From: Namjae Jeon
Date: Sun, 19 Sep 2021 06:43:51 +0900
Subject: Re: [PATCH 2/4] ksmbd: add validation in smb2_ioctl
To: kernel test robot
Cc: linux-cifs@vger.kernel.org, llvm@lists.linux.dev, kbuild-all@lists.01.org, Ronnie Sahlberg, Ralph Böhme, Steve French
X-Mailing-List: llvm@lists.linux.dev
In-Reply-To: <202109190257.fZUGN7K6-lkp@intel.com>
References: <20210918094513.89480-2-linkinjeon@kernel.org> <202109190257.fZUGN7K6-lkp@intel.com>

2021-09-19 3:51 GMT+09:00, kernel test robot:
> Hi Namjae,
Hi,

I will fix it, Thanks for your report!
>
> I love your patch! Perhaps something to improve:
>
> [auto build test WARNING on linus/master]
> [also build test WARNING on v5.15-rc1 next-20210917]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch]
>
> url:    https://github.com/0day-ci/linux/commits/Namjae-Jeon/ksmbd-add-request-buffer-validation-in-smb2_set_info/20210918-174717
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4357f03d6611753936e4d52fc251b54a6afb1b54
> config: hexagon-randconfig-r022-20210918 (attached as .config)
> compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project c8b3d7d6d6de37af68b2f379d0e37304f78e115f)
> reproduce (this is a W=1 build):
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # https://github.com/0day-ci/linux/commit/57e7ede2bf2d38cb0f368f2fc54d646168b3d119
>         git remote add linux-review https://github.com/0day-ci/linux
>         git fetch --no-tags linux-review Namjae-Jeon/ksmbd-add-request-buffer-validation-in-smb2_set_info/20210918-174717
>         git checkout 57e7ede2bf2d38cb0f368f2fc54d646168b3d119
>         # save the attached .config to linux build tree
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=hexagon
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot
>
> All warnings (new ones prefixed by >>):
>
>>> fs/ksmbd/smb2pdu.c:7037:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
>         if (chunk_count == 0)
>             ^~~~~~~~~~~~~~~~
> fs/ksmbd/smb2pdu.c:7120:9: note: uninitialized use occurs here
>         return ret;
>                ^~~
> fs/ksmbd/smb2pdu.c:7037:2: note: remove the 'if' if its condition is always false
>         if (chunk_count == 0)
>         ^~~~~~~~~~~~~~~~~~~~~
> fs/ksmbd/smb2pdu.c:7020:9: note: initialize the variable 'ret' to silence this warning
>         int ret, cnt_code;
>                ^
>                 = 0
> 1 warning generated.
>
>
> vim +7037 fs/ksmbd/smb2pdu.c
>
> 7009
> 7010	static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
> 7011				   struct smb2_ioctl_rsp *rsp)
> 7012	{
> 7013		struct copychunk_ioctl_req *ci_req;
> 7014		struct copychunk_ioctl_rsp *ci_rsp;
> 7015		struct ksmbd_file *src_fp = NULL, *dst_fp = NULL;
> 7016		struct srv_copychunk *chunks;
> 7017		unsigned int i, chunk_count, chunk_count_written = 0;
> 7018		unsigned int chunk_size_written = 0;
> 7019		loff_t total_size_written = 0;
> 7020		int ret, cnt_code;
> 7021
> 7022		cnt_code = le32_to_cpu(req->CntCode);
> 7023		ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0];
> 7024		ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0];
> 7025
> 7026		rsp->VolatileFileId = req->VolatileFileId;
> 7027		rsp->PersistentFileId = req->PersistentFileId;
> 7028		ci_rsp->ChunksWritten =
> 7029			cpu_to_le32(ksmbd_server_side_copy_max_chunk_count());
> 7030		ci_rsp->ChunkBytesWritten =
> 7031			cpu_to_le32(ksmbd_server_side_copy_max_chunk_size());
