[kernel] r17435 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue May 17 07:22:39 UTC 2011
Author: dannf
Date: Tue May 17 07:22:37 2011
New Revision: 17435
Log:
* [cifs] fix session reuse issue (CVE-2011-1585):
- cifs: clean up cifs_find_smb_ses
- cifs: fix NULL pointer dereference in cifs_find_smb_ses
- cifs: check for NULL session password
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-check-for-NULL-session-password.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-clean-up-cifs_find_smb_ses.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Tue May 17 07:10:34 2011 (r17434)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue May 17 07:22:37 2011 (r17435)
@@ -1,6 +1,10 @@
linux-2.6 (2.6.32-34squeeze1) UNRELEASED; urgency=high
* Validate size of EFI GUID partition entries (CVE-2011-1577)
+ * [cifs] fix session reuse issue (CVE-2011-1585):
+ - cifs: clean up cifs_find_smb_ses
+ - cifs: fix NULL pointer dereference in cifs_find_smb_ses
+ - cifs: check for NULL session password
-- dann frazier <dannf at debian.org> Tue, 17 May 2011 00:41:07 -0600
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-check-for-NULL-session-password.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-check-for-NULL-session-password.patch Tue May 17 07:22:37 2011 (r17435)
@@ -0,0 +1,24 @@
+commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Mon Aug 23 11:38:04 2010 -0400
+
+ cifs: check for NULL session password
+
+ It's possible for a cifsSesInfo struct to have a NULL password, so we
+ need to check for that prior to running strncmp on it.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 18af707..ec0ea4a 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1673,6 +1673,7 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
+ MAX_USERNAME_SIZE))
+ continue;
+ if (strlen(vol->username) != 0 &&
++ ses->password != NULL &&
+ strncmp(ses->password,
+ vol->password ? vol->password : "",
+ MAX_PASSWORD_SIZE))
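Review bot: in the added condition `ses->password != NULL &&`, a NULL `ses->password` makes the whole `if` evaluate false, so the loop does not `continue` and the session is matched without any password comparison at all, even when the mount supplied a non-empty `vol->password`. If a session that was established without a password should not be reusable by a mount that presents one, the check needs the symmetric case too, for example treating a NULL `ses->password` as `""` the way `vol->password ? vol->password : ""` already does for the other operand, so both sides always go through `strncmp`.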
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-clean-up-cifs_find_smb_ses.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-clean-up-cifs_find_smb_ses.patch Tue May 17 07:22:37 2011 (r17435)
@@ -0,0 +1,84 @@
+commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue Jul 6 20:43:02 2010 -0400
+
+ cifs: clean up cifs_find_smb_ses (try #2)
+
+ This patch replaces the earlier patch by the same name. The only
+ difference is that MAX_PASSWORD_SIZE has been increased to attempt to
+ match the limits that windows enforces.
+
+ Do a better job of matching sessions by authtype. Matching by username
+ for a Kerberos session is incorrect, and anonymous sessions need special
+ handling.
+
+ Also, in the case where we do match by username, we also need to match
+ by password. That ensures that someone else doesn't "borrow" an existing
+ session without needing to know the password.
+
+ Finally, passwords can be longer than 16 bytes. Bump MAX_PASSWORD_SIZE
+ to 512 to match the size that the userspace mount helper allows.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/cifs/cifsglob.h linux-source-2.6.32/fs/cifs/cifsglob.h
+--- linux-source-2.6.32.orig/fs/cifs/cifsglob.h 2011-05-03 09:28:59.000000000 -0600
++++ linux-source-2.6.32/fs/cifs/cifsglob.h 2011-05-17 00:55:12.683573674 -0600
+@@ -33,7 +33,7 @@
+ #define MAX_SHARE_SIZE 64 /* used to be 20, this should still be enough */
+ #define MAX_USERNAME_SIZE 32 /* 32 is to allow for 15 char names + null
+ termination then *2 for unicode versions */
+-#define MAX_PASSWORD_SIZE 16
++#define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */
+
+ #define CIFS_MIN_RCV_POOL 4
+
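Review bot: the new comment on `#define MAX_PASSWORD_SIZE 512` justifies the value by a Windows limit of "256 wide chars", while the commit message says the bump is to match what the userspace mount helper allows; a 256-character password in the mount option's charset is not necessarily 512 bytes, so the two rationales do not line up. Because this constant is the bound for the `strncmp` in `cifs_find_smb_ses` (two passwords identical in their first 512 bytes compare equal), the comment should state which limit the value actually follows so the bound is not "corrected" later against the wrong reference.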
+diff -urpN linux-source-2.6.32.orig/fs/cifs/connect.c linux-source-2.6.32/fs/cifs/connect.c
+--- linux-source-2.6.32.orig/fs/cifs/connect.c 2011-05-03 09:29:09.000000000 -0600
++++ linux-source-2.6.32/fs/cifs/connect.c 2011-05-17 00:57:32.409046666 -0600
+@@ -1587,17 +1587,27 @@ out_err:
+ }
+
+ static struct cifsSesInfo *
+-cifs_find_smb_ses(struct TCP_Server_Info *server, char *username)
++cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
+ {
+- struct list_head *tmp;
+ struct cifsSesInfo *ses;
+
+ write_lock(&cifs_tcp_ses_lock);
+- list_for_each(tmp, &server->smb_ses_list) {
+- ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list);
+- if (strncmp(ses->userName, username, MAX_USERNAME_SIZE))
+- continue;
+-
++ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
++ switch (server->secType) {
++ case Kerberos:
++ if (vol->linux_uid != ses->linux_uid)
++ continue;
++ break;
++ default:
++ /* anything else takes username/password */
++ if (strncmp(ses->userName, vol->username,
++ MAX_USERNAME_SIZE))
++ continue;
++ if (strlen(vol->username) != 0 &&
++ strncmp(ses->password, vol->password,
++ MAX_PASSWORD_SIZE))
++ continue;
++ }
+ ++ses->ses_count;
+ write_unlock(&cifs_tcp_ses_lock);
+ return ses;
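Review bot: the new comparison `strncmp(ses->password, vol->password, MAX_PASSWORD_SIZE)` dereferences both pointers with no NULL check, and nothing in this hunk guarantees either string is present; the two follow-up patches in this same revision exist precisely because `vol->password` and `ses->password` can each be NULL. For the backport it would be safer to fold the NULL handling into this patch (or the three patches into one) so the intermediate tree is not crashable by a mount that passes no password. Separately, `strlen(vol->username) != 0` deliberately skips the password check for an empty username, which is the anonymous-session handling the commit message refers to, but a one-line comment at that `if` would make the intent visible to the next reader.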
+@@ -2356,7 +2366,7 @@ try_mount_again:
+ goto out;
+ }
+
+- pSesInfo = cifs_find_smb_ses(srvTcp, volume_info->username);
++ pSesInfo = cifs_find_smb_ses(srvTcp, volume_info);
+ if (pSesInfo) {
+ cFYI(1, ("Existing smb sess found (status=%d)",
+ pSesInfo->status));
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch Tue May 17 07:22:37 2011 (r17435)
@@ -0,0 +1,29 @@
+commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Wed Aug 18 13:13:39 2010 -0400
+
+ cifs: fix NULL pointer dereference in cifs_find_smb_ses
+
+ cifs_find_smb_ses assumes that the vol->password field is a valid
+ pointer, but that's only the case if a password was passed in via
+ the options string. It's possible that one won't be if there is
+ no mount helper on the box.
+
+ Reported-by: diabel <gacek-2004 at wp.pl>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 95c2ea6..446e248 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1673,7 +1673,8 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
+ MAX_USERNAME_SIZE))
+ continue;
+ if (strlen(vol->username) != 0 &&
+- strncmp(ses->password, vol->password,
++ strncmp(ses->password,
++ vol->password ? vol->password : "",
+ MAX_PASSWORD_SIZE))
+ continue;
+ }
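Review bot: `vol->password ? vol->password : ""` closes the caller-side NULL, but the other operand of the same `strncmp`, `ses->password`, is still dereferenced unchecked, so a stored session whose password field is NULL still faults on this line; the third patch in this revision adds that check, which argues for applying the two together rather than as separate steps. The behavioural effect is also worth recording in the changelog: a mount without a password now compares `""` against `ses->password` and therefore correctly fails to match an existing session that has a non-empty password instead of silently reusing it.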
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1 Tue May 17 07:10:34 2011 (r17434)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1 Tue May 17 07:22:37 2011 (r17435)
@@ -1 +1,4 @@
+ bugfix/all/validate-size-of-efi-guid-partition-entries.patch
++ bugfix/all/cifs-clean-up-cifs_find_smb_ses.patch
++ bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
++ bugfix/all/cifs-check-for-NULL-session-password.patch
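Review bot: the three cifs patches are listed in upstream chronological order (clean-up first, then the two NULL-pointer fixes), and that order matters here because the clean-up introduces the unchecked `strncmp` that the other two repair; keep them adjacent and in this sequence if the series is ever reshuffled, or collapse them into a single backport patch so no intermediate state carries the crash.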