From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Justin Maggard <jmaggard@netgear.com>,
	Steve French <smfrench@gmail.com>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.19.y-ckt 26/70] cifs: fix out-of-bounds access in lease parsing
Date: Wed, 16 Mar 2016 13:05:19 -0700
Message-ID: <1458158763-9614-27-git-send-email-kamal@canonical.com>
In-Reply-To: <1458158763-9614-1-git-send-email-kamal@canonical.com>

v3.19.8-ckt17 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Justin Maggard <jmaggard10@gmail.com>

commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.

When opening a file, SMB2_open() attempts to parse the lease state from the
SMB2 CREATE Response.  However, the parsing code was not careful to ensure
that the create contexts are not empty or invalid, which can lead to
out-of-bounds memory access.  This can be seen easily by trying
to read a file from an OSX 10.11 SMB3 server.  Here is sample crash output:

BUG: unable to handle kernel paging request at ffff8800a1a77cc6
IP: [<ffffffff8828a734>] SMB2_open+0x804/0x960
PGD 8f77067 PUD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
RIP: 0010:[<ffffffff8828a734>]  [<ffffffff8828a734>] SMB2_open+0x804/0x960
RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
Stack:
 ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
 ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
 ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
Call Trace:
 [<ffffffff88278789>] ? cifsConvertToUTF16+0x159/0x2d0
 [<ffffffff8828cf68>] smb2_open_file+0x98/0x210
 [<ffffffff8811e80c>] ? __kmalloc+0x1c/0xe0
 [<ffffffff882685f4>] cifs_open+0x2a4/0x720
 [<ffffffff88122cef>] do_dentry_open+0x1ff/0x310
 [<ffffffff88268350>] ? cifsFileInfo_get+0x30/0x30
 [<ffffffff88123d92>] vfs_open+0x52/0x60
 [<ffffffff88131dd0>] path_openat+0x170/0xf70
 [<ffffffff88097d48>] ? remove_wait_queue+0x48/0x50
 [<ffffffff88133a29>] do_filp_open+0x79/0xd0
 [<ffffffff8813f2ca>] ? __alloc_fd+0x3a/0x170
 [<ffffffff881240c4>] do_sys_open+0x114/0x1e0
 [<ffffffff881241a9>] SyS_open+0x19/0x20
 [<ffffffff8896e257>] entry_SYSCALL_64_fastpath+0x12/0x6a
Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
RIP  [<ffffffff8828a734>] SMB2_open+0x804/0x960
 RSP <ffff88005b31fa08>
CR2: ffff8800a1a77cc6
---[ end trace d9f69ba64feee469 ]---

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/smb2pdu.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 355cc45..09169fe 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1042,21 +1042,25 @@ parse_lease_state(struct TCP_Server_Info *server, struct smb2_create_rsp *rsp,
 {
 	char *data_offset;
 	struct create_context *cc;
-	unsigned int next = 0;
+	unsigned int next;
+	unsigned int remaining;
 	char *name;
 
 	data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset);
+	remaining = le32_to_cpu(rsp->CreateContextsLength);
 	cc = (struct create_context *)data_offset;
-	do {
-		cc = (struct create_context *)((char *)cc + next);
+	while (remaining >= sizeof(struct create_context)) {
 		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
-		if (le16_to_cpu(cc->NameLength) != 4 ||
-		    strncmp(name, "RqLs", 4)) {
-			next = le32_to_cpu(cc->Next);
-			continue;
-		}
-		return server->ops->parse_lease_buf(cc, epoch);
-	} while (next != 0);
+		if (le16_to_cpu(cc->NameLength) == 4 &&
+		    strncmp(name, "RqLs", 4) == 0)
+			return server->ops->parse_lease_buf(cc, epoch);
+
+		next = le32_to_cpu(cc->Next);
+		if (!next)
+			break;
+		remaining -= next;
+		cc = (struct create_context *)((char *)cc + next);
+	}
 
 	return 0;
 }
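Review bot: `remaining -= next` (right after the `if (!next)` test) still trusts the server: a Next larger than remaining wraps the unsigned counter, so the loop keeps walking past CreateContextsLength, and a Next smaller than sizeof(struct create_context) makes the next iteration re-read overlapping bytes. Suggest `if (next < sizeof(struct create_context) || next > remaining) break;` before the subtraction. The `name` pointer is likewise formed from NameOffset with no bound, and strncmp reads 4 bytes from it; checking `NameOffset + NameLength <= remaining` before the compare would close that read. Nothing in the hunk validates CreateContextsOffset against the length of the received response either, so data_offset itself can still point outside it.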
-- 
2.7.0
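An added example, not part of this patch or of the kernel's code, of the same context walk with every server-supplied field bounded before it is used, run over a constructed CREATE response. The 16-byte header layout mirrors the kernel's struct create_context; ctx_off and ctx_len stand in for CreateContextsOffset and CreateContextsLength (ctx_off here already includes whatever prefix the caller adds), and the "DHnQ" context and filler bytes are invented sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CC_HDR_LEN 16   /* Next, NameOffset, NameLength, Reserved, DataOffset, DataLength */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Walk the CREATE context chain that starts ctx_off bytes into an rsp_len byte
 * response and spans ctx_len bytes (the values a server puts in
 * CreateContextsOffset/CreateContextsLength). Returns the offset of the "RqLs"
 * context, or -1 when it is absent or any server-supplied field would leave
 * the buffer. Each rejection below is a read the unpatched loop would perform. */
long find_lease_ctx(const uint8_t *rsp, size_t rsp_len, size_t ctx_off, size_t ctx_len)
{
    size_t pos = ctx_off, remaining = ctx_len;
    if (ctx_off > rsp_len || ctx_len > rsp_len - ctx_off)
        return -1;                                  /* chain not inside the response */
    while (remaining >= CC_HDR_LEN) {               /* empty chain: loop never runs */
        const uint8_t *cc = rsp + pos;
        uint32_t next = rd32(cc);
        uint16_t name_off = rd16(cc + 4), name_len = rd16(cc + 6);
        if (name_off > remaining || name_len > remaining - name_off)
            return -1;                              /* name lies outside this context */
        if (name_len == 4 && memcmp(cc + name_off, "RqLs", 4) == 0)
            return (long)pos;
        if (next == 0)
            break;                                  /* last context, no lease present */
        if (next < CC_HDR_LEN || next > remaining)
            return -1;                              /* would re-read or underflow remaining */
        remaining -= next;
        pos += next;
    }
    return -1;
}

/* Constructed 16-byte context header: Next, NameOffset, NameLength=4, rest zero */
#define CC_HDR(next, noff) (next) & 0xff, ((next) >> 8) & 0xff, ((next) >> 16) & 0xff, \
                           ((next) >> 24) & 0xff, (noff), 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0

/* Constructed response: 4 filler bytes, then a "DHnQ" context chained to the "RqLs" one */
const uint8_t good_rsp[] = { 0xaa, 0xaa, 0xaa, 0xaa,
    CC_HDR(24, 16), 'D', 'H', 'n', 'Q', 0, 0, 0, 0,
    CC_HDR(0, 16),  'R', 'q', 'L', 's', 0, 0, 0, 0 };
/* Same chain, but the first context's Next points far past the end of the buffer */
const uint8_t bad_rsp[] = { 0xaa, 0xaa, 0xaa, 0xaa,
    CC_HDR(0xfffffff0u, 16), 'D', 'H', 'n', 'Q', 0, 0, 0, 0,
    CC_HDR(0, 16),  'R', 'q', 'L', 's', 0, 0, 0, 0 };
```

With good_rsp the lease context is found at offset 28; with bad_rsp the oversized Next is rejected instead of wrapping remaining, and an empty or over-long CreateContextsLength is rejected before any header is read.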
