From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17919C433EF for ; Wed, 22 Sep 2021 04:35:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E2D3561166 for ; Wed, 22 Sep 2021 04:35:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230476AbhIVEge (ORCPT ); Wed, 22 Sep 2021 00:36:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:34838 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229495AbhIVEge (ORCPT ); Wed, 22 Sep 2021 00:36:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C439C61166 for ; Wed, 22 Sep 2021 04:35:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1632285304; bh=zM1jiBpkAlG+/gVeqlyV0Ht6Zb5BiAN0jCAGe+/YFrM=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=HXnV0190OrGU+arXWe9v6fhLm5wMBQKBGmlc9/B+/8P/rvvrub6B63C5TyzXDFKHb Hj31qR4WAvElaiub9E8QKlWv3woGyGYNWf+fjVUqbn6F/PEJyBFVi4Le5kJ/SUIwQ1 ttZgqAZGtzW32Uiwc28pdK4JDK0viGw/L2u3vY43AOM17VvubXpvgb0faR4gSu/KWW SrSwA2IZv29dMhUnkHaQEYHi5ThjXOIJIpE4jjgeXkwKZatpBzdkZYwlzmhAiEKHc4 ypxzRyeDiND6cp22U41JvLGlA3QiA4OIYgApzHKAy0YkBMkVJZD6VUuHv5V9cgQ4kZ MdRxkk7antl6Q== Received: by mail-oi1-f181.google.com with SMTP id u22so2604426oie.5 for ; Tue, 21 Sep 2021 21:35:04 -0700 (PDT) X-Gm-Message-State: AOAM531dPtm9kOS2KoyFaD2CFdemJp/Kf5Iwhg49DUhpab+CAcG9WUmm 8oT3n1R3qIRxPvZQlN+iRVhOcdkkfD2tnjoSiCg= X-Google-Smtp-Source: ABdhPJyReFhRb/UYoIubwiTEZnL+QF9zE191OEX+PctK+RZVyHjstl75qrct/bxZ2SI/9utrUJ8JJ/TupHVSECKeGrM= X-Received: by 2002:a05:6808:1a29:: with SMTP id bk41mr6447588oib.167.1632285304183; Tue, 21 Sep 2021 21:35:04 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a8a:1342:0:0:0:0:0 with HTTP; Tue, 21 Sep 2021 21:35:03 -0700 (PDT) In-Reply-To: References: <20210921225109.6388-1-linkinjeon@kernel.org> <20210921225109.6388-3-linkinjeon@kernel.org> From: Namjae Jeon Date: Wed, 22 Sep 2021 13:35:03 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 3/3] ksmbd: fix invalid request buffer access in compound request To: ronnie sahlberg Cc: linux-cifs , =?UTF-8?B?UmFscGggQsO2aG1l?= , Steve French , Ronnie Sahlberg Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org 2021-09-22 9:39 GMT+09:00, ronnie sahlberg : > On Wed, Sep 22, 2021 at 8:51 AM Namjae Jeon wrote= : >> >> Ronnie reported invalid request buffer access in chained command when >> inserting garbage value to NextCommand of compound request. >> This patch add validation check to avoid this issue. >> >> Cc: Ronnie Sahlberg >> Cc: Ralph B=C3=B6hme >> Cc: Steve French >> Reported-by: Ronnie Sahlberg >> Signed-off-by: Namjae Jeon >> --- >> v2: >> - fix integer overflow from work->next_smb2_rcv_hdr_off. >> >> fs/ksmbd/smb2pdu.c | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c >> index 1fe37ad4e5bc..cae796ea1148 100644 >> --- a/fs/ksmbd/smb2pdu.c >> +++ b/fs/ksmbd/smb2pdu.c >> @@ -466,6 +466,13 @@ bool is_chained_smb2_message(struct ksmbd_work >> *work) >> >> hdr =3D ksmbd_req_buf_next(work); >> if (le32_to_cpu(hdr->NextCommand) > 0) { >> + if ((u64)work->next_smb2_rcv_hdr_off + >> le32_to_cpu(hdr->NextCommand) > >> + get_rfc1002_len(work->request_buf)) { >> + pr_err("next command(%u) offset exceeds smb msg >> size\n", >> + hdr->NextCommand); >> + return false; >> + } >> + >> ksmbd_debug(SMB, "got SMB2 chained command\n"); >> init_chained_smb2_rsp(work); >> return true; > > Very good, reviewed by me. Sorry for late response, Thanks for your review! > The conditional though, since you know there will be at least a full > smb2 header there you could already check that change it to >> + if ((u64)work->next_smb2_rcv_hdr_off + >> le32_to_cpu(hdr->NextCommand) > >> + get_rfc1002_len(work->request_buf) + 64) { Ah, I didn't understand why we should add + 64(smb2 hdr size)... As I know, NextCommand offset included smb2 header size.. > > > Which leads to another question. Where do you check that the buffer > contains enough data to hold the smb2 header and the full fixed part > of the request? ksmbd_smb2_check_message() in smb2misc.c should check it. > There is a check that you have enough space for the smb2 header in > ksmbd_conn_handler_loop() > that there is enough space for the smb2 header > (ksmbd_pdu_size_has_room()) but that function assumes that the smb2 > header always start at the head of the buffer. > So if you have a compound chain, this functrion only checks the first pdu= . I think that is_chained_smb2_message() will check all pdu as well as first = pdu. there is loop do { } while (is_chained_smb2_message(work)); in server.c > > > I know that the buffer handling is copied from the cifs client. It > used to also do these "just pass a buffer around and the first 4 bytes > is the size" (and still does for smb1) and there was a lot of > terrible +4 or -4 to all sort of casts and conditionals. > I changed that in cifs.ko to remove the 4 byte length completely from > the buffer. > I also changed it as part of the compounding to pass an array of > requests (each containing an iovector) to the functions instead of > just one large byte array. > That made things a lot easier to manage since you could then assume > that the SMB2 header would always start at offset 0 in the > corresponding iovector, even for compounded commands since they all > had their own private vector. > And since an iovector contains both a pointer and a length there is no > need anymore to read the first 4 bytes/validate them/and covnert into > a length all the time. Right. fully agreed. > > I think that would help, but it would be a MAJOR amount of work, so > maybe that should wait until later. Agreed, I will do that after fixing current urgent issues first! > That approach is very nice since it completely avoids keeping track of > offset-to-where-this-pdu-starts which makes all checks and > conditionals so much more complex. Thanks! > > > regards > ronnie sahlberg > > >> -- >> 2.25.1 >> >