[kernel] r18058 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Sep 7 04:57:28 UTC 2011


Author: dannf
Date: Wed Sep  7 04:57:26 2011
New Revision: 18058

Log:
cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny4

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Sep  7 03:06:48 2011	(r18057)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Sep  7 04:57:26 2011	(r18058)
@@ -11,6 +11,7 @@
   * Fix overflow in auerswald driver (CVE-2009-4067)
   * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
   * befs: Validate length of long symbolic links (CVE-2011-2928)
+  * cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)
 
   [ Moritz Muehlenhoff ]
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch	Wed Sep  7 04:57:26 2011	(r18058)
@@ -0,0 +1,41 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Tue, 23 Aug 2011 11:21:28 +0000 (-0400)
+Subject: cifs: fix possible memory corruption in CIFSFindNext
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fsfrench%2Fcifs-2.6.git;a=commitdiff_plain;h=c32dfffaf59f73bbcf4472141b851a4dc5db2bf0
+
+cifs: fix possible memory corruption in CIFSFindNext
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable at kernel.org>
+Reported-by: Darren Lavender <dcl at hppine99.gbr.hp.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+[dannf: backported to Debian's 2.6.32]
+---
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 04b755a..665b128 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -3596,7 +3596,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
+ 	T2_FNEXT_RSP_PARMS *parms;
+ 	char *response_data;
+ 	int rc = 0;
+-	int bytes_returned, name_len;
++	int bytes_returned;
++	unsigned int name_len;
+ 	__u16 params, byte_count;
+ 
+ 	cFYI(1, ("In FindNext"));
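Review bot: the attribution line `+[dannf: backported to Debian's 2.6.32]` does not match where this commit lands: the patch is added under dists/lenny-security and enabled in patches/series/26lenny4, i.e. the lenny 2.6.26 kernel, so the bracketed note should read 2.6.26 (or be dropped) to avoid misleading anyone tracing the fix across the squeeze 2.6.32 and lenny trees. On the change itself, switching `name_len` to `unsigned int` is the whole fix: a server-supplied 32-bit length can no longer wrap negative and slip past the PATH_MAX check before being fed to memcpy, as the description explains. Since only the declaration is touched, please confirm that the PATH_MAX comparison and the memcpy later in this tree's CIFSFindNext still use `name_len` directly (not a separate signed copy), so the bound is actually enforced in the 2.6.26 code path.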

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Wed Sep  7 03:06:48 2011	(r18057)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Wed Sep  7 04:57:26 2011	(r18058)
@@ -19,3 +19,4 @@
 + bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
 + bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
 + bugfix/all/befs-validate-length-of-long-symbolic-links.patch
++ bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch



More information about the Kernel-svn-changes mailing list