* [PATCH 1/2] cifs: modefromsid: make room for 4 ACE
@ 2019-09-16  2:28 Aurelien Aptel
  2019-09-16  2:28 ` [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first Aurelien Aptel
  0 siblings, 1 reply; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16  2:28 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, Aurelien Aptel

When mounting with modefromsid, we end up writing 4 ACEs into a security
descriptor that only has room for 3, thus triggering an out-of-bounds
write. Fix this by changing the minimum size of a security descriptor.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/cifsacl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h
index dd95a6fa24bf..eb428349f29a 100644
--- a/fs/cifs/cifsacl.h
+++ b/fs/cifs/cifsacl.h
@@ -45,7 +45,7 @@
  */
 #define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \
 			      sizeof(struct cifs_acl) + \
-			      (sizeof(struct cifs_ace) * 3))
+			      (sizeof(struct cifs_ace) * 4))
 
 /*
  * Maximum size of a string representation of a SID:
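Review bot: The multiplier `4` on the new line is a silent coupling to the number of ACEs that set_chmod_dacl() in fs/cifs/cifsacl.c emits (owner, group, everyone, plus the NFS-mode ACE when modefromsid is set), and nothing on the define says so; the block comment above the macro starts outside this hunk, so I cannot tell whether it explains the count. A one-line comment on the define, `/* 3 mode ACEs (owner, group, everyone) + 1 NFS-mode ACE when modefromsid is set */`, or a named ACE-count constant used by both the define and set_chmod_dacl(), would keep a future ACE addition from reintroducing the out-of-bounds write the description mentions.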
-- 
2.16.4



* [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first
  2019-09-16  2:28 [PATCH 1/2] cifs: modefromsid: make room for 4 ACE Aurelien Aptel
@ 2019-09-16  2:28 ` Aurelien Aptel
  0 siblings, 0 replies; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16  2:28 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, Aurelien Aptel

A DACL should start with the denying ACE, but we are putting it at the
end. Reorder the ACEs to put it first.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/cifsacl.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 3e0c5ed9ca20..28b56cb19d60 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -809,17 +809,11 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
 			struct cifs_sid *pgrpsid, __u64 nmode, bool modefromsid)
 {
 	u16 size = 0;
+	u32 num_aces = 0;
 	struct cifs_acl *pnndacl;
 
 	pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
 
-	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
-					pownersid, nmode, S_IRWXU);
-	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
-					pgrpsid, nmode, S_IRWXG);
-	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
-					 &sid_everyone, nmode, S_IRWXO);
-
 	/* TBD: Move this ACE to the top of ACE list instead of bottom */
 	if (modefromsid) {
 		struct cifs_ace *pntace =
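Review bot: The `/* TBD: Move this ACE to the top of ACE list instead of bottom */` comment kept as context before `if (modefromsid)` is now stale, because this hunk does exactly that by emitting the mode ACE before the three fill_ace_for_sid() calls. Replace it with a statement of the new invariant, e.g. `/* The mode ACE must precede the allow ACEs, so emit it first. */`; the patch title calls it a DENY ACE, but the ACE type is assigned on lines outside this hunk, so I have not verified that wording. set_chmod_dacl()'s signature begins in the hunk header and its body continues into the next hunk.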
@@ -840,12 +834,22 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
 		pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
 		pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
 
-		pndacl->num_aces = cpu_to_le32(4);
 		size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
 					 &sid_unix_NFS_mode, nmode, S_IRWXO);
-	} else
-		pndacl->num_aces = cpu_to_le32(3);
+		num_aces++;
+	}
+
+	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
+					pownersid, nmode, S_IRWXU);
+	num_aces++;
+	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+					pgrpsid, nmode, S_IRWXG);
+	num_aces++;
+	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+					 &sid_everyone, nmode, S_IRWXO);
+	num_aces++;
 
+	pndacl->num_aces = cpu_to_le32(num_aces);
 	pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
 
 	return 0;
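Review bot: `size` and `num_aces` are accumulated across the four fill_ace_for_sid() calls with no bound against the buffer `pndacl` points into, so the capacity for four ACEs still rests entirely on the caller sizing the descriptor with DEFAULT_SEC_DESC_LEN (patch 1/2 of this series) and set_chmod_dacl() cannot detect an undersized buffer. Consider passing the available length and returning an error before the write that would exceed it, or at least a comment above the first fill_ace_for_sid() call, `/* caller must provide room for DEFAULT_SEC_DESC_LEN (up to 4 ACEs) */`, so the coupling is visible at the write site. The `u16 size` accumulator also cannot represent a length above 65535, which is fine for four ACEs but worth a note if the count ever grows. The closing brace of set_chmod_dacl() is outside the hunk.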
-- 
2.16.4


