Bug 7949 - DoS in Winbind and smbd with many file descriptors open; CVE-2011-0719
DoS in Winbind and smbd with many file descriptors open; CVE-2011-0719
Status: RESOLVED FIXED
Product: Samba 3.5
Classification: Unclassified
Component: File services
unspecified
All Linux
: P3 regression
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-07 15:33 UTC by Simo Sorce
Modified: 2012-03-16 23:56 UTC (History)
3 users (show)

See Also:


Attachments
Patch for 3.5.x. (12.79 KB, patch)
2011-02-15 16:07 UTC, Jeremy Allison
no flags Details
Patch for 3.4.x. (20.86 KB, patch)
2011-02-15 19:16 UTC, Jeremy Allison
no flags Details
Slightly better 3.5.x patch that fixes doesn't do the check on every select call. (13.22 KB, patch)
2011-02-16 12:16 UTC, Jeremy Allison
no flags Details
Correct patch for 3.4.x (removed extraneous changes). (13.40 KB, patch)
2011-02-16 12:18 UTC, Jeremy Allison
no flags Details
Missed one extraneous change in the 3.4.x patch... (12.87 KB, text/x-patch)
2011-02-16 13:42 UTC, Jeremy Allison
no flags Details
Patch for 3.3.x. (15.91 KB, patch)
2011-02-16 17:17 UTC, Jeremy Allison
no flags Details
Patch for 3.2.x. (15.36 KB, patch)
2011-02-16 18:40 UTC, Jeremy Allison
no flags Details
Patch for 3.0.x. (14.37 KB, patch)
2011-02-17 14:04 UTC, Jeremy Allison
no flags Details
Modified version/ subset of the 3.0 patch for 3.0.20b (10.95 KB, patch)
2011-02-22 04:28 UTC, Lars Müller
no flags Details
Modified version/ subset of the 3.0 patch for 3.0.20b; use False and return NULL insmb_readline_replacement() (11.14 KB, patch)
2011-02-22 14:28 UTC, Lars Müller
no flags Details
Modified version of Jeremy'sinitial to return NULL from smb_readline_replacement() (14.37 KB, patch)
2011-02-23 06:24 UTC, Lars Müller
no flags Details
Modified version of Jeremy'sinitial to return NULL from smb_readline_replacement() (14.56 KB, patch)
2011-02-23 06:32 UTC, Lars Müller
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Simo Sorce 2011-02-07 15:33:35 UTC
test
Comment 1 Simo Sorce 2011-02-07 16:09:15 UTC
This is a blocker bug for 3.5.7

Will not provide more info until we are sure we can restrict access when we change back the product to "Samba 3.5"
Comment 2 Lars Müller 2011-02-07 17:09:56 UTC
Restriction also set for Product Samba 3.5 and 3.6.
Comment 3 Jeremy Allison 2011-02-15 16:07:18 UTC
Created attachment 6248 [details]
Patch for 3.5.x.
Comment 4 Jeremy Allison 2011-02-15 19:16:59 UTC
Created attachment 6249 [details]
Patch for 3.4.x.
Comment 5 Jeremy Allison 2011-02-16 12:16:21 UTC
Created attachment 6252 [details]
Slightly better 3.5.x patch that fixes doesn't do the check on every select call.
Comment 6 Jeremy Allison 2011-02-16 12:18:26 UTC
Created attachment 6253 [details]
Correct patch for 3.4.x (removed extraneous changes).
Comment 7 Jeremy Allison 2011-02-16 13:42:37 UTC
Created attachment 6254 [details]
Missed one extraneous change in the 3.4.x patch...
Comment 8 Jeremy Allison 2011-02-16 17:17:51 UTC
Created attachment 6255 [details]
Patch for 3.3.x.
Comment 9 Jeremy Allison 2011-02-16 18:40:34 UTC
Created attachment 6256 [details]
Patch for 3.2.x.
Comment 10 Jeremy Allison 2011-02-17 14:04:42 UTC
Created attachment 6257 [details]
Patch for 3.0.x.
Comment 11 Lars Müller 2011-02-22 04:28:11 UTC
Created attachment 6262 [details]
Modified version/ subset of the 3.0 patch for 3.0.20b
Comment 12 Lars Müller 2011-02-22 14:28:52 UTC
Created attachment 6264 [details]
Modified version/ subset of the 3.0 patch for 3.0.20b; use False and return NULL insmb_readline_replacement()
Comment 13 Lars Müller 2011-02-22 16:34:53 UTC
After a short discussion with Günther <gd> I've checked the code further to see if the missing "return NULL;" in the patch for 3.0 is even able to cause any trouble.

From source/client/client.c process_stdin() calls smb_readline(the_prompt, ...) while the_prompt is not initialized.

Adding

--- source/lib/readline.c.orig
+++ source/lib/readline.c
@@ -79,6 +84,7 @@ static char *smb_readline_replacement(co
      if (callback)
         callback();
   }
+  return NULL;
 }
·
 /****************************************************************************

and we're on the save side.  That's how we handle this situation in post-3.0 versions.
Comment 14 Oden Eriksson 2011-02-23 02:22:36 UTC
Hello.

We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch 
posted on vendor-sec. Are those the final patches?
Comment 15 Lars Müller 2011-02-23 06:24:43 UTC
Created attachment 6265 [details]
Modified version of Jeremy'sinitial to return NULL from smb_readline_replacement()
Comment 16 Lars Müller 2011-02-23 06:32:09 UTC
Created attachment 6266 [details]
Modified version of Jeremy'sinitial to return NULL from smb_readline_replacement()
Comment 17 Lars Müller 2011-02-23 06:38:59 UTC
(In reply to comment #14)
> We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch 
> posted on vendor-sec. Are those the final patches?
 
For the final 3.0 patch version see attachment #6266 [details]  That's a slightly modified version of the initial one.  It includes the modification as described in comment #13.

The patches against 3.2 and newer are correct.  These code bases already include the return call we had to add in 3.0.
Comment 18 Oden Eriksson 2011-02-23 06:42:53 UTC
Thanks guys!
Comment 19 Jeremy Allison 2011-02-24 14:15:44 UTC
===========================================================
== Subject:     Denial of service - memory corruption
==
== CVE ID#:     CVE-2011-0719
==
== Versions:    Samba 3.0.x - 3.5.6 (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.6 are affected by a
==              denial of service caused by memory corruption.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.7 has been issued as security release to correct the
defect.  Patches against older Samba versions are available at
http://samba.org/samba/patches/.  Samba administrators running affected
versions are advised to upgrade to 3.5.7 or apply the patch as soon
as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Volker Lendecke of SerNet. Thanks to Volker for his careful code
review.
Comment 20 Karolin Seeger 2011-02-28 08:10:53 UTC
Fixed with Samba 3.5.7, 3.4.12 and 3.3.15.
Closing out bug report.

Thanks!
Comment 21 Lars Müller 2011-02-28 08:31:25 UTC
Make the bug public as the embargo time expired.