[PATCH 1/1] cifs: potential memory leaks when parsing mnt opts

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-21 23:08 ` Taesoo Kim
  0 siblings, 0 replies; 10+ messages in thread
From: Taesoo Kim @ 2015-03-21 23:08 UTC (permalink / raw)
  To: sfrench-eUNUBHrolfbYtjvyW6yDsg,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: taesoo-/4noJB3qBVQ3uPMLIKxrzw, changwoo-/4noJB3qBVQ3uPMLIKxrzw,
	sanidhya-/4noJB3qBVQ3uPMLIKxrzw, blee-/4noJB3qBVQ3uPMLIKxrzw,
	csong84-/4noJB3qBVQ3uPMLIKxrzw, Taesoo Kim

For example, when mount opt is redundently specified
(e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
with kstrdup() and overwrite previous ptr (to be freed).

Althouhg mkfs.cifs in userspace performs a bit of sanitization
(e.g., forcing one user option), current implementation is not
robust. Other options such as iocharset and domainanme are similary
vulnerable.

Signed-off-by: Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 fs/cifs/connect.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index d3aa999..4cb8450 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 				pr_warn("CIFS: username too long\n");
 				goto cifs_parse_mount_err;
 			}
+
+			kfree(vol->username);
 			vol->username = kstrdup(string, GFP_KERNEL);
 			if (!vol->username)
 				goto cifs_parse_mount_err;
@@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 				goto cifs_parse_mount_err;
 			}
 
+			kfree(vol->domainname);
 			vol->domainname = kstrdup(string, GFP_KERNEL);
 			if (!vol->domainname) {
 				pr_warn("CIFS: no memory for domainname\n");
@@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 			}
 
 			 if (strncasecmp(string, "default", 7) != 0) {
+				kfree(vol->iocharset);
 				vol->iocharset = kstrdup(string,
 							 GFP_KERNEL);
 				if (!vol->iocharset) {
-- 
2.3.3

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-21 23:08 ` Taesoo Kim
  0 siblings, 0 replies; 10+ messages in thread
From: Taesoo Kim @ 2015-03-21 23:08 UTC (permalink / raw)
  To: sfrench, linux-cifs, samba-technical, linux-kernel
  Cc: taesoo, changwoo, sanidhya, blee, csong84, Taesoo Kim

For example, when mount opt is redundently specified
(e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
with kstrdup() and overwrite previous ptr (to be freed).

Althouhg mkfs.cifs in userspace performs a bit of sanitization
(e.g., forcing one user option), current implementation is not
robust. Other options such as iocharset and domainanme are similary
vulnerable.

Signed-off-by: Taesoo Kim <tsgatesv@gmail.com>
---
 fs/cifs/connect.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index d3aa999..4cb8450 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 				pr_warn("CIFS: username too long\n");
 				goto cifs_parse_mount_err;
 			}
+
+			kfree(vol->username);
 			vol->username = kstrdup(string, GFP_KERNEL);
 			if (!vol->username)
 				goto cifs_parse_mount_err;
@@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 				goto cifs_parse_mount_err;
 			}
 
+			kfree(vol->domainname);
 			vol->domainname = kstrdup(string, GFP_KERNEL);
 			if (!vol->domainname) {
 				pr_warn("CIFS: no memory for domainname\n");
@@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 			}
 
 			 if (strncasecmp(string, "default", 7) != 0) {
+				kfree(vol->iocharset);
 				vol->iocharset = kstrdup(string,
 							 GFP_KERNEL);
 				if (!vol->iocharset) {
-- 
2.3.3


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
  2015-03-21 23:08 ` Taesoo Kim
@ 2015-03-22  2:10     ` Scott Lovenberg
  -1 siblings, 0 replies; 10+ messages in thread
From: Scott Lovenberg @ 2015-03-22  2:10 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: sfrench-eUNUBHrolfbYtjvyW6yDsg, linux-cifs,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ, LKML,
	taesoo-/4noJB3qBVQ3uPMLIKxrzw, changwoo-/4noJB3qBVQ3uPMLIKxrzw,
	sanidhya-/4noJB3qBVQ3uPMLIKxrzw, blee-/4noJB3qBVQ3uPMLIKxrzw,
	csong84-/4noJB3qBVQ3uPMLIKxrzw

On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Althouhg mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), current implementation is not
> robust. Other options such as iocharset and domainanme are similary
> vulnerable.
>

I assume you mean mount.cifs?  :-) Anyways, good catch.

