* [PATCH] ksmbd: fix out-of-bound read in deassemble_neg_contexts()
@ 2023-05-30 12:57 Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix out-of-bound read in parse_lease_state() Namjae Jeon
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Namjae Jeon @ 2023-05-30 12:57 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, atteh.mailbox, Namjae Jeon, Chih-Yen Chang
The check in the beginning is
`clen + sizeof(struct smb2_neg_context) <= len_of_ctxts`,
but in the end of loop, `len_of_ctxts` will subtract
`((clen + 7) & ~0x7) + sizeof(struct smb2_neg_context)`, which causes
integer underflow when clen does the 8 alignment. We should use
`(clen + 7) & ~0x7` in the check to avoid underflow from happening.
Then there are some variables that need to be declared unsigned
instead of signed.
[ 11.671070] BUG: KASAN: slab-out-of-bounds in smb2_handle_negotiate+0x799/0x1610
[ 11.671533] Read of size 2 at addr ffff888005e86cf2 by task kworker/0:0/7
...
[ 11.673383] Call Trace:
[ 11.673541] <TASK>
[ 11.673679] dump_stack_lvl+0x33/0x50
[ 11.673913] print_report+0xcc/0x620
[ 11.674671] kasan_report+0xae/0xe0
[ 11.675171] kasan_check_range+0x35/0x1b0
[ 11.675412] smb2_handle_negotiate+0x799/0x1610
[ 11.676217] ksmbd_smb_negotiate_common+0x526/0x770
[ 11.676795] handle_ksmbd_work+0x274/0x810
...
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Tested-by: Chih-Yen Chang <cc85nod@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/smb2pdu.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 7a81541de602..25c0ba04c59d 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -963,13 +963,13 @@ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
struct smb2_negotiate_req *req,
- int len_of_smb)
+ unsigned int len_of_smb)
{
/* +4 is to account for the RFC1001 len field */
struct smb2_neg_context *pctx = (struct smb2_neg_context *)req;
int i = 0, len_of_ctxts;
- int offset = le32_to_cpu(req->NegotiateContextOffset);
- int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
+ unsigned int offset = le32_to_cpu(req->NegotiateContextOffset);
+ unsigned int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
__le32 status = STATUS_INVALID_PARAMETER;
ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt);
@@ -983,7 +983,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
while (i++ < neg_ctxt_cnt) {
int clen, ctxt_len;
- if (len_of_ctxts < sizeof(struct smb2_neg_context))
+ if (len_of_ctxts < (int)sizeof(struct smb2_neg_context))
break;
pctx = (struct smb2_neg_context *)((char *)pctx + offset);
@@ -1038,9 +1038,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
}
/* offsets must be 8 byte aligned */
- clen = (clen + 7) & ~0x7;
- offset = clen + sizeof(struct smb2_neg_context);
- len_of_ctxts -= clen + sizeof(struct smb2_neg_context);
+ offset = (ctxt_len + 7) & ~0x7;
+ len_of_ctxts -= offset;
}
return status;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] ksmbd: fix out-of-bound read in parse_lease_state()
2023-05-30 12:57 [PATCH] ksmbd: fix out-of-bound read in deassemble_neg_contexts() Namjae Jeon
@ 2023-05-30 12:57 ` Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() Namjae Jeon
2 siblings, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2023-05-30 12:57 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, atteh.mailbox, Namjae Jeon, Chih-Yen Chang
This bug is in parse_lease_state, and it is caused by the missing check
of `struct create_context`. When the ksmbd traverses the create_contexts,
it doesn't check if the field of `NameOffset` and `Next` is valid,
The KASAN message is following:
[ 6.664323] BUG: KASAN: slab-out-of-bounds in parse_lease_state+0x7d/0x280
[ 6.664738] Read of size 2 at addr ffff888005c08988 by task kworker/0:3/103
...
[ 6.666644] Call Trace:
[ 6.666796] <TASK>
[ 6.666933] dump_stack_lvl+0x33/0x50
[ 6.667167] print_report+0xcc/0x620
[ 6.667903] kasan_report+0xae/0xe0
[ 6.668374] kasan_check_range+0x35/0x1b0
[ 6.668621] parse_lease_state+0x7d/0x280
[ 6.668868] smb2_open+0xbe8/0x4420
[ 6.675137] handle_ksmbd_work+0x282/0x820
Use smb2_find_context_vals() to find smb2 create request lease context.
smb2_find_context_vals validate create context fields.
