Vigil@nce - Linux kernel: denial of service in iov_iter_advance
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A malicious SMB/CIFS server can use the CountHigh field, in order
to stop the CIFS client of the Linux kernel.
Severity: 1/4
Creation date: 28/06/2010
DESCRIPTION OF THE VULNERABILITY
The CIFS SMBWrite and SMBWrite2 response messages contain two fields
that store the number of bytes written:
– Count: historical field (size < 64 KB)
– CountHigh: field used for sizes larger than 64 KB
When the SMBWrite/SMBWrite2 command asks the server to write less
than 64 KB, and the answer contains a CountHigh other than zero, the
CIFSSMBWrite() and CIFSSMBWrite2() functions of the Linux kernel
compute an incorrect written size. The BUG_ON() macro is then
triggered in the iov_iter_advance() function.
A malicious SMB/CIFS server can therefore use the CountHigh field,
in order to stop the CIFS client of the Linux kernel.
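The size computation described above, as an added example that is not code from the bulletin or from the Linux kernel: the structure and function names are assumptions, and the "never trust more bytes written than were requested" check is one defensive option, not the kernel's actual patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two size fields of an SMBWrite/SMBWrite2
 * response. Field names are assumptions, not the kernel's struct layout. */
struct write_rsp {
    uint16_t count;       /* historical field, bytes written below 64 KB */
    uint16_t count_high;  /* upper 16 bits, only meaningful for >= 64 KB */
};

/* Unchecked combination: trusts whatever the server returns. A client that
 * then advances its I/O vector by this value walks past its own buffer,
 * which is the condition the bulletin says trips BUG_ON(). */
static uint32_t bytes_written_unchecked(const struct write_rsp *r)
{
    return ((uint32_t)r->count_high << 16) | r->count;
}

/* Checked combination: a server can never have written more bytes than the
 * client asked for, so a larger value is rejected instead of propagated. */
static bool bytes_written_checked(const struct write_rsp *r,
                                  uint32_t requested, uint32_t *written)
{
    uint32_t n = ((uint32_t)r->count_high << 16) | r->count;
    if (n > requested)
        return false;   /* caller should fail the write with an I/O error */
    *written = n;
    return true;
}

int main(void)
{
    /* Constructed replies to a 4096-byte write request. */
    struct write_rsp honest = { .count = 4096, .count_high = 0 };
    struct write_rsp bogus  = { .count = 4096, .count_high = 1 };
    uint32_t n = 0;

    printf("honest, unchecked: %u bytes\n", bytes_written_unchecked(&honest));
    printf("bogus,  unchecked: %u bytes\n", bytes_written_unchecked(&bogus));
    printf("honest, checked:   accepted=%d\n",
           bytes_written_checked(&honest, 4096, &n));
    printf("bogus,  checked:   accepted=%d\n",
           bytes_written_checked(&bogus, 4096, &n));
    return 0;
}
```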
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-in-iov-iter-advance-9729