-- 
Peace and Blessings,
-Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-22  2:10     ` Scott Lovenberg
  0 siblings, 0 replies; 10+ messages in thread
From: Scott Lovenberg @ 2015-03-22  2:10 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: sfrench, linux-cifs, samba-technical, LKML, taesoo, changwoo,
	sanidhya, blee, csong84

On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@gmail.com> wrote:

> Althouhg mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), current implementation is not
> robust. Other options such as iocharset and domainanme are similary
> vulnerable.
>

I assume you mean mount.cifs?  :-) Anyways, good catch.

-- 
Peace and Blessings,
-Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
  2015-03-22  2:10     ` Scott Lovenberg
@ 2015-03-22  3:23         ` Taesoo Kim
  -1 siblings, 0 replies; 10+ messages in thread
From: Taesoo Kim @ 2015-03-22  3:23 UTC (permalink / raw)
  To: Scott Lovenberg
  Cc: Taesoo Kim, sfrench-eUNUBHrolfbYtjvyW6yDsg, linux-cifs,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ, LKML,
	changwoo-/4noJB3qBVQ3uPMLIKxrzw, sanidhya-/4noJB3qBVQ3uPMLIKxrzw,
	blee-/4noJB3qBVQ3uPMLIKxrzw, csong84-/4noJB3qBVQ3uPMLIKxrzw

On 03/21/15 at 09:10pm, Scott Lovenberg wrote:
> On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> 
> > Althouhg mkfs.cifs in userspace performs a bit of sanitization
> > (e.g., forcing one user option), current implementation is not
> > robust. Other options such as iocharset and domainanme are similary
> > vulnerable.
> >
> 
> I assume you mean mount.cifs?  :-) Anyways, good catch.

Right. FYI, I've tried mangling password field (e.g., pass=a,user=A
&c); Skimming through the code (just a few minutes), there are a few
potential places that don't sanitize its string, unlike passwd. But
don't have much time to play with for now :)

Thanks,
Taesoo
 
> -- 
> Peace and Blessings,
> -Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-22  3:23         ` Taesoo Kim
  0 siblings, 0 replies; 10+ messages in thread
From: Taesoo Kim @ 2015-03-22  3:23 UTC (permalink / raw)
  To: Scott Lovenberg
  Cc: Taesoo Kim, sfrench, linux-cifs, samba-technical, LKML, changwoo,
	sanidhya, blee, csong84

On 03/21/15 at 09:10pm, Scott Lovenberg wrote:
> On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@gmail.com> wrote:
> 
> > Althouhg mkfs.cifs in userspace performs a bit of sanitization
> > (e.g., forcing one user option), current implementation is not
> > robust. Other options such as iocharset and domainanme are similary
> > vulnerable.
> >
> 
> I assume you mean mount.cifs?  :-) Anyways, good catch.

