Fix CVE-2011-3191

cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch

@@ -0,0 +1,82 @@
+Path: news.gmane.org!not-for-mail
+From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
+Newsgroups: gmane.linux.kernel.cifs
+Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
+Date: Tue, 23 Aug 2011 07:21:28 -0400
+Lines: 37
+Approved: news@gmane.org
+Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
+NNTP-Posting-Host: lo.gmane.org
+X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
+X-Complaints-To: usenet@dough.gmane.org
+NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
+Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
+To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
+Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
+Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
+Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by lo.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
+	id 1Qvp33-0003JC-05
+	for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
+Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
+	id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
+	Tue, 23 Aug 2011 07:21:36 -0400
+Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
+	mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1751065Ab1HWLVf (ORCPT
+	<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
+Original-Received: by gya6 with SMTP id 6so4228912gya.19
+        for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
+Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
+        Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
+Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
+        by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
+        (version=SSLv3 cipher=OTHER);
+        Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
+X-Mailer: git-send-email 1.7.6
+Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Precedence: bulk
+List-ID: <linux-cifs.vger.kernel.org>
+X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Xref: news.gmane.org gmane.linux.kernel.cifs:4006
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
+Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
+Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
+---
+ fs/cifs/cifssmb.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index f4d0988..950464d 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
+ 	T2_FNEXT_RSP_PARMS *parms;
+ 	char *response_data;
+ 	int rc = 0;
+-	int bytes_returned, name_len;
++	int bytes_returned;
++	unsigned int name_len;
+ 	__u16 params, byte_count;
+ 
+ 	cFYI(1, "In FindNext");
+-- 
+1.7.6
+

kernel.spec

@@ -687,6 +687,9 @@ Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
 # rhbz #735437
 Patch21007: ucvideo-fix-crash-when-linking-entities.patch
 
+# CVE-2011-3192
+Patch21008: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1243,6 +1246,9 @@ ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
 #rhbz 735437
 ApplyPatch ucvideo-fix-crash-when-linking-entities.patch
 
+# CVE-2011-3191
+ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1863,6 +1869,9 @@ fi
 # and build.
 
 %changelog
+* Thu Sep 15 2011 Josh Boyer <jwboyer@redhat.com>
+- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext
+
 * Wed Sep 07 2011 Josh Boyer <jwboyer@redhat.com>
 - Add patch to fix oops when linking entities in ucvideo (rhbz 735437)