[kernel] r18000 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 25 02:44:31 UTC 2011


Author: dannf
Date: Thu Aug 25 02:44:30 2011
New Revision: 18000

Log:
cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 25 02:39:36 2011	(r17999)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 25 02:44:30 2011	(r18000)
@@ -14,6 +14,7 @@
   * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
   * comedi: fix infoleak to userspace (CVE-2011-2909)
   * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
+  * cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
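Review bot: the new changelog entry carries only the CVE id, while the upstream commit it backports is identified nowhere in this revision except through the X-Git-Url in the patch header (hash c32dfffaf59f73bbcf4472141b851a4dc5db2bf0 in the sfrench cifs-2.6 tree); consider recording that commit id either here or in the patch header so the backport can be diffed against upstream later. The wording otherwise matches the patch subject and the series entry, which is the convention the surrounding entries follow.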

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch	Thu Aug 25 02:44:30 2011	(r18000)
@@ -0,0 +1,27 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Tue, 23 Aug 2011 11:21:28 +0000 (-0400)
+Subject: cifs: fix possible memory corruption in CIFSFindNext
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fsfrench%2Fcifs-2.6.git;a=commitdiff_plain;h=c32dfffaf59f73bbcf4472141b851a4dc5db2bf0
+
+cifs: fix possible memory corruption in CIFSFindNext
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable at kernel.org>
+Reported-by: Darren Lavender <dcl at hppine99.gbr.hp.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+[dannf: backported to Debian's 2.6.32]
+---
+
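Review bot: the added file ends at the `---` separator with no diff hunk after it; the hunk header `@@ -0,0 +1,27 @@` accounts for exactly the 27 header and description lines shown, so as committed this patch changes no source file and the `name_len` declaration the subject line promises to make unsigned is untouched. Applying the series with this file in place delivers no CVE-2011-3191 fix; the backported hunk for CIFSFindNext (with its `--- a/` and `+++ b/` file headers) needs to be appended below the `---` line, and the `[dannf: backported to Debian's 2.6.32]` note should then say what, if anything, differs from the upstream change.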

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 25 02:39:36 2011	(r17999)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 25 02:44:30 2011	(r18000)
@@ -21,3 +21,4 @@
 + bugfix/all/close-race-in-proc-pid-environ.patch
 + bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
 + bugfix/all/proc-syscall-stack-personality-races.patch
++ bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
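Review bot: the path appended here matches the newly added file exactly and the position at the end of 35squeeze1 is fine for an independent fix, but the file it names, as added in this same revision, has no hunks after its `---` line, so pushing this series will not change the kernel source for CVE-2011-3191 until the diff body is filled in; apply the full series and build before relying on this entry.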

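The bug the commit message describes, a server-controlled unsigned 32-bit length stored in a signed int before the PATH_MAX comparison, as an added example written for this page and not code from the kernel, the patch or Debian: `vulnerable_check_passes` models the pre-fix shape, `fixed_check_passes` the shape after making `name_len` unsigned, and `server_len_from_wire` parses a constructed little-endian length field. The function names, the struct-free signatures, the sample byte strings and the assumption that the field is little-endian are all this example's own; the real CIFSFindNext is not reproduced here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* Linux value; <limits.h> normally provides it */
#endif

/*
 * Constructed sample length fields, as a server might send them: a sane
 * 12-byte resume name length and a hostile 0xFFFFFFF0.  These bytes are
 * made up for this example; the position of the field in a real FindNext
 * response is not modelled.
 */
const uint8_t SAMPLE_SANE[4]    = { 0x0c, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_HOSTILE[4] = { 0xf0, 0xff, 0xff, 0xff };

/* Little-endian 32-bit decode (assumption: the wire field is LE). */
uint32_t server_len_from_wire(const uint8_t wire[4])
{
    return (uint32_t)wire[0] | ((uint32_t)wire[1] << 8) |
           ((uint32_t)wire[2] << 16) | ((uint32_t)wire[3] << 24);
}

/*
 * Vulnerable shape: the unsigned value lands in a signed int before the
 * PATH_MAX check.  Returns true when the check lets the length through,
 * which is when the original code would go on to memcpy with it.
 * The cast mirrors the implicit unsigned-to-int assignment in the bug;
 * on gcc/clang (two's complement) 0xFFFFFFF0 becomes -16.
 */
bool vulnerable_check_passes(uint32_t resume_name_len)
{
    int name_len = (int)resume_name_len;
    return !(name_len > PATH_MAX);          /* -16 > 4096 is false: passes */
}

/*
 * The length memcpy would receive: the negative int is converted back to
 * size_t, sign-extended on 64-bit targets (SIZE_MAX - 15 for -16), so the
 * copy runs far past any buffer.
 */
size_t vulnerable_memcpy_len(uint32_t resume_name_len)
{
    int name_len = (int)resume_name_len;
    return (size_t)name_len;
}

/* Fixed shape: name_len stays unsigned, so 0xFFFFFFF0 compares as a huge
 * positive value and is rejected before any copy happens. */
bool fixed_check_passes(uint32_t resume_name_len)
{
    unsigned int name_len = resume_name_len;
    return !(name_len > (unsigned int)PATH_MAX);
}

int main(void)
{
    const uint8_t *samples[2] = { SAMPLE_SANE, SAMPLE_HOSTILE };
    for (int i = 0; i < 2; i++) {
        uint32_t len = server_len_from_wire(samples[i]);
        printf("server len 0x%08x: vulnerable check %s (memcpy len %zu), "
               "fixed check %s\n",
               len,
               vulnerable_check_passes(len) ? "PASSES" : "rejects",
               vulnerable_memcpy_len(len),
               fixed_check_passes(len) ? "passes" : "rejects");
    }
    return 0;
}
```

The check a reviewer would want on a backport like this is that the variable receiving `resume_name_len` is unsigned at the point of the PATH_MAX comparison, not just at the memcpy; gcc's `-Wsign-conversion` flags the implicit unsigned-to-signed assignment that creates the window, which is a cheap way to find siblings of this pattern elsewhere in the same code.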


More information about the Kernel-svn-changes mailing list