oss-sec mailing list archives

Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server

From: Josh Bressers <bressers () redhat com>
Date: Mon, 28 Jun 2010 16:23:37 -0400 (EDT)

Please use CVE-2010-2248

Thanks.

-- 
    JB


----- "Eugene Teo" <eugeneteo () kernel sg> wrote:

"This was known to trigger with a OS/2 server. The server sets 
pSMBr->CountHigh to a incorrect value even in case of normal writes. 
This results in 'nbytes' being computed wrongly and triggers a kernel

BUG at mm/filemap.c.

     void iov_iter_advance(struct iov_iter *i, size_t bytes)
     {
             BUG_ON(i->count < bytes);    <--- BUG here

Why the server is setting 'CountHigh' is not clear but only does so 
after writing 64k bytes. Though this looks like the server bug, the 
client side crash may not be acceptable.

The workaround is to mask off high 16 bits if the number of bytes 
written as returned by the server is greater than the bytes requested
by 
the client."

https://bugzilla.redhat.com/show_bug.cgi?id=608583
http://git.kernel.org/linus/6513a81e9325d712f1bfb9a1d7b750134e49ff18

-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i);
}

Current thread:

CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server Eugene Teo (Jun 28)
- Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server Josh Bressers (Jun 28)
- Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server akuster (Jun 29)
  - Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server Eugene Teo (Jun 29)
    - Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server akuster (Jun 30)
    - Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server Eugene Teo (Jun 30)