diff --git a/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch b/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch new file mode 100644 index 000000000..06fc5c74a --- /dev/null +++ b/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch @@ -0,0 +1,82 @@ +Path: news.gmane.org!not-for-mail +From: Jeff Layton +Newsgroups: gmane.linux.kernel.cifs +Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext +Date: Tue, 23 Aug 2011 07:21:28 -0400 +Lines: 37 +Approved: news@gmane.org +Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com> +NNTP-Posting-Host: lo.gmane.org +X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT) +X-Complaints-To: usenet@dough.gmane.org +NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC) +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org +To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org +Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011 +Return-path: +Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by lo.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1Qvp33-0003JC-05 + for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200 +Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand + id S1752435Ab1HWLVg (ORCPT ); + Tue, 23 Aug 2011 07:21:36 -0400 +Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO + mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751065Ab1HWLVf (ORCPT + ); Tue, 23 Aug 2011 07:21:35 -0400 +Original-Received: by gya6 with SMTP id 6so4228912gya.19 + for ; Tue, 23 Aug 2011 04:21:35 -0700 (PDT) +Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691; + Tue, 23 Aug 2011 04:21:34 -0700 (PDT) +Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191]) + by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32 + (version=SSLv3 cipher=OTHER); + Tue, 23 Aug 2011 04:21:33 -0700 (PDT) +X-Mailer: git-send-email 1.7.6 +Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Xref: news.gmane.org gmane.linux.kernel.cifs:4006 +Archived-At: + +The name_len variable in CIFSFindNext is a signed int that gets set to +the resume_name_len in the cifs_search_info. The resume_name_len however +is unsigned and for some infolevels is populated directly from a 32 bit +value sent by the server. + +If the server sends a very large value for this, then that value could +look negative when converted to a signed int. That would make that +value pass the PATH_MAX check later in CIFSFindNext. The name_len would +then be used as a length value for a memcpy. It would then be treated +as unsigned again, and the memcpy scribbles over a ton of memory. + +Fix this by making the name_len an unsigned value in CIFSFindNext. + +Cc: +Reported-by: Darren Lavender +Signed-off-by: Jeff Layton +--- + fs/cifs/cifssmb.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index f4d0988..950464d 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon, + T2_FNEXT_RSP_PARMS *parms; + char *response_data; + int rc = 0; +- int bytes_returned, name_len; ++ int bytes_returned; ++ unsigned int name_len; + __u16 params, byte_count; + + cFYI(1, "In FindNext"); +-- +1.7.6 + diff --git a/kernel.spec b/kernel.spec index 526c56205..49fb20d1d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -737,6 +737,9 @@ Patch13012: ibmveth-Checksum-offload-is-always-disabled.patch Patch13013: powerpc-Fix-deadlock-in-icswx-code.patch +# CVE-2011-3191 +Patch13014: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch + Patch20000: utrace.patch # Flattened devicetree support @@ -1363,6 +1366,9 @@ ApplyPatch ibmveth-Checksum-offload-is-always-disabled.patch ApplyPatch powerpc-Fix-deadlock-in-icswx-code.patch +# CVE-2011-3191 +ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch + # utrace. ApplyPatch utrace.patch @@ -2065,6 +2071,9 @@ fi # and build. %changelog +* Thu Sep 15 2011 Josh Boyer +- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext + * Wed Sep 14 2011 Josh Boyer - Add patch to fix deadlock in ppc64 icswx (rhbz 737984)