Fix CVE-2011-3191
This commit is contained in:
parent
9d940d046e
commit
34c20229d7
82
cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
Normal file
82
cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
Normal file
@ -0,0 +1,82 @@
|
||||
Path: news.gmane.org!not-for-mail
|
||||
From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
|
||||
Newsgroups: gmane.linux.kernel.cifs
|
||||
Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
|
||||
Date: Tue, 23 Aug 2011 07:21:28 -0400
|
||||
Lines: 37
|
||||
Approved: news@gmane.org
|
||||
Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
|
||||
NNTP-Posting-Host: lo.gmane.org
|
||||
X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
|
||||
X-Complaints-To: usenet@dough.gmane.org
|
||||
NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
|
||||
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
|
||||
To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
|
||||
Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
|
||||
Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
|
||||
Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
|
||||
Original-Received: from vger.kernel.org ([209.132.180.67])
|
||||
by lo.gmane.org with esmtp (Exim 4.69)
|
||||
(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
|
||||
id 1Qvp33-0003JC-05
|
||||
for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
|
||||
Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
|
||||
id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
|
||||
Tue, 23 Aug 2011 07:21:36 -0400
|
||||
Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
|
||||
mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751065Ab1HWLVf (ORCPT
|
||||
<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
|
||||
Original-Received: by gya6 with SMTP id 6so4228912gya.19
|
||||
for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
|
||||
Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
|
||||
Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
|
||||
Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
|
||||
by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
|
||||
(version=SSLv3 cipher=OTHER);
|
||||
Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
|
||||
X-Mailer: git-send-email 1.7.6
|
||||
Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-cifs.vger.kernel.org>
|
||||
X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
|
||||
Xref: news.gmane.org gmane.linux.kernel.cifs:4006
|
||||
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
|
||||
|
||||
The name_len variable in CIFSFindNext is a signed int that gets set to
|
||||
the resume_name_len in the cifs_search_info. The resume_name_len however
|
||||
is unsigned and for some infolevels is populated directly from a 32 bit
|
||||
value sent by the server.
|
||||
|
||||
If the server sends a very large value for this, then that value could
|
||||
look negative when converted to a signed int. That would make that
|
||||
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
|
||||
then be used as a length value for a memcpy. It would then be treated
|
||||
as unsigned again, and the memcpy scribbles over a ton of memory.
|
||||
|
||||
Fix this by making the name_len an unsigned value in CIFSFindNext.
|
||||
|
||||
Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
|
||||
Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
|
||||
Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
|
||||
---
|
||||
fs/cifs/cifssmb.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
|
||||
index f4d0988..950464d 100644
|
||||
--- a/fs/cifs/cifssmb.c
|
||||
+++ b/fs/cifs/cifssmb.c
|
||||
@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
|
||||
T2_FNEXT_RSP_PARMS *parms;
|
||||
char *response_data;
|
||||
int rc = 0;
|
||||
- int bytes_returned, name_len;
|
||||
+ int bytes_returned;
|
||||
+ unsigned int name_len;
|
||||
__u16 params, byte_count;
|
||||
|
||||
cFYI(1, "In FindNext");
|
||||
--
|
||||
1.7.6
|
||||
|
@ -737,6 +737,9 @@ Patch13012: ibmveth-Checksum-offload-is-always-disabled.patch
|
||||
|
||||
Patch13013: powerpc-Fix-deadlock-in-icswx-code.patch
|
||||
|
||||
# CVE-2011-3191
|
||||
Patch13014: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
|
||||
|
||||
Patch20000: utrace.patch
|
||||
|
||||
# Flattened devicetree support
|
||||
@ -1363,6 +1366,9 @@ ApplyPatch ibmveth-Checksum-offload-is-always-disabled.patch
|
||||
|
||||
ApplyPatch powerpc-Fix-deadlock-in-icswx-code.patch
|
||||
|
||||
# CVE-2011-3191
|
||||
ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
|
||||
|
||||
# utrace.
|
||||
ApplyPatch utrace.patch
|
||||
|
||||
@ -2065,6 +2071,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Sep 15 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext
|
||||
|
||||
* Wed Sep 14 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- Add patch to fix deadlock in ppc64 icswx (rhbz 737984)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user