Right. FYI, I've tried mangling password field (e.g., pass=a,user=A
&c); Skimming through the code (just a few minutes), there are a few
potential places that don't sanitize its string, unlike passwd. But
don't have much time to play with for now :)

Thanks,
Taesoo
 
> -- 
> Peace and Blessings,
> -Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
  2015-03-22  3:23         ` Taesoo Kim
@ 2015-03-22  3:54             ` Scott Lovenberg
  -1 siblings, 0 replies; 10+ messages in thread
From: Scott Lovenberg @ 2015-03-22  3:54 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: Taesoo Kim, sfrench-eUNUBHrolfbYtjvyW6yDsg, linux-cifs,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ, LKML,
	changwoo-/4noJB3qBVQ3uPMLIKxrzw, sanidhya-/4noJB3qBVQ3uPMLIKxrzw,
	blee-/4noJB3qBVQ3uPMLIKxrzw, csong84-/4noJB3qBVQ3uPMLIKxrzw

On Sat, Mar 21, 2015 at 10:23 PM, Taesoo Kim <taesoo-/4noJB3qBVQ3uPMLIKxrzw@public.gmane.org> wrote:
> On 03/21/15 at 09:10pm, Scott Lovenberg wrote:
>> On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>> > Althouhg mkfs.cifs in userspace performs a bit of sanitization
>> > (e.g., forcing one user option), current implementation is not
>> > robust. Other options such as iocharset and domainanme are similary
>> > vulnerable.
>> >
>>
>> I assume you mean mount.cifs?  :-) Anyways, good catch.
>
> Right. FYI, I've tried mangling password field (e.g., pass=a,user=A
> &c); Skimming through the code (just a few minutes), there are a few
> potential places that don't sanitize its string, unlike passwd. But
> don't have much time to play with for now :)
>
> Thanks,
> Taesoo
>
>> --
>> Peace and Blessings,
>> -Scott.

Without even looking at the code, I can tell you that's probably my
fault if you're talking about the code in mount.cifs.  I was pretty
paranoid about the password field but not so paranoid about the other
parameters.  I'll take a look late tonight or some time tomorrow and
try to patch over my shame. :)

-- 
Peace and Blessings,
-Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-22  3:54             ` Scott Lovenberg
  0 siblings, 0 replies; 10+ messages in thread
From: Scott Lovenberg @ 2015-03-22  3:54 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: Taesoo Kim, sfrench, linux-cifs, samba-technical, LKML, changwoo,
	sanidhya, blee, csong84

On Sat, Mar 21, 2015 at 10:23 PM, Taesoo Kim <taesoo@gatech.edu> wrote:
> On 03/21/15 at 09:10pm, Scott Lovenberg wrote:
>> On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@gmail.com> wrote:
>>
>> > Althouhg mkfs.cifs in userspace performs a bit of sanitization
>> > (e.g., forcing one user option), current implementation is not
>> > robust. Other options such as iocharset and domainanme are similary
>> > vulnerable.
>> >
>>
>> I assume you mean mount.cifs?  :-) Anyways, good catch.
>
> Right. FYI, I've tried mangling password field (e.g., pass=a,user=A
> &c); Skimming through the code (just a few minutes), there are a few
> potential places that don't sanitize its string, unlike passwd. But
> don't have much time to play with for now :)
>
> Thanks,
> Taesoo
>
>> --
>> Peace and Blessings,
>> -Scott.

Without even looking at the code, I can tell you that's probably my
fault if you're talking about the code in mount.cifs.  I was pretty
paranoid about the password field but not so paranoid about the other
parameters.  I'll take a look late tonight or some time tomorrow and
try to patch over my shame. :)

-- 
Peace and Blessings,
-Scott.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
  2015-03-21 23:08 ` Taesoo Kim
@ 2015-03-24  4:43     ` Steve French
  -1 siblings, 0 replies; 10+ messages in thread
From: Steve French @ 2015-03-24  4:43 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA, samba-technical,
	LKML, taesoo-/4noJB3qBVQ3uPMLIKxrzw,
	changwoo-/4noJB3qBVQ3uPMLIKxrzw, sanidhya-/4noJB3qBVQ3uPMLIKxrzw,
	blee-/4noJB3qBVQ3uPMLIKxrzw, csong84-/4noJB3qBVQ3uPMLIKxrzw,
	Scott Lovenberg

Nice catch.

