementing CIFS" for details
++	 */
++	if (bleft % 2) {
++		data[bleft] = 0;
++		++bleft;
++	}
+ 
+ 	words_left = bleft / 2;
+ 
+ 	/* save off server operating system */
+ 	len = UniStrnlen((wchar_t *) data, words_left);
+ 
+-/* We look for obvious messed up bcc or strings in response so we do not go off
+-   the end since (at least) WIN2K and Windows XP have a major bug in not null
+-   terminating last Unicode string in response  */
+ 	if (len >= words_left)
+ 		return rc;
+ 
+@@ -260,13 +259,10 @@ static int decode_unicode_ssetup(char **
+ 		return rc;
+ 
+ 	kfree(ses->serverDomain);
+-	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+-	if (ses->serverDomain != NULL) {
++	ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
++	if (ses->serverDomain != NULL)
+ 		cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
+ 				   nls_cp);
+-		ses->serverDomain[2*len] = 0;
+-		ses->serverDomain[(2*len) + 1] = 0;
+-	}
+ 	data += 2 * (len + 1);
+ 	words_left -= len + 1;
+ 
+@@ -605,12 +601,18 @@ CIFS_SessSetup(unsigned int xid, struct 
+ 	}
+ 
+ 	/* BB check if Unicode and decode strings */
+-	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
++	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++		/* unicode string area must be word-aligned */
++		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
++			++bcc_ptr;
++			--bytes_remaining;
++		}
+ 		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
+-						   ses, nls_cp);
+-	else
++					   ses, nls_cp);
++	} else {
+ 		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
+ 					 ses, nls_cp);
++	}
+ 
+ ssetup_exit:
+ 	if (spnego_key)

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch (from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch	Thu Jun 18 04:19:52 2009	(r13836, copy of r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
@@ -0,0 +1,27 @@
+commit 7b0c8fcff47a885743125dd843db64af41af5a61
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date:   Mon Apr 20 18:54:36 2009 +0530
+
+    cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows
+    
+    Increase size of tmp_buf to possible maximum to avoid potential
+    overflows.
+    
+    Pointed-out-by: Jeff Layton <jlayton at redhat.com>
+    Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+    Acked-by: Jeff Layton <jlayton at redhat.com>
+    Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 1a8be62..ebd0da7 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -1074,7 +1074,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
+ 		with the rare long characters alloc more to account for
+ 		such multibyte target UTF-8 characters. cifs_unicode.c,
+ 		which actually does the conversion, has the same limit */
+-		tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
++		tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);
+ 		for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
+ 			if (current_entry == NULL) {
+ 				/* evaluate whether this case is an error */

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Wed Jun 17 14:50:21 2009	(r13835)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Thu Jun 18 04:19:52 2009	(r13836)
@@ -1,3 +1,5 @@
 + bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
 + bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
 + bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
++ bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
++ bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch

