* [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero
@ 2023-08-13 15:48 Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 11/54] ksmbd: fix out of bounds in smb3_decrypt_req() Sasha Levin
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:48 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Wang Ming, Tom Talpey, Namjae Jeon, Steve French, Sasha Levin,
sfrench, linux-cifs
From: Wang Ming <machel@vivo.com>
[ Upstream commit 0266a2f791294e0b4ba36f4a1d89b8615ea3cac0 ]
The return value of the ksmbd_vfs_getcasexattr() is signed.
However, the return value is being assigned to an unsigned
variable and subsequently recasted, causing warnings. Use
a signed type.
Signed-off-by: Wang Ming <machel@vivo.com>
Acked-by: Tom Talpey <tom@talpey.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/vfs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index 81489fdedd8e0..525fda90ed686 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -416,7 +416,8 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
{
char *stream_buf = NULL, *wbuf;
struct mnt_idmap *idmap = file_mnt_idmap(fp->filp);
- size_t size, v_len;
+ size_t size;
+ ssize_t v_len;
int err = 0;
ksmbd_debug(VFS, "write stream data pos : %llu, count : %zd\n",
@@ -433,9 +434,9 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
fp->stream.name,
fp->stream.size,
&stream_buf);
- if ((int)v_len < 0) {
+ if (v_len < 0) {
pr_err("not found stream in xattr : %zd\n", v_len);
- err = (int)v_len;
+ err = v_len;
goto out;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 6.4 11/54] ksmbd: fix out of bounds in smb3_decrypt_req()
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
@ 2023-08-13 15:48 ` Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 12/54] ksmbd: validate session id and tree id in compound request Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:48 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Namjae Jeon, zdi-disclosures, Steve French, Sasha Levin, sfrench,
linux-cifs
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit dc318846f3dd54574a36ae97fc8d8b75dd7cdb1e ]
smb3_decrypt_req() validate if pdu_length is smaller than
smb2_transform_hdr size.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21589
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 1cc336f512851..bd3da6cc6a98e 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8611,7 +8611,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(buf);
int rc = 0;
- if (buf_data_size < sizeof(struct smb2_hdr)) {
+ if (pdu_length < sizeof(struct smb2_transform_hdr) ||
+ buf_data_size < sizeof(struct smb2_hdr)) {
pr_err("Transform message is too small (%u)\n",
pdu_length);
return -ECONNABORTED;
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 6.4 12/54] ksmbd: validate session id and tree id in compound request
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 11/54] ksmbd: fix out of bounds in smb3_decrypt_req() Sasha Levin
@ 2023-08-13 15:48 ` Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 13/54] ksmbd: no response from compound read Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:48 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Namjae Jeon, zdi-disclosures, Steve French, Sasha Levin, sfrench,
linux-cifs
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 3df0411e132ee74a87aa13142dfd2b190275332e ]
`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()
will always return the first request smb2 header in a compound request.
if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will
return 0, i.e. The tree id check is skipped.
