[PATCH 0/1][SRU][T] CVE-2018-1066 - CIFS denial of service

Tyler Hicks tyhicks at canonical.com
Mon Dec 10 23:01:50 UTC 2018


 The Linux kernel before version 4.11 is vulnerable to a NULL pointer
 dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an
 attacker controlling a CIFS server to kernel panic a client that has this
 server mounted, because an empty TargetInfo field in an NTLMSSP setup
 negotiation response is mishandled during session recovery.

Clean cherry pick from linux-stable to Trusty. I tested the fix by modifying[1]
the Samba server in a Bionic VM to trigger the crash in the Trusty kernel
(client machine) when the Samba server is restarted. I was able to verify that
the patched kernel allows the Trusty kernel to gracefully handle the server
restart by noticing that the server is sending bad info.


[1] https://copr-dist-git.fedorainfracloud.org/cgit/alonid/samba-for-client-crash-repro/samba.git/tree/0001-Patch.patch?id=43229c84abe008bfc11aa86f5bacb03a1e54f88c
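The CVE text above describes the failure mode: a CHALLENGE message whose TargetInfo field has zero length is accepted by the client and later dereferenced. As an added illustration (not the kernel patch and not Tyler's test code), the C below parses the TargetInfo field of an NTLMSSP CHALLENGE (Type 2) message using the MS-NLMP layout (signature at offset 0, message type at 8, TargetInfo len/maxlen/offset at 40) and rejects empty or out-of-bounds fields before anything touches the payload. Function names and the constructed message builder are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets within an NTLMSSP CHALLENGE (Type 2) message, per MS-NLMP. */
#define NTLMSSP_SIGNATURE      "NTLMSSP"   /* 8 bytes including the NUL */
#define NTLMSSP_CHALLENGE_TYPE 2u
#define CHALLENGE_MIN_LEN      48u         /* fixed part through the TargetInfo fields */
#define TARGET_INFO_FIELDS_OFF 40u         /* len(2) maxlen(2) offset(4) */

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical client-side validator: returns 0 and sets *ti/*ti_len when the
 * TargetInfo field is non-empty and lies inside the message; -1 otherwise.
 * A caller that checks this return value never dereferences an empty field. */
int ntlmssp_get_target_info(const uint8_t *msg, size_t msg_len,
                            const uint8_t **ti, uint16_t *ti_len)
{
    if (msg == NULL || msg_len < CHALLENGE_MIN_LEN)
        return -1;
    if (memcmp(msg, NTLMSSP_SIGNATURE, 8) != 0)
        return -1;
    if (rd32le(msg + 8) != NTLMSSP_CHALLENGE_TYPE)
        return -1;

    uint16_t len = rd16le(msg + TARGET_INFO_FIELDS_OFF);
    uint32_t off = rd32le(msg + TARGET_INFO_FIELDS_OFF + 4);

    if (len == 0)                               /* the CVE-2018-1066 case */
        return -1;
    if (off > msg_len || (size_t)len > msg_len - off)
        return -1;                              /* field points past the message */

    *ti = msg + off;
    *ti_len = len;
    return 0;
}

/* Builds a constructed, minimal CHALLENGE message carrying the given
 * TargetInfo blob right after the fixed header. Returns bytes written, 0 on error. */
size_t build_challenge(uint8_t *out, size_t cap, const uint8_t *ti, uint16_t ti_len)
{
    if (cap < CHALLENGE_MIN_LEN + ti_len)
        return 0;
    memset(out, 0, CHALLENGE_MIN_LEN);
    memcpy(out, NTLMSSP_SIGNATURE, 8);
    out[8] = NTLMSSP_CHALLENGE_TYPE;            /* little-endian message type */
    out[16] = CHALLENGE_MIN_LEN;                /* empty TargetName, offset 48 */
    /* NegotiateFlags, ServerChallenge and Reserved stay zero in this example */
    out[40] = (uint8_t)(ti_len & 0xff);         /* TargetInfoLen */
    out[41] = (uint8_t)(ti_len >> 8);
    out[42] = out[40];                          /* TargetInfoMaxLen */
    out[43] = out[41];
    out[44] = CHALLENGE_MIN_LEN;                /* TargetInfoBufferOffset = 48 */
    if (ti_len)
        memcpy(out + CHALLENGE_MIN_LEN, ti, ti_len);
    return CHALLENGE_MIN_LEN + ti_len;
}

int main(void)
{
    uint8_t buf[128];
    const uint8_t eol[4] = {0, 0, 0, 0};        /* constructed: MsvAvEOL terminator */
    const uint8_t *ti;
    uint16_t ti_len;

    size_t n = build_challenge(buf, sizeof buf, eol, 4);
    printf("well-formed TargetInfo: %d\n", ntlmssp_get_target_info(buf, n, &ti, &ti_len));

    n = build_challenge(buf, sizeof buf, NULL, 0);
    printf("empty TargetInfo rejected: %d\n", ntlmssp_get_target_info(buf, n, &ti, &ti_len));
    return 0;
}
```

The point of the check is that an empty field is a protocol violation the client must treat as a failed session setup, which matches the behaviour described above of the patched Trusty kernel "noticing that the server is sending bad info" rather than crashing.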
