Vulnerability Details
Linux Kernel 'fs/cifs/connect.c' Remote Overflow Vulnerability
- CNNVD ID: CNNVD-200904-492
- Severity: Medium
- CVE ID: CVE-2009-1439
- Vulnerability type: Buffer overflow
- Published: 2009-04-27
- Threat type: Remote
- Updated: 2009-06-23
- Vendor: linux
- Source: fefe
Vulnerability Summary
The Linux kernel is the kernel of Linux, the open-source operating system released by the US-based Linux Foundation. Its CIFS client (fs/cifs) implements the SMB/CIFS network file system protocol used to mount shares from Windows and Samba servers.
The CIFSTCon() function in fs/cifs/connect.c in the Linux kernel contains a buffer overflow. If a user is tricked into connecting to a malicious server and that server returns a specially crafted Tree Connect response to the client, the overflow is triggered and can lead to arbitrary code execution in the kernel. The vulnerable code segment follows:
3441 int
3442 CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
3443          const char *tree, struct cifsTconInfo *tcon,
3444          const struct nls_table *nls_codepage)
3445 {
3446     struct smb_hdr *smb_buffer;
3447     struct smb_hdr *smb_buffer_response;
3448     TCONX_REQ *pSMB;
3449     TCONX_RSP *pSMBr;
3450     unsigned char *bcc_ptr;
3451     int rc = 0;
3452     int length;
3453     __u16 count;
...
3458     smb_buffer = cifs_buf_get();
...
3561         if (smb_buffer->Flags2 & SMBFLG2_UNICODE) {
3562             length = UniStrnlen((wchar_t *) bcc_ptr, 512);
3563             if ((bcc_ptr + (2 * length)) -
3564                  pByteArea(smb_buffer_response) <=
3565                 BCC(smb_buffer_response)) {
3566                 kfree(tcon->nativeFileSystem);
3567                 tcon->nativeFileSystem =
3568                     kzalloc(length + 2, GFP_KERNEL);
...
3579             /* else do not bother copying these information fields*/
...
3606     cifs_buf_release(smb_buffer);
3607     return rc;
3608 }
If the attacker-controlled smb_buffer (obtained at line 3458; by line 3561 it carries the server's response) has the Unicode flag set, the length of the server-supplied name is computed with UniStrnlen(), capped at 512 UCS-2 code units. The name is accepted if it ends within the byte count of smb_buffer_response, which is read through the BCC() macro defined in fs/cifs/cifspdu.h:
416 /* given a pointer to an smb_hdr retrieve the value of byte count */
417 #define BCC(smb_var) (*(__u16 *)((char *)smb_var + sizeof(struct smb_hdr) + (2 * smb_var->WordCount)))
418 #define BCC_LE(smb_var) (*(__le16 *)((char *)smb_var + sizeof(struct smb_hdr) + (2 * smb_var->WordCount)))
The existing nativeFileSystem string is then freed (line 3566) and reallocated with kzalloc() at line 3568. The new buffer must hold the name copied out of the response; the analysis quoted here counts (length + 1) * 2 bytes for that (two bytes per UCS-2 unit plus the terminator), but the code allocates only length + 2 bytes, so the buffer is too small and the copy that follows can write past the end of the kernel heap object. For a plain ASCII name the converted string still fits; any character that expands to more than one byte in the mount's local codepage (the copy goes through the nls table passed in as nls_codepage, selected by the iocharset mount option) pushes the write past the allocation, and the server controls both the length (up to 512 units) and the content of that name.
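The following is an added example, not code from the kernel or from the analysis this page quotes: a user-space C model of the walk CIFSTCon() performs over a Tree Connect AndX response (the BCC() and pByteArea() arithmetic, UniStrnlen() with its 512-unit cap, and the bounds check at line 3563), followed by a comparison of the length + 2 bytes allocated at line 3568 against the bytes a codepage conversion of the server-supplied UCS-2LE name actually writes. The header length HDR_LEN, the Flags2 offset FLAGS2_OFF, the service string "A:" and the sample names are constructed for the example and are not the kernel's struct smb_hdr layout; the conversion is modelled as UTF-8 (1 to 3 bytes per BMP code point), one of the nls codepages a mount can select.

```c
/*
 * Added example, not kernel code: a user-space model of the nativeFileSystem
 * sizing bug in CIFSTCon().  HDR_LEN and FLAGS2_OFF are this example's own
 * constants, not sizeof(struct smb_hdr) or the kernel's field layout.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN         32      /* example header length; last byte is WordCount */
#define FLAGS2_OFF      10      /* example offset of the 16-bit Flags2 field */
#define SMBFLG2_UNICODE 0x8000u /* the Flags2 bit the kernel tests */
#define TCON_WCT        3       /* Tree Connect AndX response parameter words */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Mirrors BCC() and pByteArea(): ByteCount sits after 2*WordCount parameter bytes. */
static uint16_t bcc(const uint8_t *smb) { return rd16(smb + HDR_LEN + 2 * smb[HDR_LEN - 1]); }
static const uint8_t *byte_area(const uint8_t *smb) { return smb + HDR_LEN + 2 * smb[HDR_LEN - 1] + 2; }
/* Mirrors UniStrnlen(): UCS-2LE code units before the 16-bit NUL, capped. */
static size_t uni_strnlen(const uint8_t *p, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && rd16(p + 2 * n) != 0)
        n++;
    return n;
}

/* Build a Unicode response: service "A:" + NUL, then n BMP code points as
 * UCS-2LE plus a 16-bit terminator.  ByteCount is reduced by bcc_trim so a
 * caller can fake a byte area that ends before the string does. */
size_t build_tcon_response(uint8_t *out, size_t cap, const uint16_t *name,
                           size_t n, size_t bcc_trim)
{
    size_t count = 3 + 2 * n + 2, need = HDR_LEN + 2 * TCON_WCT + 2 + count;
    if (need > cap || count > 0xffff || bcc_trim > count)
        return 0;
    memset(out, 0, need);
    out[FLAGS2_OFF + 1] = 0x80;                      /* Flags2 |= SMBFLG2_UNICODE */
    out[HDR_LEN - 1]    = TCON_WCT;                  /* WordCount */
    uint8_t *p = out + HDR_LEN + 2 * TCON_WCT;
    p[0] = (uint8_t)((count - bcc_trim) & 0xff);     /* ByteCount, little-endian */
    p[1] = (uint8_t)((count - bcc_trim) >> 8);
    memcpy(p + 2, "A:", 3);                          /* service string + NUL */
    for (size_t i = 0; i < n; i++) {
        p[5 + 2 * i] = (uint8_t)(name[i] & 0xff);
        p[6 + 2 * i] = (uint8_t)(name[i] >> 8);
    }
    return need;
}

/* The checks connect.c makes before allocating: returns what the kernel calls
 * `length`, or 0 when the response is not Unicode or the name would end past
 * the byte area (the "do not bother copying" path at line 3579). */
size_t native_fs_len(const uint8_t *smb)
{
    if (!(rd16(smb + FLAGS2_OFF) & SMBFLG2_UNICODE))
        return 0;
    const uint8_t *ba = byte_area(smb);
    size_t count = bcc(smb);
    const uint8_t *nul = memchr(ba, 0, count);       /* end of the service string */
    if (nul == NULL)
        return 0;
    const uint8_t *p = nul + 1;
    size_t len = uni_strnlen(p, 512);
    return (size_t)((p + 2 * len) - ba) > count ? 0 : len;  /* test at line 3563 */
}

/* Bytes a UTF-8 nls codepage conversion writes for the name, terminator
 * included (BMP only: 1 to 3 bytes per code point). */
size_t converted_bytes(const uint16_t *name, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += name[i] < 0x80 ? 1 : name[i] < 0x800 ? 2 : 3;
    return out + 1;
}

/* Bytes the copy writes past the length + 2 bytes kzalloc()'d at line 3568,
 * 0 if it fits, -1 if the bounds check rejected the response (nothing is
 * allocated or copied). */
long overflow_for_name(const uint16_t *name, size_t n, size_t bcc_trim)
{
    uint8_t rsp[2048];
    if (!build_tcon_response(rsp, sizeof rsp, name, n, bcc_trim))
        return -1;
    size_t len = native_fs_len(rsp);
    if (len == 0)
        return -1;
    size_t alloc = len + 2, need = converted_bytes(name, len);
    return need > alloc ? (long)(need - alloc) : 0;
}

int main(void)
{
    const uint16_t ascii[] = { 'N', 'T', 'F', 'S' };            /* constructed names */
    const uint16_t cjk[]   = { 0x4E2D, 0x4E2D, 0x4E2D, 0x4E2D, 0x4E2D, 0x4E2D };
    printf("NTFS: %ld past; 6 x U+4E2D: %ld past; same, ByteCount short by 4: %ld\n",
           overflow_for_name(ascii, 4, 0), overflow_for_name(cjk, 6, 0), overflow_for_name(cjk, 6, 4));
    return 0;
}
```

Run as is, it shows the three cases: the ASCII name "NTFS" needs 5 bytes and fits in its 6; six copies of U+4E2D need 19 bytes but get 8, an 11-byte overrun of the heap object; and the same name with a ByteCount 4 bytes short fails the bounds check and is never copied. The check at line 3563 therefore does its job for the layout of the response; what it does not account for is the expansion of the copy, which depends on the iocharset the mount uses and on content the server chooses.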
Vulnerability Advisory
The vendor has released an upstream patch that fixes this issue; it can be downloaded from:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b363b3304bcf68c4541683b2eff70b29f0446a5b
References
Source: FEDORA
Name: FEDORA-2009-5383
Link: https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01271.html
Source: FEDORA
Name: FEDORA-2009-5356
Link: https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01126.html
Source: CONFIRM
Link: https://bugzilla.redhat.com/show_bug.cgi?id=494275
Source: CONFIRM
Link: https://bugzilla.novell.com/show_bug.cgi?id=492282
Source: MISC
Link: http://xorl.wordpress.com/2009/04/07/linux-kernel-tree-connect-cifs-remote-buffer-overflow/
Source: BID
Name: 34453
Link: http://www.securityfocus.com/bid/34453
Source: BUGTRAQ
Name: 20090516 rPSA-2009-0084-1 kernel
Link: http://www.securityfocus.com/archive/1/archive/1/503610/100/0/threaded
Source: REDHAT
Name: RHSA-2009:1081
Link: http://www.redhat.com/support/errata/RHSA-2009-1081.html
Source: MLIST
Name: [oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Link: http://www.openwall.com/lists/oss-security/2009/04/07/7
Source: MLIST
Name: [oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Link: http://www.openwall.com/lists/oss-security/2009/04/07/3
Source: MLIST
Name: [oss-security] 20090405 CVE request? buffer overflow in CIFS in 2.6.*
Link: http://www.openwall.com/lists/oss-security/2009/04/04/1
Source: DEBIAN
Name: DSA-1800
Link: http://www.debian.org/security/2009/dsa-1800
Source: DEBIAN
Name: DSA-1794
Link: http://www.debian.org/security/2009/dsa-1794
Source: DEBIAN
Name: DSA-1787
Link: http://www.debian.org/security/2009/dsa-1787
Source: wiki.rpath.com
Link: http://wiki.rpath.com/Advisories:rPSA-2009-0084
Source: SECUNIA
Name: 35394
Link: http://secunia.com/advisories/35394
Source: SECUNIA
Name: 35390
Link: http://secunia.com/advisories/35390
Source: SECUNIA
Name: 35387
Link: http://secunia.com/advisories/35387
Source: SECUNIA
Name: 35226
Link: http://secunia.com/advisories/35226
Source: SECUNIA
Name: 35217
Link: http://secunia.com/advisories/35217
Source: SECUNIA
Name: 35185
Link: http://secunia.com/advisories/35185
Source: SECUNIA
Name: 35121
Link: http://secunia.com/advisories/35121
Source: SECUNIA
Name: 35120
Link: http://secunia.com/advisories/35120
Source: SECUNIA
Name: 35011
Link: http://secunia.com/advisories/35011
Source: SECUNIA
Name: 34981
Link: http://secunia.com/advisories/34981
Source: MLIST
Name: [linux-cifs-client] 20090406 [PATCH] cifs: Fix insufficient memory allocation for nativeFileSystem field
Link: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Source: SUSE
Name: SUSE-SA:2009:032
Link: http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00002.html
Source: SUSE
Name: SUSE-SA:2009:031
Link: http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
Source: SUSE
Name: SUSE-SA:2009:030
Link: http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00000.html
Source: SUSE
Name: SUSE-SA:2009:028
Link: http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00002.html
Source: git.kernel.org
Link: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b363b3304bcf68c4541683b2eff70b29f0446a5b
Source: MISC
Link: http://blog.fefe.de/?ts=b72905a8
Affected Entities
- Linux Linux_kernel:2.6.22.7
- Linux Linux_kernel:2.6.22.19
- Linux Linux_kernel:2.6.27.10
- Linux Linux_kernel:2.6.27.9
- Linux Linux_kernel:2.6.27.12
Patch
No patch file is attached to this entry; the fix is the upstream kernel commit linked under Vulnerability Advisory.