Bug 1062578
Summary: | CVE-2014-0069 kernel: cifs: uncached writes don't handle bad user addresses correctly [fedora-rawhide] | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Jeff Layton <jlayton>
Component: | kernel | Assignee: | Jeff Layton <jlayton>
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | urgent | Docs Contact: |
Priority: | urgent | |
Version: | rawhide | CC: | aviro, nfs-maint, pmatouse, rwheeler, sprabhu, steved
Target Milestone: | --- | Keywords: | Security, SecurityTracking
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Release Note
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1062584 1062588 1062590 | Environment: |
Last Closed: | 2014-02-14 19:12:27 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1062584, 1062585, 1062590, 1064253 | |
Attachments: | | |
Description
Jeff Layton
2014-02-07 11:19:44 UTC
Created attachment 860442 [details]
patch -- cifs: ensure that uncached writes handle unmapped areas correctly
This patch fixes the bug. It should apply fairly cleanly to most recent kernels (including RHEL6/7).
Created attachment 862435 [details]
patch -- cifs: sanity check length of data to send before sending
Second patch to help prevent issues like this in the future.
If we get a bad send request from the upper layers, have the transport layer throw a warning and an error:
When testing with the reproducer, I get this with this patch applied and not the other one:
[ 2253.669549] WARNING: CPU: 1 PID: 8911 at fs/cifs/transport.c:312 smb_send_rqst+0x22f/0x290 [cifs]()
[ 2253.670968] Send length mismatch(send_length=4294971460 smb_buf_length=4160)
...plus the expected WARN stack trace. I think we'll want to submit both patches for inclusion.
Patches have now been sent upstream:
http://article.gmane.org/gmane.linux.kernel.cifs/9401
http://article.gmane.org/gmane.linux.kernel.cifs/9402
...they should make their way into mainline soon, and the first one should go to stable soon afterward.
Fixed in git. Building.
In the 3.14-rc2-git4 snapshot kernel. Should hit rawhide tomorrow.
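The kind of pre-send length check the second patch's description refers to, as an added user-space example (not the attached patch and not kernel code): it sums the bytes queued across all segments and compares the total with the length declared in the frame prefix. Assumptions: a 4-byte prefix (one zero byte plus a 3-byte big-endian payload length), the helper names, and the constructed segment lists, which reproduce the totals from the warning quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define PREFIX_LEN 4u /* assumed framing: 1 zero byte + 3-byte big-endian length */

/* Payload length declared in the frame's 4-byte prefix. */
static uint32_t declared_len(const unsigned char *p)
{
    return ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Total bytes queued across all segments, accumulated in 64 bits. */
uint64_t total_send_length(const struct iovec *iov, int n_vec)
{
    uint64_t total = 0;
    for (int i = 0; i < n_vec; i++)
        total += iov[i].iov_len;
    return total;
}

/* Returns 0 if the queued bytes match the declared length, -1 (with a
 * warning) if not. Hypothetical helper; only the prefix bytes are read. */
int check_send_length(const struct iovec *iov, int n_vec)
{
    if (n_vec < 1 || iov[0].iov_len < PREFIX_LEN)
        return -1;
    uint64_t send_length = total_send_length(iov, n_vec);
    uint32_t buf_len = declared_len(iov[0].iov_base);
    if (send_length != (uint64_t)buf_len + PREFIX_LEN) {
        fprintf(stderr, "Send length mismatch(send_length=%llu smb_buf_length=%u)\n",
                (unsigned long long)send_length, (unsigned)buf_len);
        return -1;
    }
    return 0;
}

/* Constructed samples: the prefix declares 0x001040 = 4160 payload bytes. */
static unsigned char hdr[64] = { 0x00, 0x00, 0x10, 0x40 };
static unsigned char data[1]; /* placeholder base; only the lengths matter */
static struct iovec good_iov[2] = { { hdr, sizeof hdr }, { data, 4100 } };
static struct iovec bad_iov[4] = { { hdr, sizeof hdr }, { data, 0x80000000u },
                                   { data, 0x80000000u }, { data, 4100 } };

int main(void)
{
    /* good: 64 + 4100 == 4160 + 4; bad: total is 2^32 + 4164 */
    return (check_send_length(good_iov, 2) == 0 &&
            check_send_length(bad_iov, 4) == -1) ? 0 : 1;
}
```

The 64-bit accumulator matters here: the bad total, 4294971460, truncates to 4164 in 32 bits, which equals 4160 + 4 and would pass the comparison.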