| Summary: | Kernel <2.6.29.4 [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount (CVE-2009-1439) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Torsten Kaiser <Storklerk> |
| Component: | Kernel | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hardened-kernel+disabled, kernel |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b363b3304bcf68c4541683b2eff70b29f0446a5b | | |
| Whiteboard: | [linux <2.6.29.4] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 271774 | | |
| Bug Blocks: | | | |
Description
Torsten Kaiser
2009-04-18 10:44:43 UTC
An even bigger increase of this buffer landed in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e contains:

```diff
- kzalloc(2*(length + 1), GFP_KERNEL);
+ kzalloc((4 * length) + 2, GFP_KERNEL);
```

Current status: http://marc.info/?l=linux-cifs-client&m=124160962414513&w=2 These 5 patches were acked and should probably hit the stable queue soon.

CVE-2009-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1439): Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

The fix to 4*length from comment #1 and several other cifs fixes have been released as 2.6.29.4. Stabling for vanilla-sources-2.6.29.4 and the corresponding gentoo-sources has been requested in Bug 271774.

http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=5a12457e62aab1e19aa1b1d9bdbe53f26e9ed689
http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7
http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=9381701c0f0722ffc1dab1c55ecd48f6d0b5be6f
http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=e9012cf5e92b7812f5fc88fdd1ddaecc34a5b904
http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=5b0ecf297e133be1e4767b1e446a6d7902274c13

If anyone is interested in seeing a full overview of the patch series that was applied by 2.6.29 through 2.6.29.6 to clean up the CIFS filesystem code, resolving this bug and bug 271802 (CVE-2009-1633), please refer to my comment on the latter: http://bugs.gentoo.org/show_bug.cgi?id=271802#c1

The interesting thing is that the current state of the codebase invalidates the requirement to apply these two patches (if backporting): 5b0ecf297e133be1e4767b1e446a6d7902274c13 a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7
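To make the sizing problem behind CVE-2009-1439 concrete, the following C program (added here; not code from the bug, the kernel or the linked commits) computes how many bytes the UTF-8 form of a UCS-2 little-endian nativeFileSystem field needs and checks it against the two allocation formulas quoted above, 2*(length + 1) and (4 * length) + 2. It assumes UTF-8 as the local charset and charges a lone surrogate the 3 bytes of the replacement character; the sample field is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample nativeFileSystem value: ten copies of U+20AC in
 * UCS-2 little-endian. Each one needs 3 bytes in UTF-8. */
const uint8_t SAMPLE_NAME[20] = {
    0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20,
    0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20 };
const size_t SAMPLE_UNITS = 10;

/* Bytes a UTF-8 encoder emits for one code point. */
static size_t utf8_bytes_for(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Bytes needed, NUL included, for the UTF-8 form of `units` 16-bit LE units
 * in `buf`. Surrogate pairs are decoded; a lone surrogate counts as 3 bytes. */
size_t utf8_size_of_ucs2le(const uint8_t *buf, size_t units)
{
    size_t total = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t u = buf[2 * i] | ((uint32_t)buf[2 * i + 1] << 8);
        if (u >= 0xD800 && u <= 0xDBFF && i + 1 < units) {
            uint32_t lo = buf[2 * i + 2] | ((uint32_t)buf[2 * i + 3] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                u = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
                i++;   /* the low half was consumed as well */
            }
        }
        total += utf8_bytes_for(u);
    }
    return total + 1;
}

/* The two allocation sizes quoted in the bug, `length` being the number of
 * 16-bit units in the field: the earlier formula and the later one. */
size_t alloc_old(size_t length) { return 2 * (length + 1); }
size_t alloc_new(size_t length) { return 4 * length + 2; }

/* 1 if the converted string fits in `alloc` bytes, otherwise 0. */
int fits(const uint8_t *buf, size_t units, size_t alloc)
{
    return utf8_size_of_ucs2le(buf, units) <= alloc ? 1 : 0;
}

int main(void)
{
    printf("need %zu bytes, old alloc %zu, new alloc %zu\n",
           utf8_size_of_ucs2le(SAMPLE_NAME, SAMPLE_UNITS),
           alloc_old(SAMPLE_UNITS), alloc_new(SAMPLE_UNITS));
    return 0;
}
```

For the sample field the converted string needs 31 bytes, which the older 22-byte allocation cannot hold while the later 42-byte one can.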