> 7032		ci_rsp->TotalBytesWritten =
> 7033			cpu_to_le32(ksmbd_server_side_copy_max_total_size());
> 7034
> 7035		chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
> 7036		chunk_count = le32_to_cpu(ci_req->ChunkCount);
>> 7037		if (chunk_count == 0)
> 7038			goto out;
> 7039		total_size_written = 0;
> 7040
> 7041		/* verify the SRV_COPYCHUNK_COPY packet */
> 7042		if (chunk_count > ksmbd_server_side_copy_max_chunk_count() ||
> 7043		    le32_to_cpu(req->InputCount) <
> 7044		     offsetof(struct copychunk_ioctl_req, Chunks) +
> 7045		     chunk_count * sizeof(struct srv_copychunk)) {
> 7046			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
> 7047			return -EINVAL;
> 7048		}
> 7049
> 7050		for (i = 0; i < chunk_count; i++) {
> 7051			if (le32_to_cpu(chunks[i].Length) == 0 ||
> 7052			    le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
> 7053				break;
> 7054			total_size_written += le32_to_cpu(chunks[i].Length);
> 7055		}
> 7056
> 7057		if (i < chunk_count ||
> 7058		    total_size_written > ksmbd_server_side_copy_max_total_size()) {
> 7059			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
> 7060			return -EINVAL;
> 7061		}
> 7062
> 7063		src_fp = ksmbd_lookup_foreign_fd(work,
> 7064						 le64_to_cpu(ci_req->ResumeKey[0]));
> 7065		dst_fp = ksmbd_lookup_fd_slow(work,
> 7066					      le64_to_cpu(req->VolatileFileId),
> 7067					      le64_to_cpu(req->PersistentFileId));
> 7068		ret = -EINVAL;
> 7069		if (!src_fp ||
> 7070		    src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) {
> 7071			rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
> 7072			goto out;
> 7073		}
> 7074
> 7075		if (!dst_fp) {
> 7076			rsp->hdr.Status = STATUS_FILE_CLOSED;
> 7077			goto out;
> 7078		}
> 7079
> 7080		/*
> 7081		 * FILE_READ_DATA should only be included in
> 7082		 * the FSCTL_COPYCHUNK case
> 7083		 */
> 7084		if (cnt_code == FSCTL_COPYCHUNK &&
> 7085		    !(dst_fp->daccess & (FILE_READ_DATA_LE | FILE_GENERIC_READ_LE))) {
> 7086			rsp->hdr.Status = STATUS_ACCESS_DENIED;
> 7087			goto out;
> 7088		}
> 7089
> 7090		ret = ksmbd_vfs_copy_file_ranges(work, src_fp, dst_fp,
> 7091						 chunks, chunk_count,
> 7092						 &chunk_count_written,
> 7093						 &chunk_size_written,
> 7094						 &total_size_written);
> 7095		if (ret < 0) {
> 7096			if (ret == -EACCES)
> 7097				rsp->hdr.Status = STATUS_ACCESS_DENIED;
> 7098			if (ret == -EAGAIN)
> 7099				rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
> 7100			else if (ret == -EBADF)
> 7101				rsp->hdr.Status = STATUS_INVALID_HANDLE;
> 7102			else if (ret == -EFBIG || ret == -ENOSPC)
> 7103				rsp->hdr.Status = STATUS_DISK_FULL;
> 7104			else if (ret == -EINVAL)
> 7105				rsp->hdr.Status = STATUS_INVALID_PARAMETER;
> 7106			else if (ret == -EISDIR)
> 7107				rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
> 7108			else if (ret == -E2BIG)
> 7109				rsp->hdr.Status = STATUS_INVALID_VIEW_SIZE;
> 7110			else
> 7111				rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
> 7112		}
> 7113
> 7114		ci_rsp->ChunksWritten = cpu_to_le32(chunk_count_written);
> 7115		ci_rsp->ChunkBytesWritten = cpu_to_le32(chunk_size_written);
> 7116		ci_rsp->TotalBytesWritten = cpu_to_le32(total_size_written);
> 7117	out:
> 7118		ksmbd_fd_put(work, src_fp);
> 7119		ksmbd_fd_put(work, dst_fp);
> 7120		return ret;
> 7121	}
> 7122
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>