Re: CVE request - kernel: cifs: Fix a kernel BUG with remote OS/2 server

[Eugene Teo <eugeneteo () kernel sg>]

On 06/30/2010 12:57 AM, akuster wrote:
> pSMBr->CountHigh looks to have been introduce by commit
> 381a420f5b23cedd9e166e052a93a7f4237bd57c back in 2.6.12-rc2.
> So would it be said this issue has been around since then?

Which tree are you using? I got: fatal: bad object 
381a420f5b23cedd9e166e052a93a7f4237bd57c.

->CountHigh was added long ago. Even v2.6.9 (rhel-4) is affected.

Eugene

> On 06/27/2010 10:41 PM, Eugene Teo wrote:
> > "This was known to trigger with a OS/2 server. The server sets
> > pSMBr->CountHigh to a incorrect value even in case of normal writes.
> > This results in 'nbytes' being computed wrongly and triggers a kernel
> > BUG at mm/filemap.c.
> >
> >      void iov_iter_advance(struct iov_iter *i, size_t bytes)
> >      {
> >              BUG_ON(i->count<  bytes);<--- BUG here
> >
> > Why the server is setting 'CountHigh' is not clear but only does so
> > after writing 64k bytes. Though this looks like the server bug, the
> > client side crash may not be acceptable.
> >
> > The workaround is to mask off high 16 bits if the number of bytes
> > written as returned by the server is greater than the bytes requested by
> > the client."
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=608583
> > http://git.kernel.org/linus/6513a81e9325d712f1bfb9a1d7b750134e49ff18


--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }