
Bug 266638 (CVE-2009-1439)

Summary: Kernel <2.6.29.4 [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount (CVE-2009-1439)
Product: Gentoo Security
Reporter: Torsten Kaiser <Storklerk>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hardened-kernel+disabled, kernel
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b363b3304bcf68c4541683b2eff70b29f0446a5b
Whiteboard: [linux <2.6.29.4]
Package list:
Runtime testing required: ---
Bug Depends on: 271774
Bug Blocks:

Description Torsten Kaiser 2009-04-18 10:44:43 UTC
From http://blog.fefe.de/?ts=b72905a8:
-                                   kzalloc(length + 2, GFP_KERNEL);
+                                   kzalloc(2*(length + 1), GFP_KERNEL);
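Review bot: `2*(length + 1)` fixes the expansion at two bytes per unit of `length`, but nothing in the hunk shows how `length` is counted or what the copy that fills the buffer writes, so the allocation alone does not establish that bound. Passing the allocated size into that copy, or sizing the buffer from the conversion's worst-case expansion, would make the fix verifiable from the patch itself.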

In 2.6.29.1 the buffer size was increased to prevent the overflow, but the jury is still out on whether that was enough:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html

see also:
http://www.securityfocus.com/bid/34453/info
http://www.vupen.com/english/advisories/2009/0974

These seem to be the current patches:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004421.html

I'm not sure if the fix in 2.6.29.1 is enough, or if this rework is needed to really fix this cifs problem.
Comment 1 Torsten Kaiser 2009-04-19 16:46:45 UTC
An even bigger increase of this buffer landed in Linus tree:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
contains:
-                                   kzalloc(2*(length + 1), GFP_KERNEL);
+                                   kzalloc((4 * length) + 2, GFP_KERNEL);
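Review bot: `(4 * length) + 2` again only enlarges the allocation; the size is still derived from `length` with no visible change to the copy that fills it, so the review should confirm that the conversion is bounded by the allocated size rather than by the multiplier happening to be large enough. If `length` is not capped elsewhere, `4 * length` also deserves an overflow check on 32-bit size arithmetic.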
Comment 2 Torsten Kaiser 2009-05-06 19:06:59 UTC
Current status:
http://marc.info/?l=linux-cifs-client&m=124160962414513&w=2

These 5 patches were acked and should probably hit the stable queue soon.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:55:25 UTC
CVE-2009-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1439):
  Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
  2.6.29 and earlier allows remote attackers to cause a denial of
  service (crash) via a long nativeFileSystem field in a Tree Connect
  response to an SMB mount request.

Comment 4 Torsten Kaiser 2009-05-20 17:35:58 UTC
The fix to 4*length from comment #1 and several other cifs fixes have been released as 2.6.29.4.
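As an added example (not code from the kernel, from the linked commits, or from anyone on this bug), the following C program makes the buffer-sizing question in the description and comments 1 and 4 concrete. It assumes, as in the kernel's CIFS unicode path, that `length` counts 16-bit UTF-16LE units of the server-supplied nativeFileSystem field and that the field is then converted to a multibyte host charset (UTF-8 here); those assumptions are the example's own, not statements this bug page makes. The conversion routine, the three allocation helpers and the constructed euro-sign input are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*alloc_fn)(size_t);

/* The three allocation sizes quoted on this bug, in bytes, for a field of
 * `length` units (assumed here to be 16-bit UTF-16LE units). */
size_t alloc_original(size_t length) { return length + 2; }        /* before 2.6.29.1 */
size_t alloc_2_6_29_1(size_t length) { return 2 * (length + 1); }  /* 2.6.29.1 */
size_t alloc_2_6_29_4(size_t length) { return (4 * length) + 2; }  /* 2.6.29.4 */

/* Worst-case bytes a UTF-8 conversion of `length` UTF-16 units can need,
 * including the NUL: a BMP code point is 1 unit -> up to 3 bytes and a
 * surrogate pair is 2 units -> 4 bytes, so 3 bytes per unit is the bound. */
size_t utf8_worst_case(size_t length) { return 3 * length + 1; }

/* Bounded UTF-16LE -> UTF-8 conversion (hypothetical, not the kernel's).
 * Never writes past dst_size and always NUL-terminates; returns the byte
 * count the complete conversion needs (excluding NUL) so the caller can
 * detect truncation. Lone surrogates are emitted as 3-byte sequences. */
size_t utf16le_to_utf8(const uint8_t *src, size_t units, char *dst, size_t dst_size)
{
    size_t needed = 0, written = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t cp = (uint32_t)src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units) {
            uint32_t lo = (uint32_t)src[2 * i + 2] | ((uint32_t)src[2 * i + 3] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {          /* surrogate pair */
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i++;
            }
        }
        unsigned char tmp[4];
        size_t n;
        if (cp < 0x80) {
            tmp[0] = (unsigned char)cp; n = 1;
        } else if (cp < 0x800) {
            tmp[0] = (unsigned char)(0xC0 | (cp >> 6));
            tmp[1] = (unsigned char)(0x80 | (cp & 0x3F)); n = 2;
        } else if (cp < 0x10000) {
            tmp[0] = (unsigned char)(0xE0 | (cp >> 12));
            tmp[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            tmp[2] = (unsigned char)(0x80 | (cp & 0x3F)); n = 3;
        } else {
            tmp[0] = (unsigned char)(0xF0 | (cp >> 18));
            tmp[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            tmp[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            tmp[3] = (unsigned char)(0x80 | (cp & 0x3F)); n = 4;
        }
        needed += n;
        if (dst_size > 0 && written + n < dst_size) {   /* keep room for the NUL */
            memcpy(dst + written, tmp, n);
            written += n;
        }
    }
    if (dst_size > 0)
        dst[written] = '\0';
    return needed;
}

/* Constructed field: `units` copies of U+20AC (EURO SIGN, 3 bytes in UTF-8)
 * in UTF-16LE. This is made up for the example, not a captured response. */
static void fill_euro_utf16le(uint8_t *buf, size_t units)
{
    for (size_t i = 0; i < units; i++) { buf[2 * i] = 0xAC; buf[2 * i + 1] = 0x20; }
}

/* How many bytes an unbounded copy of the converted field would write past
 * an allocation of alloc(units) bytes; a value <= 0 means it fits. */
long overrun_bytes(size_t units, alloc_fn alloc)
{
    uint8_t src[2 * 64];
    char dst[3 * 64 + 1];                 /* utf8_worst_case(64) */
    if (units > 64) units = 64;
    fill_euro_utf16le(src, units);
    size_t needed = utf16le_to_utf8(src, units, dst, sizeof dst) + 1;  /* + NUL */
    return (long)needed - (long)alloc(units);
}

/* Sanity check: a plain ASCII name such as "NTFS" round-trips unchanged. */
int ascii_roundtrip_ok(void)
{
    const uint8_t ntfs[] = { 'N', 0, 'T', 0, 'F', 0, 'S', 0 };
    char out[16];
    size_t needed = utf16le_to_utf8(ntfs, 4, out, sizeof out);
    return needed == 4 && strcmp(out, "NTFS") == 0;
}

int main(void)
{
    alloc_fn formulas[] = { alloc_original, alloc_2_6_29_1, alloc_2_6_29_4 };
    const char *names[] = { "length + 2", "2*(length + 1)", "(4 * length) + 2" };
    for (size_t k = 0; k < 3; k++)
        printf("%-18s units=16 -> overrun %ld bytes\n", names[k],
               overrun_bytes(16, formulas[k]));
    return 0;
}
```

With 16 euro-sign units the converted field needs 49 bytes, so both `length + 2` (18 bytes) and `2*(length + 1)` (34 bytes) are short, which is what the "jury is still out" remark in the description comes down to, while `(4 * length) + 2` (66 bytes) covers it. The defensive shape is the bounded converter itself: once the copy knows the destination size and reports what it needed, the allocation formula no longer has to be exactly right for memory safety.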
Comment 5 Torsten Kaiser 2009-05-29 16:24:12 UTC
Stabling for vanilla-sources-2.6.29.4 and the corresponding gentoo-sources has been requested in Bug 271774.
Comment 7 kfm 2009-07-24 20:17:06 UTC
If anyone is interested in seeing a full overview of the patch series that was applied by 2.6.29 through 2.6.29.6 to clean up the CIFS filesystem code, resolving this bug and bug 271802 (CVE-2009-1633), please refer to my comment on the latter:

http://bugs.gentoo.org/show_bug.cgi?id=271802#c1

The interesting thing is that the current state of the codebase invalidates the requirement to apply these two patches (if backporting):

5b0ecf297e133be1e4767b1e446a6d7902274c13
a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7