CIFS: sanity check length of data to send before sending

Bug #1283101 reported by Andy Whitcroft on 2014-02-21
This bug affects 1 person
Affects                       Status  Importance  Assigned to  Milestone
linux (Ubuntu)                        Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-armadaxp (Ubuntu)               Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-ec2 (Ubuntu)                    Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-lts-quantal (Ubuntu)            Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-lts-raring (Ubuntu)             Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-lts-saucy (Ubuntu)              Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned
linux-ti-omap4 (Ubuntu)               Undecided   Unassigned
  Lucid                               Undecided   Unassigned
  Precise                             Undecided   Unassigned
  Quantal                             Undecided   Unassigned
  Saucy                               Undecided   Unassigned
  Trusty                              Undecided   Unassigned

Bug Description

This CVE was fixed under 5d81de8e8667da7135d3a32a964087c0faf5483f but there is a second fix which will make this much safer going forward against other bugs:

    http://article.gmane.org/gmane.linux.kernel.cifs/9402

Makes sense to put this into any release which needs it.

# As applied to linus' tree
Break-fix: - a26054d184763969a411e3939fe243516715ff59

Andy Whitcroft (apw) on 2014-02-21
Changed in linux (Ubuntu):
status: New → Triaged
tags: added: kernel-bug-break-fix
Andy Whitcroft (apw) on 2014-02-24
description: updated
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
Andy Whitcroft (apw) on 2014-02-24
Changed in linux-lts-raring (Ubuntu):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ec2 (Ubuntu):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
Andy Whitcroft (apw) on 2014-02-24
Changed in linux (Ubuntu Lucid):
status: New → Confirmed
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Confirmed
Changed in linux (Ubuntu Precise):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Confirmed
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Confirmed
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Confirmed
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Confirmed
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Confirmed
Changed in linux (Ubuntu Quantal):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Confirmed
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Confirmed
Changed in linux (Ubuntu Saucy):
status: New → Confirmed
Changed in linux (Ubuntu Trusty):
status: Triaged → Confirmed
Andy Whitcroft (apw) on 2014-03-13
summary: - CVE-2014-0069: add hardening patch
+ CVE-2014-0069: CIFS -- add hardening patch
description: updated
Andy Whitcroft (apw) on 2014-05-16
Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Andy Whitcroft (apw) on 2014-05-22
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2014-05-22
Changed in linux (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in linux-lts-quantal (Ubuntu Precise):
status: Confirmed → Won't Fix
Andy Whitcroft (apw) on 2014-05-22
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in linux-armadaxp (Ubuntu Quantal):
status: Confirmed → Won't Fix
Andy Whitcroft (apw) on 2014-08-18
Changed in linux (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in linux-lts-raring (Ubuntu Precise):
status: Confirmed → Won't Fix
Changed in linux-lts-saucy (Ubuntu Precise):
status: Confirmed → Won't Fix
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in linux (Ubuntu Lucid):
status: Confirmed → Won't Fix
Changed in linux-ec2 (Ubuntu Lucid):
status: Confirmed → Won't Fix
Tim Gardner (timg-tpi) on 2014-08-18
Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Brad Figg (brad-figg) on 2014-09-15
tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-36.63

---------------
linux (3.13.0-36.63) trusty; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1365052

  [ Feng Kan ]

  * SAUCE: (no-up) irqchip:gic: change access of gicc_ctrl register to read
    modify write.
    - LP: #1357527
  * SAUCE: (no-up) arm64: optimized copy_to_user and copy_from_user
    assembly code
    - LP: #1358949

  [ Ming Lei ]

  * SAUCE: (no-up) Drop APM X-Gene SoC Ethernet driver
    - LP: #1360140
  * [Config] Drop XGENE entries
    - LP: #1360140
  * [Config] CONFIG_NET_XGENE=m for arm64
    - LP: #1360140

  [ Stefan Bader ]

  * SAUCE: Add compat macro for skb_get_hash
    - LP: #1358162
  * SAUCE: bcache: prevent crash on changing writeback_running
    - LP: #1357295

  [ Suman Tripathi ]

  * SAUCE: (no-up) arm64: Fix the csr-mask for APM X-Gene SoC AHCI SATA PHY
    clock DTS node.
    - LP: #1359489
  * SAUCE: (no-up) ahci_xgene: Skip the PHY and clock initialization if
    already configured by the firmware.
    - LP: #1359501
  * SAUCE: (no-up) ahci_xgene: Fix the link down in first attempt for the
    APM X-Gene SoC AHCI SATA host controller driver.
    - LP: #1359507

  [ Tuan Phan ]

  * SAUCE: (no-up) pci-xgene-msi: fixed deadlock in irq_set_affinity
    - LP: #1359514

  [ Upstream Kernel Changes ]

  * iwlwifi: mvm: Add a missed beacons threshold
    - LP: #1349572
  * mac80211: reset probe_send_count also in HW_CONNECTION_MONITOR case
    - LP: #1349572
  * genirq: Add an accessor for IRQ_PER_CPU flag
    - LP: #1357527
  * arm64: perf: add support for percpu pmu interrupt
    - LP: #1357527
  * cifs: sanity check length of data to send before sending
    - LP: #1283101
  * KVM: nVMX: Pass vmexit parameters to nested_vmx_vmexit
    - LP: #1329434
  * KVM: nVMX: Rework interception of IRQs and NMIs
    - LP: #1329434
  * KVM: vmx: disable APIC virtualization in nested guests
    - LP: #1329434
  * HID: Add transport-driver functions to the USB HID interface.
    - LP: #1353021
  * ahci_xgene: Removing NCQ support from the APM X-Gene SoC AHCI SATA Host
    Controller driver.
    - LP: #1358498
  * fold d_kill() and d_free()
    - LP: #1354234
  * fold try_prune_one_dentry()
    - LP: #1354234
  * new helper: dentry_free()
    - LP: #1354234
  * expand the call of dentry_lru_del() in dentry_kill()
    - LP: #1354234
  * dentry_kill(): don't try to remove from shrink list
    - LP: #1354234
  * don't remove from shrink list in select_collect()
    - LP: #1354234
  * more graceful recovery in umount_collect()
    - LP: #1354234
  * dcache: don't need rcu in shrink_dentry_list()
    - LP: #1354234
  * lift the "already marked killed" case into shrink_dentry_list()
  * split dentry_kill()
    - LP: #1354234
  * expand dentry_kill(dentry, 0) in shrink_dentry_list()
    - LP: #1354234
  * shrink_dentry_list(): take parent's ->d_lock earlier
    - LP: #1354234
  * dealing with the rest of shrink_dentry_list() livelock
    - LP: #1354234
  * dentry_kill() doesn't need the second argument now
    - LP: #1354234
  * dcache: add missing lockdep annotation
    - LP: #1354234
  * fs: convert use of typedef ctl_table to struct ctl_table
 ...


Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2014-10-28
Changed in linux (Ubuntu):
status: Fix Released → Invalid
Andy Whitcroft (apw) on 2015-03-08
Changed in linux (Ubuntu):
status: Invalid → Fix Released
information type: Public → Public Security
summary: - CVE-2014-0069: CIFS -- add hardening patch
+ CIFS: sanity check length of data to send before sending