[PATCH 0/1][SRU][T] CVE-2018-1066 - CIFS denial of service
Tyler Hicks
tyhicks at canonical.com
Mon Dec 10 23:01:50 UTC 2018
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1066.html
The Linux kernel before version 4.11 is vulnerable to a NULL pointer
dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an
attacker controlling a CIFS server to kernel panic a client that has this
server mounted, because an empty TargetInfo field in an NTLMSSP setup
negotiation response is mishandled during session recovery.
Clean cherry pick from linux-stable to Trusty. I tested the fix by modifying[1]
the Samba server in a Bionic VM to trigger the crash in the Trusty kernel
(client machine) when the Samba server is restarted. I was able to verify that
the patched kernel allows the Trusty kernel to gracefully handle the server
restart by noticing that the server is sending bad info.
Tyler
[1] https://copr-dist-git.fedorainfracloud.org/cgit/alonid/samba-for-client-crash-repro/samba.git/tree/0001-Patch.patch?id=43229c84abe008bfc11aa86f5bacb03a1e54f88c
More information about the kernel-team
mailing list