Bug 266638 (CVE-2009-1439) - Kernel < [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount (CVE-2009-1439)
Alias: CVE-2009-1439
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: [linux <]
Depends on: 271774
Reported: 2009-04-18 10:44 UTC by Torsten Kaiser
Modified: 2013-09-15 19:56 UTC (History)



Description Torsten Kaiser 2009-04-18 10:44:43 UTC
-                                   kzalloc(length + 2, GFP_KERNEL);
+                                   kzalloc(2*(length + 1), GFP_KERNEL);
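Review bot: the new size 2*(length + 1) still bakes a fixed expansion factor into the allocation instead of deriving it from how long the converted string actually is, so the overrun is only moved, not closed; the later change in this same bug raising it again to (4 * length) + 2 shows the factor 2 was not a safe upper bound. Suggest sizing the buffer from the conversion itself (or from the maximum bytes per character of the target codepage) and bounding the copy against that size, rather than picking a constant multiple of length.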

In the buffer size was increased to prevent the overflow, but the jury is still out on whether that was enough:

see also:

These seem to be the current patches:

I'm not sure if the fix in is enough, or if this rework is needed to really fix this cifs problem.
Comment 1 Torsten Kaiser 2009-04-19 16:46:45 UTC
An even bigger increase of this buffer landed in Linus' tree:;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
-                                   kzalloc(2*(length + 1), GFP_KERNEL);
+                                   kzalloc((4 * length) + 2, GFP_KERNEL);
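Review bot: (4 * length) + 2 is a magic formula with no comment saying what the 4 and the + 2 stand for (presumably the worst-case bytes one 16-bit unit can expand to in the local charset, plus a terminator); a reviewer reading this hunk cannot tell whether 4 is a proven bound for every codepage or just "bigger than last time". Suggest a comment or a named constant for the per-character maximum, and note that the allocation size alone does not make the subsequent copy length-checked.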
Comment 2 Torsten Kaiser 2009-05-06 19:06:59 UTC
Current status:

These 5 patches were acked and should probably hit the stable queue soon.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:55:25 UTC
CVE-2009-1439 (
  Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
  2.6.29 and earlier allows remote attackers to cause a denial of
  service (crash) via a long nativeFileSystem field in a Tree Connect
  response to an SMB mount request.

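The CVE text above says the crash comes from a long nativeFileSystem field in the Tree Connect response. The field arrives as UCS-2LE, but the kernel stores it converted to the local charset, so an allocation sized from the count of 16-bit units can be too small once each unit expands to several bytes. The following is an added example, not kernel code and not a patch from this bug: it reimplements a bounded UCS-2LE to UTF-8 conversion in user space, assumes UTF-8 as the target codepage, and checks the three allocation formulas seen on this page against a constructed sample field.

```c
/* Added example (not from the kernel or this bug report): compare the
 * nativeFileSystem buffer sizes discussed above against the bytes a
 * UCS-2LE field actually needs after conversion to UTF-8 (assumed codepage). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes (excluding NUL) a UCS-2LE string occupies once encoded as UTF-8.
 * BMP only: 1, 2 or 3 bytes per 16-bit unit. */
size_t ucs2le_utf8_len(const unsigned char *src, size_t units)
{
    size_t n = 0;
    for (size_t i = 0; i < units; i++) {
        uint16_t cp = (uint16_t)(src[2 * i] | (src[2 * i + 1] << 8));
        n += cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
    }
    return n;
}

/* Bounded conversion: writes a NUL-terminated UTF-8 string into dst and
 * returns the bytes written (excluding NUL), or -1 when dst_size is too
 * small. The unbounded kernel copy would instead keep writing past dst. */
long ucs2le_to_utf8(const unsigned char *src, size_t units,
                    char *dst, size_t dst_size)
{
    size_t n = 0;
    for (size_t i = 0; i < units; i++) {
        uint16_t cp = (uint16_t)(src[2 * i] | (src[2 * i + 1] << 8));
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
        if (n + need + 1 > dst_size)   /* +1 keeps room for the NUL */
            return -1;
        if (need == 1) {
            dst[n++] = (char)cp;
        } else if (need == 2) {
            dst[n++] = (char)(0xC0 | (cp >> 6));
            dst[n++] = (char)(0x80 | (cp & 0x3F));
        } else {
            dst[n++] = (char)(0xE0 | (cp >> 12));
            dst[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[n++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    dst[n] = '\0';
    return (long)n;
}

/* The three allocation sizes seen in this bug, as functions of `length`
 * (the number of 16-bit units in the wire field). */
size_t size_original(size_t length)   { return length + 2; }
size_t size_first_fix(size_t length)  { return 2 * (length + 1); }
size_t size_second_fix(size_t length) { return 4 * length + 2; }

/* 1 if a buffer sized by `sizer` can hold the converted field, 0 if not. */
int fits(size_t (*sizer)(size_t), const unsigned char *src, size_t units)
{
    size_t sz = sizer(units);
    char *buf = malloc(sz);
    if (!buf)
        return -1;
    long r = ucs2le_to_utf8(src, units, buf, sz);
    free(buf);
    return r >= 0;
}

/* Constructed sample (not a real capture): 8 UCS-2LE units, "NT" followed
 * by six copies of U+4E2D, each of which is 3 bytes in UTF-8. */
static const unsigned char sample_nfs[] = {
    'N', 0x00, 'T', 0x00,
    0x2D, 0x4E, 0x2D, 0x4E, 0x2D, 0x4E,
    0x2D, 0x4E, 0x2D, 0x4E, 0x2D, 0x4E,
};
#define SAMPLE_UNITS (sizeof(sample_nfs) / 2)

int main(void)
{
    size_t need = ucs2le_utf8_len(sample_nfs, SAMPLE_UNITS) + 1;
    printf("units=%zu utf8 bytes needed (with NUL)=%zu\n", SAMPLE_UNITS, need);
    printf("length+2      -> %zu bytes, fits=%d\n", size_original(SAMPLE_UNITS),
           fits(size_original, sample_nfs, SAMPLE_UNITS));
    printf("2*(length+1)  -> %zu bytes, fits=%d\n", size_first_fix(SAMPLE_UNITS),
           fits(size_first_fix, sample_nfs, SAMPLE_UNITS));
    printf("4*length+2    -> %zu bytes, fits=%d\n", size_second_fix(SAMPLE_UNITS),
           fits(size_second_fix, sample_nfs, SAMPLE_UNITS));
    return 0;
}
```

For this sample the field needs 21 bytes including the terminator, so both length + 2 (10 bytes) and 2*(length + 1) (18 bytes) are short, while (4 * length) + 2 (34 bytes) holds it; a server controls both the length and the characters, so the only robust sizing is one computed from the conversion itself, as the later CIFS rework referenced on this page does.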
Comment 4 Torsten Kaiser 2009-05-20 17:35:58 UTC
The fix to 4*length from comment #1 and several other cifs fixes have been released as
Comment 5 Torsten Kaiser 2009-05-29 16:24:12 UTC
Stabilization of vanilla-sources- and the corresponding gentoo-sources has been requested in Bug 271774
Comment 7 kfm 2009-07-24 20:17:06 UTC
If anyone is interested in seeing a full overview of the patch series that was applied by 2.6.29 through to clean up the CIFS filesystem code, resolving this bug and bug 271802 (CVE-2009-1633), please refer to my comment on the latter:

The interesting thing is that the current state of the codebase invalidates the requirement to apply these two patches (if backporting):