oss-sec mailing list archives

CVE request? buffer overflow in CIFS in 2.6.*

From: Marcus Meissner <meissner () suse de>
Date: Sun, 5 Apr 2009 00:11:31 +0200

Hi,

I guess we need a CVE for this fix:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7

Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
is depending on the codepage converted to.

The data seems to come from a remote generated reply blob even, correct
me if I am wrong. :/

Checking our enterprise distro kernels it seems to cover most of the
2.6 kernel range...
2.6.27 has the same code, 2.6.16 too, 2.6.5 too.



And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
generate more than 2 byte utf-8 characters for 1 ucs character?

(spotted by felix leitner, german blog entry: http://blog.fefe.de/?ts=b72905a8 )

Ciao, Marcus

Current thread:

CVE request? buffer overflow in CIFS in 2.6.* Marcus Meissner (Apr 04)
- Re: CVE request? buffer overflow in CIFS in 2.6.* Eugene Teo (Apr 06)
  - Re: CVE request? buffer overflow in CIFS in 2.6.* Marcus Meissner (Apr 07)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Eugene Teo (Apr 20)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Marcus Meissner (Apr 21)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Eugene Teo (Apr 21)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Steven M. Christey (Apr 24)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Eugene Teo (Apr 25)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* dann frazier (Apr 29)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* Steven French (Apr 29)
    - Re: CVE request? buffer overflow in CIFS in 2.6.* dann frazier (Apr 29)

(Thread continues...)