Reported-by: Chih-Yen Chang <cc85nod@gmail.com>
Tested-by: Chih-Yen Chang <cc85nod@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/oplock.c | 66 +++++++++++++++---------------------------
1 file changed, 24 insertions(+), 42 deletions(-)
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index db181bdad73a..844b303baf29 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1415,56 +1415,38 @@ void create_lease_buf(u8 *rbuf, struct lease *lease)
*/
struct lease_ctx_info *parse_lease_state(void *open_req)
{
- char *data_offset;
struct create_context *cc;
- unsigned int next = 0;
- char *name;
- bool found = false;
struct smb2_create_req *req = (struct smb2_create_req *)open_req;
- struct lease_ctx_info *lreq = kzalloc(sizeof(struct lease_ctx_info),
- GFP_KERNEL);
+ struct lease_ctx_info *lreq;
+
+ cc = smb2_find_context_vals(req, SMB2_CREATE_REQUEST_LEASE, 4);
+ if (IS_ERR_OR_NULL(cc))
+ return NULL;
+
+ lreq = kzalloc(sizeof(struct lease_ctx_info), GFP_KERNEL);
if (!lreq)
return NULL;
- data_offset = (char *)req + le32_to_cpu(req->CreateContextsOffset);
- cc = (struct create_context *)data_offset;
- do {
- cc = (struct create_context *)((char *)cc + next);
- name = le16_to_cpu(cc->NameOffset) + (char *)cc;
- if (le16_to_cpu(cc->NameLength) != 4 ||
- strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
- next = le32_to_cpu(cc->Next);
- continue;
- }
- found = true;
- break;
- } while (next != 0);
+ if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
+ struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
- if (found) {
- if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
- struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
-
- memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
- lreq->req_state = lc->lcontext.LeaseState;
- lreq->flags = lc->lcontext.LeaseFlags;
- lreq->duration = lc->lcontext.LeaseDuration;
- memcpy(lreq->parent_lease_key, lc->lcontext.ParentLeaseKey,
- SMB2_LEASE_KEY_SIZE);
- lreq->version = 2;
- } else {
- struct create_lease *lc = (struct create_lease *)cc;
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->duration = lc->lcontext.LeaseDuration;
+ memcpy(lreq->parent_lease_key, lc->lcontext.ParentLeaseKey,
+ SMB2_LEASE_KEY_SIZE);
+ lreq->version = 2;
+ } else {
+ struct create_lease *lc = (struct create_lease *)cc;
- memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
- lreq->req_state = lc->lcontext.LeaseState;
- lreq->flags = lc->lcontext.LeaseFlags;
- lreq->duration = lc->lcontext.LeaseDuration;
- lreq->version = 1;
- }
- return lreq;
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->duration = lc->lcontext.LeaseDuration;
+ lreq->version = 1;
}
-
- kfree(lreq);
- return NULL;
+ return lreq;
}
/**
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR()
2023-05-30 12:57 [PATCH] ksmbd: fix out-of-bound read in deassemble_neg_contexts() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix out-of-bound read in parse_lease_state() Namjae Jeon
@ 2023-05-30 12:57 ` Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() Namjae Jeon
2 siblings, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2023-05-30 12:57 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, atteh.mailbox, Namjae Jeon, Dan Carpenter
Dan reported the following error message:
fs/smb/server/smbacl.c:1296 smb_check_perm_dacl()
error: 'posix_acls' dereferencing possible ERR_PTR()
fs/smb/server/vfs.c:1323 ksmbd_vfs_make_xattr_posix_acl()
error: 'posix_acls' dereferencing possible ERR_PTR()
fs/smb/server/vfs.c:1830 ksmbd_vfs_inherit_posix_acl()
error: 'acls' dereferencing possible ERR_PTR()
__get_acl() returns a mix of error pointers and NULL. This change it
with IS_ERR_OR_NULL().
