[kernel/f14] Fix CVE-2011-3191

Josh Boyer jwboyer at fedoraproject.org
Thu Sep 15 14:17:17 UTC 2011 

commit 51ba367fb083f8f5a43d4309cabafdb7c957e0d2
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Thu Sep 15 10:08:51 2011 -0400

    Fix CVE-2011-3191

 ...ossible-memory-corruption-in-CIFSFindNext.patch |   82 ++++++++++++++++++++
 kernel.spec                                        |    7 ++
 2 files changed, 89 insertions(+), 0 deletions(-)
---
diff --git a/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch b/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
new file mode 100644
index 0000000..06fc5c7
--- /dev/null
+++ b/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
@@ -0,0 +1,82 @@
+Path: news.gmane.org!not-for-mail
+From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA at public.gmane.org>
+Newsgroups: gmane.linux.kernel.cifs
+Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
+Date: Tue, 23 Aug 2011 07:21:28 -0400
+Lines: 37
+Approved: news at gmane.org
+Message-ID: <1314098488-1547-1-git-send-email-jlayton at redhat.com>
+NNTP-Posting-Host: lo.gmane.org
+X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
+X-Complaints-To: usenet at dough.gmane.org
+NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
+Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA at public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR at public.gmane.org
+To: smfrench-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
+Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA at public.gmane.org Tue Aug 23 13:21:37 2011
+Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA at public.gmane.org>
+Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw at public.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by lo.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA at public.gmane.org>)
+	id 1Qvp33-0003JC-05
+	for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw at public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
+Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA at public.gmane.org) by vger.kernel.org via listexpand
+	id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs at m.gmane.org>);
+	Tue, 23 Aug 2011 07:21:36 -0400
+Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
+	mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1751065Ab1HWLVf (ORCPT
+	<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA at public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
+Original-Received: by gya6 with SMTP id 6so4228912gya.19
+        for <linux-cifs-u79uwXL29TY76Z2rM5mHXA at public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
+Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
+        Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
+Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
+        by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
+        (version=SSLv3 cipher=OTHER);
+        Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
+X-Mailer: git-send-email 1.7.6
+Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA at public.gmane.org
+Precedence: bulk
+List-ID: <linux-cifs.vger.kernel.org>
+X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA at public.gmane.org
+Xref: news.gmane.org gmane.linux.kernel.cifs:4006
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A at public.gmane.org>
+Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR at public.gmane.org>
+Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA at public.gmane.org>
+---
+ fs/cifs/cifssmb.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index f4d0988..950464d 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
+ 	T2_FNEXT_RSP_PARMS *parms;
+ 	char *response_data;
+ 	int rc = 0;
+-	int bytes_returned, name_len;
++	int bytes_returned;
++	unsigned int name_len;
+ 	__u16 params, byte_count;
+ 
+ 	cFYI(1, "In FindNext");
+-- 
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index eadc187..acdbe55 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -870,6 +870,9 @@ Patch14052: gro-Only-reset-frag0-when-skb-can-be-pulled.patch
 # CVE-2011-2928
 Patch14053: befs-Validate-length-of-long-symbolic-links.patch
 
+# CVE-2011-3191
+Patch14054: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1639,6 +1642,9 @@ ApplyPatch gro-Only-reset-frag0-when-skb-can-be-pulled.patch
 # CVE-2011-2928
 ApplyPatch befs-Validate-length-of-long-symbolic-links.patch
 
+# CVE-2011-3191
+ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2228,6 +2234,7 @@ fi
 * Thu Sep 15 2011 Josh Boyer <jwboyer at redhat.com>
 - CVE-2011-2723: gro: Only reset frag0 when skb can be pulled
 - CVE-2011-2928: befs: Validate length of long symbolic links
+- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext
 
 * Mon Sep 12 2011 Josh Boyer <jwboyer at redhat.com>
 - Backport 5336377d to fix RHBZ #648571

More information about the scm-commits mailing list