Fix CVE-2011-3191

This commit is contained in:
Josh Boyer 2011-09-15 10:16:34 -04:00
parent 9d940d046e
commit 34c20229d7
2 changed files with 91 additions and 0 deletions

View File

@ -0,0 +1,82 @@
Path: news.gmane.org!not-for-mail
From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Newsgroups: gmane.linux.kernel.cifs
Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
Date: Tue, 23 Aug 2011 07:21:28 -0400
Lines: 37
Approved: news@gmane.org
Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
NNTP-Posting-Host: lo.gmane.org
X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
Original-Received: from vger.kernel.org ([209.132.180.67])
by lo.gmane.org with esmtp (Exim 4.69)
(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
id 1Qvp33-0003JC-05
for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
Tue, 23 Aug 2011 07:21:36 -0400
Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751065Ab1HWLVf (ORCPT
<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
Original-Received: by gya6 with SMTP id 6so4228912gya.19
for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
(version=SSLv3 cipher=OTHER);
Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
X-Mailer: git-send-email 1.7.6
Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Xref: news.gmane.org gmane.linux.kernel.cifs:4006
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.
If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.
Fix this by making the name_len an unsigned value in CIFSFindNext.
Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
fs/cifs/cifssmb.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index f4d0988..950464d 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
T2_FNEXT_RSP_PARMS *parms;
char *response_data;
int rc = 0;
- int bytes_returned, name_len;
+ int bytes_returned;
+ unsigned int name_len;
__u16 params, byte_count;
cFYI(1, "In FindNext");
--
1.7.6

View File

@ -737,6 +737,9 @@ Patch13012: ibmveth-Checksum-offload-is-always-disabled.patch
Patch13013: powerpc-Fix-deadlock-in-icswx-code.patch
# CVE-2011-3191
Patch13014: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
Patch20000: utrace.patch
# Flattened devicetree support
@ -1363,6 +1366,9 @@ ApplyPatch ibmveth-Checksum-offload-is-always-disabled.patch
ApplyPatch powerpc-Fix-deadlock-in-icswx-code.patch
# CVE-2011-3191
ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
# utrace.
ApplyPatch utrace.patch
@ -2065,6 +2071,9 @@ fi
# and build.
%changelog
* Thu Sep 15 2011 Josh Boyer <jwboyer@redhat.com>
- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext
* Wed Sep 14 2011 Josh Boyer <jwboyer@redhat.com>
- Add patch to fix deadlock in ppc64 icswx (rhbz 737984)