Bug 266638 (CVE-2009-1439) - Kernel <2.6.29.4 [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount (CVE-2009-1439)
Status: RESOLVED FIXED
Alias: CVE-2009-1439
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux <2.6.29.4]
Keywords:
Depends on: 271774
Blocks:
Reported: 2009-04-18 10:44 UTC by Torsten Kaiser
Modified: 2013-09-15 19:56 UTC

See Also:
Package list:
Runtime testing required: ---


Description Torsten Kaiser 2009-04-18 10:44:43 UTC
From http://blog.fefe.de/?ts=b72905a8:
-                                   kzalloc(length + 2, GFP_KERNEL);
+                                   kzalloc(2*(length + 1), GFP_KERNEL);
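Review bot: the new bound 2*(length + 1) is a bare multiplier; nothing in the hunk shows how many output bytes the string conversion can produce per input unit, so a reader cannot verify that the buffer is now sufficient, and the surrounding discussion says as much. Suggest a comment stating the worst-case output bytes per input unit and what the +1 covers, or better, sizing the allocation from the actual converted length instead of a fixed factor.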

In 2.6.29.1 the buffer size was increased to prevent the overflow, but the jury is still out whether that was enough:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html

see also:
http://www.securityfocus.com/bid/34453/info
http://www.vupen.com/english/advisories/2009/0974

These seem to be the current patches:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004421.html

I'm not sure if the fix in 2.6.29.1 is enough, or if this rework is needed to really fix this CIFS problem.
Comment 1 Torsten Kaiser 2009-04-19 16:46:45 UTC
An even bigger increase of this buffer landed in Linus' tree:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
contains:
-                                   kzalloc(2*(length + 1), GFP_KERNEL);
+                                   kzalloc((4 * length) + 2, GFP_KERNEL);
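Review bot: (4 * length) + 2 is the third constant chosen for this allocation, and the factor 4 reads as a magic number; a comment explaining why 4 is the worst case for the conversion, and that the +2 is the terminator, would keep the next backporter from second-guessing it. A named constant, or a helper that computes the required length from the input, would be more robust than a multiplier.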
Comment 2 Torsten Kaiser 2009-05-06 19:06:59 UTC
Current status:
http://marc.info/?l=linux-cifs-client&m=124160962414513&w=2

These 5 patches were acked and should probably hit the stable queue soon.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:55:25 UTC
CVE-2009-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1439):
  Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
  2.6.29 and earlier allows remote attackers to cause a denial of
  service (crash) via a long nativeFileSystem field in a Tree Connect
  response to an SMB mount request.

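As an added illustration, not part of the bug comments or of the kernel patches: the sizing arithmetic behind the three kzalloc() variants quoted above. It assumes, as the Unicode path of the kernel code does, that `length` counts 16-bit UCS-2 code units of the nativeFileSystem field from the server's Tree Connect response, and that the mount's iocharset is UTF-8, where one unit can expand to three bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit code units before the NUL; the "length" the quoted kzalloc() calls use (assumption). */
static size_t ucs2_units(const uint8_t *le, size_t max_units)
{
    size_t n = 0;
    while (n < max_units && (le[2 * n] | le[2 * n + 1]) != 0) n++;
    return n;
}

/* Bytes the UTF-8 form of a UTF-16LE string needs, NUL excluded. */
static size_t utf8_bytes_for_utf16le(const uint8_t *le, size_t units)
{
    size_t bytes = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t cp = le[2 * i] | (le[2 * i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units) {            /* high surrogate */
            uint32_t lo = le[2 * i + 2] | (le[2 * i + 3] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) { bytes += 4; i++; continue; } /* pair -> 4 bytes */
        }
        bytes += cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;   /* any other unit -> up to 3 bytes */
    }
    return bytes;
}

/* The three allocation sizes quoted on this page, oldest first. */
static size_t alloc_2_6_29(size_t length)   { return length + 2; }
static size_t alloc_2_6_29_1(size_t length) { return 2 * (length + 1); }
static size_t alloc_2_6_29_4(size_t length) { return 4 * length + 2; }

/* Constructed samples, not real server data: "NTFS" in UCS-2, and eight
 * CJK units (U+4E00..U+4E07) that each become 3 bytes in UTF-8. */
static const uint8_t SAMPLE_ASCII[] = { 'N', 0, 'T', 0, 'F', 0, 'S', 0, 0, 0 };
static const uint8_t SAMPLE_CJK[] = { 0x00, 0x4E, 0x01, 0x4E, 0x02, 0x4E, 0x03, 0x4E,
                                      0x04, 0x4E, 0x05, 0x4E, 0x06, 0x4E, 0x07, 0x4E, 0, 0 };

int main(void)
{
    const uint8_t *s[] = { SAMPLE_ASCII, SAMPLE_CJK };
    size_t maxu[] = { sizeof SAMPLE_ASCII / 2, sizeof SAMPLE_CJK / 2 };
    for (int k = 0; k < 2; k++) {
        size_t len = ucs2_units(s[k], maxu[k]), need = utf8_bytes_for_utf16le(s[k], len) + 1;
        printf("units=%zu need=%zu  len+2=%zu  2*(len+1)=%zu  4*len+2=%zu\n", len, need,
               alloc_2_6_29(len), alloc_2_6_29_1(len), alloc_2_6_29_4(len));
    }
    return 0;
}
```

For the CJK sample the string needs 25 bytes including the NUL, which neither the original 10 nor the 2.6.29.1 bound of 18 provides, while the 2.6.29.4 bound of 34 does.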
Comment 4 Torsten Kaiser 2009-05-20 17:35:58 UTC
The fix to 4*length from comment #1 and several other CIFS fixes have been released as 2.6.29.4.
Comment 5 Torsten Kaiser 2009-05-29 16:24:12 UTC
Stabling for vanilla-sources-2.6.29.4 and the corresponding gentoo-sources has been requested in Bug 271774.
Comment 7 kfm 2009-07-24 20:17:06 UTC
If anyone is interested in seeing a full overview of the patch series that was applied by 2.6.29 through 2.6.29.6 to clean up the CIFS filesystem code, resolving this bug and bug 271802 (CVE-2009-1633), please refer to my comment on the latter:

http://bugs.gentoo.org/show_bug.cgi?id=271802#c1

The interesting thing is that the current state of the codebase invalidates the requirement to apply these two patches (if backporting):

5b0ecf297e133be1e4767b1e446a6d7902274c13
a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7