Merged into cifs-2.6.git for-next

On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> For example, when mount opt is redundently specified
> (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
> with kstrdup() and overwrite previous ptr (to be freed).
>
> Althouhg mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), current implementation is not
> robust. Other options such as iocharset and domainanme are similary
> vulnerable.
>
> Signed-off-by: Taesoo Kim <tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  fs/cifs/connect.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index d3aa999..4cb8450 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                                 pr_warn("CIFS: username too long\n");
>                                 goto cifs_parse_mount_err;
>                         }
> +
> +                       kfree(vol->username);
>                         vol->username = kstrdup(string, GFP_KERNEL);
>                         if (!vol->username)
>                                 goto cifs_parse_mount_err;
> @@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                                 goto cifs_parse_mount_err;
>                         }
>
> +                       kfree(vol->domainname);
>                         vol->domainname = kstrdup(string, GFP_KERNEL);
>                         if (!vol->domainname) {
>                                 pr_warn("CIFS: no memory for domainname\n");
> @@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                         }
>
>                          if (strncasecmp(string, "default", 7) != 0) {
> +                               kfree(vol->iocharset);
>                                 vol->iocharset = kstrdup(string,
>                                                          GFP_KERNEL);
>                                 if (!vol->iocharset) {
> --
> 2.3.3
>



-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts
@ 2015-03-24  4:43     ` Steve French
  0 siblings, 0 replies; 10+ messages in thread
From: Steve French @ 2015-03-24  4:43 UTC (permalink / raw)
  To: Taesoo Kim
  Cc: Steve French, linux-cifs, samba-technical, LKML, taesoo,
	changwoo, sanidhya, blee, csong84, Scott Lovenberg

Nice catch.

Merged into cifs-2.6.git for-next

On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@gmail.com> wrote:
> For example, when mount opt is redundently specified
> (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
> with kstrdup() and overwrite previous ptr (to be freed).
>
> Althouhg mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), current implementation is not
> robust. Other options such as iocharset and domainanme are similary
> vulnerable.
>
> Signed-off-by: Taesoo Kim <tsgatesv@gmail.com>
> ---
>  fs/cifs/connect.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index d3aa999..4cb8450 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                                 pr_warn("CIFS: username too long\n");
>                                 goto cifs_parse_mount_err;
>                         }
> +
> +                       kfree(vol->username);
>                         vol->username = kstrdup(string, GFP_KERNEL);
>                         if (!vol->username)
>                                 goto cifs_parse_mount_err;
> @@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                                 goto cifs_parse_mount_err;
>                         }
>
> +                       kfree(vol->domainname);
>                         vol->domainname = kstrdup(string, GFP_KERNEL);
>                         if (!vol->domainname) {
>                                 pr_warn("CIFS: no memory for domainname\n");
> @@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>                         }
>
>                          if (strncasecmp(string, "default", 7) != 0) {
> +                               kfree(vol->iocharset);
>                                 vol->iocharset = kstrdup(string,
>                                                          GFP_KERNEL);
>                                 if (!vol->iocharset) {
> --
> 2.3.3
>



-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2015-03-24  4:44 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-21 23:08 [PATCH 1/1] cifs: potential memory leaks when parsing mnt opts Taesoo Kim
2015-03-21 23:08 ` Taesoo Kim
     [not found] ` <1426979310-31201-1-git-send-email-tsgatesv-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-03-22  2:10   ` Scott Lovenberg
2015-03-22  2:10     ` Scott Lovenberg
     [not found]     ` <CAFB9KM3==40uUXxxOD_CD09zFPj3Fmr-Brt7x4SZj86NTf3_vg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-22  3:23       ` Taesoo Kim
2015-03-22  3:23         ` Taesoo Kim
     [not found]         ` <20150322032340.GD5170-Q1ymHw66ZoYdnm+yROfE0A@public.gmane.org>
2015-03-22  3:54           ` Scott Lovenberg
2015-03-22  3:54             ` Scott Lovenberg
2015-03-24  4:43   ` Steve French
2015-03-24  4:43     ` Steve French

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.