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/smbacl.c | 4 ++--
fs/smb/server/vfs.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index 6d6cfb6957a9..0a5862a61c77 100644
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1290,7 +1290,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path,
if (IS_ENABLED(CONFIG_FS_POSIX_ACL)) {
posix_acls = get_inode_acl(d_inode(path->dentry), ACL_TYPE_ACCESS);
- if (posix_acls && !found) {
+ if (!IS_ERR_OR_NULL(posix_acls) && !found) {
unsigned int id = -1;
pa_entry = posix_acls->a_entries;
@@ -1314,7 +1314,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path,
}
}
}
- if (posix_acls)
+ if (!IS_ERR_OR_NULL(posix_acls))
posix_acl_release(posix_acls);
}
diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index 6f302919e9f7..f9fb778247e7 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1321,7 +1321,7 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct mnt_idmap *id
return NULL;
posix_acls = get_inode_acl(inode, acl_type);
- if (!posix_acls)
+ if (IS_ERR_OR_NULL(posix_acls))
return NULL;
smb_acl = kzalloc(sizeof(struct xattr_smb_acl) +
@@ -1830,7 +1830,7 @@ int ksmbd_vfs_inherit_posix_acl(struct mnt_idmap *idmap,
return -EOPNOTSUPP;
acls = get_inode_acl(parent_inode, ACL_TYPE_DEFAULT);
- if (!acls)
+ if (IS_ERR_OR_NULL(acls))
return -ENOENT;
pace = acls->a_entries;
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked()
2023-05-30 12:57 [PATCH] ksmbd: fix out-of-bound read in deassemble_neg_contexts() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix out-of-bound read in parse_lease_state() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() Namjae Jeon
@ 2023-05-30 12:57 ` Namjae Jeon
2023-05-30 14:01 ` Dan Carpenter
2 siblings, 1 reply; 6+ messages in thread
From: Namjae Jeon @ 2023-05-30 12:57 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, atteh.mailbox, Namjae Jeon, Dan Carpenter
Return a literal instead of 'err' in ksmbd_vfs_kern_path_locked().
Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index f9fb778247e7..4f14f111a367 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1161,7 +1161,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work *work, char *name,
err = ksmbd_vfs_path_lookup_locked(share_conf, name, flags, path);
if (!err)
- return err;
+ return 0;
if (caseless) {
char *filepath;
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked()
2023-05-30 12:57 ` [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() Namjae Jeon
@ 2023-05-30 14:01 ` Dan Carpenter
2023-05-30 14:12 ` Namjae Jeon
0 siblings, 1 reply; 6+ messages in thread
From: Dan Carpenter @ 2023-05-30 14:01 UTC (permalink / raw)
To: Namjae Jeon; +Cc: linux-cifs, smfrench, senozhatsky, tom, atteh.mailbox
On Tue, May 30, 2023 at 09:57:57PM +0900, Namjae Jeon wrote:
> Return a literal instead of 'err' in ksmbd_vfs_kern_path_locked().
>
> Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
No need for a Fixes tag.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked()
2023-05-30 14:01 ` Dan Carpenter
@ 2023-05-30 14:12 ` Namjae Jeon
0 siblings, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2023-05-30 14:12 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-cifs, smfrench, senozhatsky, tom, atteh.mailbox
2023-05-30 23:01 GMT+09:00, Dan Carpenter <dan.carpenter@linaro.org>:
> On Tue, May 30, 2023 at 09:57:57PM +0900, Namjae Jeon wrote:
>> Return a literal instead of 'err' in ksmbd_vfs_kern_path_locked().
>>
>> Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and
>> ->d_name")
>
> No need for a Fixes tag.
OK.
Thanks.
>
> regards,
> dan carpenter
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-05-30 14:12 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-30 12:57 [PATCH] ksmbd: fix out-of-bound read in deassemble_neg_contexts() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix out-of-bound read in parse_lease_state() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() Namjae Jeon
2023-05-30 12:57 ` [PATCH] ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() Namjae Jeon
2023-05-30 14:01 ` Dan Carpenter
2023-05-30 14:12 ` Namjae Jeon
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.