Bug 494275 (CVE-2009-1439)

Summary: CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bhu, dhoward, jlayton, jpirko, jskrabal, kseifried, lgoncalv, lwang, mjc, rcvalle, tao, vgoyal, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-02 00:16:10 UTC
Bug Depends On: 494276, 494277, 494278, 494279, 494280

Description Eugene Teo (Security Response) 2009-04-06 07:03:39 UTC
Description of problem:
CIFS can allocate a few bytes too little for the nativeFileSystem field
during tree connect response processing during mount.  This can result
in a "Redzone overwritten" message being logged.

Upstream commit:
http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b

References:
http://blog.fefe.de/?ts=b72905a8
http://git.kernel.org/linus/15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://article.gmane.org/gmane.comp.security.oss.general/1620
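
An added illustration of the bug class described in this report (constructed example, not the kernel's code or the upstream fix): it assumes the nativeFileSystem string arrives as UCS-2LE, as SMB carries it when Unicode is negotiated, and is converted to a multibyte local charset, so a destination buffer sized from the UCS-2 unit count plus a couple of bytes runs short as soon as any unit expands, while the hardened path computes the converted length first and refuses to write past the buffer. The sample wire bytes and the two sizing functions are assumptions for the demo.

```c
/* Added illustration, not the kernel's code: sizing the destination buffer for
 * a UCS-2LE wire string (the nativeFileSystem field) converted to a multibyte
 * local charset. Sample bytes and the "too small" arithmetic are constructed. */
#include <stdint.h>
#include <stddef.h>
/* UTF-8 bytes one 16-bit code unit expands to (BMP units, no pair merging). */
static size_t utf8_width(uint16_t cu) { return cu < 0x80 ? 1 : (cu < 0x800 ? 2 : 3); }
static uint16_t unit_at(const uint8_t *s, size_t i) { return (uint16_t)(s[2*i] | (s[2*i+1] << 8)); }
/* Bytes the converted string needs, NUL terminator included. */
size_t ucs2le_utf8_len(const uint8_t *src, size_t nunits)
{
    size_t need = 1;
    for (size_t i = 0; i < nunits; i++)
        need += utf8_width(unit_at(src, i));
    return need;
}

/* Bounds-checked conversion: bytes written (NUL excluded), or -1 if dst is too
 * small. Writing first and checking afterwards is what tramples the redzone. */
int ucs2le_to_utf8(const uint8_t *src, size_t nunits, char *dst, size_t dstsz)
{
    if (ucs2le_utf8_len(src, nunits) > dstsz) return -1;
    size_t o = 0;
    for (size_t i = 0; i < nunits; i++) {
        uint16_t cu = unit_at(src, i);
        if (cu < 0x80) {
            dst[o++] = (char)cu;
        } else if (cu < 0x800) {
            dst[o++] = (char)(0xC0 | (cu >> 6));
            dst[o++] = (char)(0x80 | (cu & 0x3F));
        } else {
            dst[o++] = (char)(0xE0 | (cu >> 12));
            dst[o++] = (char)(0x80 | ((cu >> 6) & 0x3F));
            dst[o++] = (char)(0x80 | (cu & 0x3F));
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Sized from the unit count plus a couple of bytes: short once any unit expands. */
size_t undersized_alloc(size_t nunits) { return nunits + 2; }
/* Sized from the worst-case expansion: 3 bytes per unit plus the NUL. */
size_t worstcase_alloc(size_t nunits) { return 3 * nunits + 1; }
/* Converts a constructed sample, "NTFS" U+00E9 U+20AC (6 units, 9 UTF-8 bytes). */
int convert_sample(char *dst, size_t dstsz)
{
    static const uint8_t wire[] = { 'N',0, 'T',0, 'F',0, 'S',0, 0xE9,0, 0xAC,0x20 };
    return ucs2le_to_utf8(wire, sizeof wire / 2, dst, dstsz);
}
```

With the sample, the undersized buffer (8 bytes) is rejected by the length check, whereas the worst-case buffer (19 bytes) receives the 9-byte string plus its terminator.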

Comment 12 Vincent Danen 2009-04-27 18:39:15 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1439 to
the following vulnerability:

Name: CVE-2009-1439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
Assigned: 20090427
Reference: MLIST:[linux-cifs-client] 20090406 [PATCH] cifs: Fix insufficient memory allocation for nativeFileSystem field
Reference: URL: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Reference: MLIST:[oss-security] 20090405 CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/04/1
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/7
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/3
Reference: MISC: http://blog.fefe.de/?ts=b72905a8
Reference: CONFIRM: https://bugzilla.novell.com/show_bug.cgi?id=492282

Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
2.6.29 and earlier allows remote attackers to cause a denial of
service (crash) via a long nativeFileSystem field in a Tree Connect
response to an SMB mount request.

Comment 13 Eugene Teo (Security Response) 2009-05-13 02:24:21 UTC
Update:
These patches are needed too:
f083def68f84b04fe3f97312498911afce79609e (fix for b363b330)
27b87fe52baba0a55e9723030e76fce94fabcea4 (another issue)
313fecfa69bbad0a10d3313a50a89d3064f47ce1 (add cFYI messages)
22c9d52bc03b880045ab1081890a38f11b272ae7 (remove unneeded pointer)
to be patched on top of:
b363b3304bcf68c4541683b2eff70b29f0446a5b.

http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b
http://git.kernel.org/linus/f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/linus/313fecfa69bbad0a10d3313a50a89d3064f47ce1
http://git.kernel.org/linus/22c9d52bc03b880045ab1081890a38f11b272ae7

Comment 15 Chuck Ebbert 2009-05-21 17:13:12 UTC
It looks like this bug is fixed in the upstream 2.6.27.24 and 2.6.29.4 updates.

Comment 16 Fedora Update System 2009-05-21 22:16:12 UTC
kernel-2.6.27.24-78.2.53.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-78.2.53.fc9

Comment 17 Fedora Update System 2009-05-22 09:01:52 UTC
kernel-2.6.27.24-170.2.68.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-170.2.68.fc10

Comment 18 Fedora Update System 2009-05-25 21:09:25 UTC
kernel-2.6.27.24-170.2.68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-05-27 19:05:48 UTC
kernel-2.6.27.24-78.2.53.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2009-06-03 15:36:53 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html

Comment 21 errata-xmlrpc 2009-06-16 22:34:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html

Comment 23 errata-xmlrpc 2009-08-13 15:34:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1211 https://rhn.redhat.com/errata/RHSA-2009-1211.html

Comment 26 Kurt Seifried 2011-11-02 00:16:10 UTC
All children bugs have been closed, parent is no longer needed.