Bug 835652 (CVE-2013-4247) - VUL-1: CVE-2013-4247: kernel: cifs: off-by-one bug in build_unc_path_to_root
Status: RESOLVED FIXED
Alias: CVE-2013-4247
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Assignee: David Disseldorp
QA Contact: Security Team bot
Reported: 2013-08-20 12:57 UTC by Matthias Weckbecker
Modified: 2013-10-29 15:49 UTC

Description Matthias Weckbecker 2013-08-20 12:57:52 UTC
From [1]:

  "Linux kernel built with the Common Internet File System (CONFIG_CIFS)
   support along with a feature to access Distributed File Systems
   (CONFIG_CIFS_DFS_UPCALL), is vulnerable to a memory corruption flaw caused
   by writing one byte past an allocated memory area. It occurs while mounting
   a DFS share wherein the server provides DFS referral names of certain
   length. The memory corruption leads to an unresponsive kernel and subsequent
   crash resulting in Denial of Service.

   An user/program able to mount a file system could use this flaw to crash
   the kernel resulting in DoS."

[1] http://www.openwall.com/lists/oss-security/2013/08/14/8 (patch included)
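
The class of flaw described above, shown as an added user-space example (not code from this bug report, the referenced patch, or the kernel): a buffer sized for a UNC name plus a prefix path, next to a sizing helper and a bounded join that count every byte. It assumes the extra byte is a path separator left out of the allocation size; all function names and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for "<unc><sep><prefix>\0"; the separator exists only with a prefix. */
static size_t joined_size(const char *unc, const char *prefix)
{
    size_t n = strlen(unc) + 1;            /* UNC + terminating NUL */
    if (prefix && *prefix)
        n += 1 + strlen(prefix);           /* separator + prefix */
    return n;
}

/* Assumed flawed sizing: the separator is written later but not counted here. */
static size_t undersized(const char *unc, const char *prefix)
{
    return strlen(unc) + (prefix ? strlen(prefix) : 0) + 1;
}

/* Bounded join: returns bytes written (incl. NUL), or 0 if cap is too small. */
static size_t join_checked(char *dst, size_t cap, const char *unc,
                           const char *prefix, char sep)
{
    size_t need = joined_size(unc, prefix), ulen = strlen(unc);
    if (cap < need)
        return 0;                          /* refuse instead of writing past dst */
    memcpy(dst, unc, ulen);
    if (prefix && *prefix) {
        dst[ulen] = sep;
        memcpy(dst + ulen + 1, prefix, strlen(prefix));
    }
    dst[need - 1] = '\0';
    return need;
}

int main(void)
{
    const char *unc = "\\\\srv\\share", *prefix = "dir";   /* constructed sample */
    char buf[64];
    printf("needed=%zu undersized=%zu\n", joined_size(unc, prefix), undersized(unc, prefix));
    printf("write into undersized buffer: %zu\n",
           join_checked(buf, undersized(unc, prefix), unc, prefix, '\\'));
    printf("write into correct buffer: %zu -> %s\n",
           join_checked(buf, joined_size(unc, prefix), unc, prefix, '\\'), buf);
    return 0;
}
```

The two sizes differ by exactly one byte only when a prefix path is present, which is why this kind of bug depends on the input's shape and length.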
Comment 1 Matthias Weckbecker 2013-08-22 08:00:33 UTC
CVE-2013-4247 was assigned to this.
Comment 3 Marcus Meissner 2013-08-27 20:10:25 UTC
(SLES10 at least does not have this code)
Comment 6 David Disseldorp 2013-10-04 12:49:08 UTC
This bug was introduced by commit 839db3d10a
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=839db3d10a

I've audited the following kernel branches:
SLE10-SP4: never introduced
SLE11-SP[123]: never introduced
openSUSE-12.[123]: never introduced
openSUSE-13.1: introduced and fixed

IMO this bug can be closed.
Comment 7 Marcus Meissner 2013-10-04 12:58:02 UTC
commit 839db3d10a was in Linux 3.7 and later.

So SLES 10 and SLES 11 are not affected.

thanks!