Bug 7949 - DoS in Winbind and smbd with many file descriptors open; CVE-2011-0719
Summary: DoS in Winbind and smbd with many file descriptors open; CVE-2011-0719
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All Linux
Importance: P3 regression
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-07 15:33 UTC by Simo Sorce
Modified: 2012-03-16 23:56 UTC
CC list: 3 users

See Also:


Attachments
Patch for 3.5.x. (12.79 KB, patch)
2011-02-15 16:07 UTC, Jeremy Allison
Patch for 3.4.x. (20.86 KB, patch)
2011-02-15 19:16 UTC, Jeremy Allison
Slightly better 3.5.x patch that doesn't do the check on every select call. (13.22 KB, patch)
2011-02-16 12:16 UTC, Jeremy Allison
Correct patch for 3.4.x (removed extraneous changes). (13.40 KB, patch)
2011-02-16 12:18 UTC, Jeremy Allison
Missed one extraneous change in the 3.4.x patch... (12.87 KB, text/x-patch)
2011-02-16 13:42 UTC, Jeremy Allison
Patch for 3.3.x. (15.91 KB, patch)
2011-02-16 17:17 UTC, Jeremy Allison
Patch for 3.2.x. (15.36 KB, patch)
2011-02-16 18:40 UTC, Jeremy Allison
Patch for 3.0.x. (14.37 KB, patch)
2011-02-17 14:04 UTC, Jeremy Allison
Modified version/subset of the 3.0 patch for 3.0.20b (10.95 KB, patch)
2011-02-22 04:28 UTC, Lars Müller
Modified version/subset of the 3.0 patch for 3.0.20b; use False and return NULL in smb_readline_replacement() (11.14 KB, patch)
2011-02-22 14:28 UTC, Lars Müller
Modified version of Jeremy's initial to return NULL from smb_readline_replacement() (14.37 KB, patch)
2011-02-23 06:24 UTC, Lars Müller
Modified version of Jeremy's initial to return NULL from smb_readline_replacement() (14.56 KB, patch)
2011-02-23 06:32 UTC, Lars Müller

Description Simo Sorce 2011-02-07 15:33:35 UTC
test
Comment 1 Simo Sorce 2011-02-07 16:09:15 UTC
This is a blocker bug for 3.5.7

Will not provide more info until we are sure we can restrict access when we change back the product to "Samba 3.5"
Comment 2 Lars Müller 2011-02-07 17:09:56 UTC
Restriction also set for Product Samba 3.5 and 3.6.
Comment 3 Jeremy Allison 2011-02-15 16:07:18 UTC
Created attachment 6248
Patch for 3.5.x.
Comment 4 Jeremy Allison 2011-02-15 19:16:59 UTC
Created attachment 6249
Patch for 3.4.x.
Comment 5 Jeremy Allison 2011-02-16 12:16:21 UTC
Created attachment 6252
Slightly better 3.5.x patch that doesn't do the check on every select call.
Comment 6 Jeremy Allison 2011-02-16 12:18:26 UTC
Created attachment 6253
Correct patch for 3.4.x (removed extraneous changes).
Comment 7 Jeremy Allison 2011-02-16 13:42:37 UTC
Created attachment 6254
Missed one extraneous change in the 3.4.x patch...
Comment 8 Jeremy Allison 2011-02-16 17:17:51 UTC
Created attachment 6255
Patch for 3.3.x.
Comment 9 Jeremy Allison 2011-02-16 18:40:34 UTC
Created attachment 6256
Patch for 3.2.x.
Comment 10 Jeremy Allison 2011-02-17 14:04:42 UTC
Created attachment 6257
Patch for 3.0.x.
Comment 11 Lars Müller 2011-02-22 04:28:11 UTC
Created attachment 6262
Modified version/subset of the 3.0 patch for 3.0.20b
Comment 12 Lars Müller 2011-02-22 14:28:52 UTC
Created attachment 6264
Modified version/subset of the 3.0 patch for 3.0.20b; use False and return NULL in smb_readline_replacement()
Comment 13 Lars Müller 2011-02-22 16:34:53 UTC
After a short discussion with Günther <gd> I've checked the code further to see if the missing "return NULL;" in the patch for 3.0 is even able to cause any trouble.

From source/client/client.c process_stdin() calls smb_readline(the_prompt, ...) while the_prompt is not initialized.

Adding

--- source/lib/readline.c.orig
+++ source/lib/readline.c
@@ -79,6 +84,7 @@ static char *smb_readline_replacement(co
      if (callback)
         callback();
   }
+  return NULL;
 }
·
 /****************************************************************************
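Review bot: the added `return NULL;` is the only thing that stops control falling off the end of `smb_readline_replacement()`, which the hunk header shows is declared `static char *`; without it the caller receives an undefined return value rather than a reliable NULL, which is the trouble the comment above is asking about. Before merging, confirm that every caller of `smb_readline()`, including the `process_stdin()` path in source/client/client.c named above, checks for a NULL result, otherwise the fix only converts an unpredictable pointer into a deterministic NULL dereference. The header offsets (`@@ -79,6 +84,7 @@`) also indicate this fragment sits on top of the earlier 3.0 patch in this bug, so it should be applied after that patch, not against a pristine 3.0 tree.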

and we're on the safe side.  That's how we handle this situation in post-3.0 versions.
Comment 14 Oden Eriksson 2011-02-23 02:22:36 UTC
Hello.

We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch 
posted on vendor-sec. Are those the final patches?
Comment 15 Lars Müller 2011-02-23 06:24:43 UTC
Created attachment 6265
Modified version of Jeremy's initial to return NULL from smb_readline_replacement()
Comment 16 Lars Müller 2011-02-23 06:32:09 UTC
Created attachment 6266
Modified version of Jeremy's initial to return NULL from smb_readline_replacement()
Comment 17 Lars Müller 2011-02-23 06:38:59 UTC
(In reply to comment #14)
> We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch 
> posted on vendor-sec. Are those the final patches?
 
For the final 3.0 patch version see attachment #6266.  That's a slightly modified version of the initial one.  It includes the modification as described in comment #13.

The patches against 3.2 and newer are correct.  These code bases already include the return call we had to add in 3.0.
Comment 18 Oden Eriksson 2011-02-23 06:42:53 UTC
Thanks guys!
Comment 19 Jeremy Allison 2011-02-24 14:15:44 UTC
===========================================================
== Subject:     Denial of service - memory corruption
==
== CVE ID#:     CVE-2011-0719
==
== Versions:    Samba 3.0.x - 3.5.6 (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.6 are affected by a
==              denial of service caused by memory corruption.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.7 has been issued as a security release to correct the
defect.  Patches against older Samba versions are available at
http://samba.org/samba/patches/.  Samba administrators running affected
versions are advised to upgrade to 3.5.7 or apply the patch as soon
as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Volker Lendecke of SerNet. Thanks to Volker for his careful code
review.
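The defect the advisory describes is an FD_SET() on a descriptor the fd_set cannot hold. The following is an added illustration in C of the range check that was missing; it is not Samba's code, and the helper names fd_set_checked and build_readset, the sample descriptor arrays, and the main() driver are mine. It shows the hardened path only: the unsafe path (FD_SET with fd >= FD_SETSIZE on a stack-resident set) is undefined behaviour and is deliberately not executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/*
 * fd_set is a fixed-size bitmap of FD_SETSIZE bits (1024 on glibc).
 * FD_SET(fd, &set) performs no bounds check, so a descriptor >= FD_SETSIZE
 * sets a bit beyond the end of the array. With the set on the stack that is
 * the stack corruption described in the advisory: a process that has enough
 * files open for open()/accept() to return such a descriptor damages its own
 * frame the moment it builds the set for select().
 *
 * fd_set_checked and build_readset are assumed helper names for this
 * example, not Samba functions.
 */

/* Add fd to set only if the set can represent it. */
bool fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        return false;           /* caller must treat this as an error */
    }
    FD_SET(fd, set);
    return true;
}

/*
 * Build the read set for select() from an array of descriptors.
 * Returns the highest fd added (select() takes maxfd + 1), or -1 if any
 * descriptor is out of range. Failing loudly matters: silently skipping the
 * fd would leave that connection unserviced, and a select() loop that keeps
 * retrying on a bad set is the spin the advisory warns about.
 */
int build_readset(const int *fds, size_t n, fd_set *set)
{
    int maxfd = -1;
    FD_ZERO(set);
    for (size_t i = 0; i < n; i++) {
        if (!fd_set_checked(fds[i], set)) {
            return -1;
        }
        if (fds[i] > maxfd) {
            maxfd = fds[i];
        }
    }
    return maxfd;
}

int main(void)
{
    /* Constructed inputs: bad_fds contains a descriptor one past the largest
     * value FD_SET can store. No real files are opened. */
    int ok_fds[]  = { 3, 7, FD_SETSIZE - 1 };
    int bad_fds[] = { 3, FD_SETSIZE };
    fd_set set;

    int maxfd = build_readset(ok_fds, 3, &set);
    printf("in-range set: maxfd=%d, fd 7 %s\n", maxfd,
           FD_ISSET(7, &set) ? "present" : "absent");

    if (build_readset(bad_fds, 2, &set) < 0) {
        printf("fd %d rejected: an fd_set holds only %d bits\n",
               FD_SETSIZE, FD_SETSIZE);
    }
    return 0;
}
```

On a server the same check belongs at the point where a new descriptor is accepted: a descriptor at or above FD_SETSIZE should be closed and the connection refused rather than stored for a later select(), or the event loop should use poll()/epoll, which carry no such fixed limit.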
Comment 20 Karolin Seeger 2011-02-28 08:10:53 UTC
Fixed with Samba 3.5.7, 3.4.12 and 3.3.15.
Closing out bug report.

Thanks!
Comment 21 Lars Müller 2011-02-28 08:31:25 UTC
Make the bug public as the embargo time expired.