The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://article.gmane.org/gmane.linux.kernel.cifs/9401 | mailing list broken link |
| http://www.securityfocus.com/bid/65588 | vdb entry third party advisory |
| https://github.com/torvalds/linux/commit/5d81de8e8667da7135d3a32a964087c0faf5483f | third party advisory patch |
| http://rhn.redhat.com/errata/RHSA-2014-0328.html | third party advisory vendor advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1064253 | issue tracking third party advisory |
| http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=5d81de8e8667da7135d3a32a964087c0faf5483f | broken link |
| http://www.openwall.com/lists/oss-security/2014/02/17/4 | third party advisory mailing list |
| http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00026.html | mailing list third party advisory vendor advisory |