This patch use ksmbd_req_buf_next() to get current command in compound.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21506
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index bd3da6cc6a98e..f4421d4bff0f8 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -87,9 +87,9 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn
*/
int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = smb2_get_msg(work->request_buf);
+ struct smb2_hdr *req_hdr = ksmbd_req_buf_next(work);
unsigned int cmd = le16_to_cpu(req_hdr->Command);
- int tree_id;
+ unsigned int tree_id;
if (cmd == SMB2_TREE_CONNECT_HE ||
cmd == SMB2_CANCEL_HE ||
@@ -114,7 +114,7 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
pr_err("The first operation in the compound does not have tcon\n");
return -EINVAL;
}
- if (work->tcon->id != tree_id) {
+ if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
pr_err("tree id(%u) is different with id(%u) in first operation\n",
tree_id, work->tcon->id);
return -EINVAL;
@@ -559,9 +559,9 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
*/
int smb2_check_user_session(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = smb2_get_msg(work->request_buf);
+ struct smb2_hdr *req_hdr = ksmbd_req_buf_next(work);
struct ksmbd_conn *conn = work->conn;
- unsigned int cmd = conn->ops->get_cmd_val(work);
+ unsigned int cmd = le16_to_cpu(req_hdr->Command);
unsigned long long sess_id;
/*
@@ -587,7 +587,7 @@ int smb2_check_user_session(struct ksmbd_work *work)
pr_err("The first operation in the compound does not have sess\n");
return -EINVAL;
}
- if (work->sess->id != sess_id) {
+ if (sess_id != ULLONG_MAX && work->sess->id != sess_id) {
pr_err("session id(%llu) is different with the first operation(%lld)\n",
sess_id, work->sess->id);
return -EINVAL;
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 6.4 13/54] ksmbd: no response from compound read
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 11/54] ksmbd: fix out of bounds in smb3_decrypt_req() Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 12/54] ksmbd: validate session id and tree id in compound request Sasha Levin
@ 2023-08-13 15:48 ` Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 14/54] ksmbd: fix out of bounds in init_smb2_rsp_hdr() Sasha Levin
2023-08-13 15:49 ` [PATCH AUTOSEL 6.4 27/54] cifs: fix charset issue in reconnection Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:48 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Namjae Jeon, zdi-disclosures, Steve French, Sasha Levin, sfrench,
linux-cifs
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit e202a1e8634b186da38cbbff85382ea2b9e297cf ]
ksmbd doesn't support compound read. If client send read-read in
compound to ksmbd, there can be memory leak from read buffer.
Windows and linux clients doesn't send it to server yet. For now,
No response from compound read. compound read will be supported soon.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21587, ZDI-CAN-21588
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index f4421d4bff0f8..a10478fb78c88 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6211,6 +6211,11 @@ int smb2_read(struct ksmbd_work *work)
unsigned int max_read_size = conn->vals->max_read_size;
WORK_BUFFERS(work, req, rsp);
+ if (work->next_smb2_rcv_hdr_off) {
+ work->send_no_response = 1;
+ err = -EOPNOTSUPP;
+ goto out;
+ }
if (test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_PIPE)) {
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 6.4 14/54] ksmbd: fix out of bounds in init_smb2_rsp_hdr()
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
` (2 preceding siblings ...)
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 13/54] ksmbd: no response from compound read Sasha Levin
@ 2023-08-13 15:48 ` Sasha Levin
2023-08-13 15:49 ` [PATCH AUTOSEL 6.4 27/54] cifs: fix charset issue in reconnection Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:48 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Namjae Jeon, zdi-disclosures, Steve French, Sasha Levin, sfrench,
linux-cifs
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 536bb492d39bb6c080c92f31e8a55fe9934f452b ]
If client send smb2 negotiate request and then send smb1 negotiate
request, init_smb2_rsp_hdr is called for smb1 negotiate request since
need_neg is set to false. This patch ignore smb1 packets after ->need_neg
is set to false.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21541
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/server.c | 7 ++++++-
fs/smb/server/smb_common.c | 19 +++++++++++--------
fs/smb/server/smb_common.h | 2 +-
3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
index ced7a9e916f01..9df121bdf3492 100644
--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -286,6 +286,7 @@ static void handle_ksmbd_work(struct work_struct *wk)
static int queue_ksmbd_work(struct ksmbd_conn *conn)
{
struct ksmbd_work *work;
+ int err;
work = ksmbd_alloc_work_struct();
if (!work) {
@@ -297,7 +298,11 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn)
work->request_buf = conn->request_buf;
conn->request_buf = NULL;
- ksmbd_init_smb_server(work);
+ err = ksmbd_init_smb_server(work);
+ if (err) {
+ ksmbd_free_work_struct(work);
+ return 0;
+ }
ksmbd_conn_enqueue_request(work);
atomic_inc(&conn->r_count);
diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c
index 3e391a7d5a3ab..27b8bd039791e 100644
--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@@ -388,26 +388,29 @@ static struct smb_version_cmds smb1_server_cmds[1] = {
[SMB_COM_NEGOTIATE_EX] = { .proc = smb1_negotiate, },
};
-static void init_smb1_server(struct ksmbd_conn *conn)
+static int init_smb1_server(struct ksmbd_conn *conn)
{
conn->ops = &smb1_server_ops;
conn->cmds = smb1_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb1_server_cmds);
+ return 0;
}
-void ksmbd_init_smb_server(struct ksmbd_work *work)
+int ksmbd_init_smb_server(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
__le32 proto;
- if (conn->need_neg == false)
- return;
-
proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol;
+ if (conn->need_neg == false) {
+ if (proto == SMB1_PROTO_NUMBER)
+ return -EINVAL;
+ return 0;
+ }
+
if (proto == SMB1_PROTO_NUMBER)
- init_smb1_server(conn);
- else
- init_smb3_11_server(conn);
+ return init_smb1_server(conn);
+ return init_smb3_11_server(conn);
}
int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h
index 6b0d5f1fe85ca..f0134d16067fb 100644
--- a/fs/smb/server/smb_common.h
+++ b/fs/smb/server/smb_common.h
@@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn *conn);
int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
-void ksmbd_init_smb_server(struct ksmbd_work *work);
+int ksmbd_init_smb_server(struct ksmbd_work *work);
struct ksmbd_kstat;
int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 6.4 27/54] cifs: fix charset issue in reconnection
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
` (3 preceding siblings ...)
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 14/54] ksmbd: fix out of bounds in init_smb2_rsp_hdr() Sasha Levin
@ 2023-08-13 15:49 ` Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-08-13 15:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Winston Wen, Paulo Alcantara, Steve French, Sasha Levin, sfrench,
linux-cifs, samba-technical
From: Winston Wen <wentao@uniontech.com>
[ Upstream commit a43f95fdd39490f7b156fd126f1e90ec2d5553f1 ]
We need to specify charset, like "iocharset=utf-8", in mount options for
Chinese path if the nls_default don't support it, such as iso8859-1, the
default value for CONFIG_NLS_DEFAULT.
But now in reconnection the nls_default is used, instead of the one we
specified and used in mount, and this can lead to mount failure.
Signed-off-by: Winston Wen <wentao@uniontech.com>
Reviewed-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifsglob.h | 1 +
fs/smb/client/cifssmb.c | 3 +--
fs/smb/client/connect.c | 5 +++++
fs/smb/client/misc.c | 1 +
fs/smb/client/smb2pdu.c | 3 +--
5 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
index ca2da713c5fe9..87c6ce54c72d0 100644
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -1062,6 +1062,7 @@ struct cifs_ses {
unsigned long chans_need_reconnect;
/* ========= end: protected by chan_lock ======== */
struct cifs_ses *dfs_root_ses;
+ struct nls_table *local_nls;
};
static inline bool
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index a0c4e9874b010..a49f95ea7cf6f 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -129,7 +129,7 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
}
spin_unlock(&server->srv_lock);
- nls_codepage = load_nls_default();
+ nls_codepage = ses->local_nls;
/*
* need to prevent multiple threads trying to simultaneously
@@ -200,7 +200,6 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
rc = -EAGAIN;
}
- unload_nls(nls_codepage);
return rc;
}
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 853209268f507..e965196e4f746 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1837,6 +1837,10 @@ static int match_session(struct cifs_ses *ses, struct smb3_fs_context *ctx)
CIFS_MAX_PASSWORD_LEN))
return 0;
}
+
+ if (strcmp(ctx->local_nls->charset, ses->local_nls->charset))
+ return 0;
+
return 1;
}
@@ -2280,6 +2284,7 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx)
ses->sectype = ctx->sectype;
ses->sign = ctx->sign;
+ ses->local_nls = load_nls(ctx->local_nls->charset);
/* add server as first channel */
spin_lock(&ses->chan_lock);
diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c
index 70dbfe6584f9e..d7e85d9a26553 100644
--- a/fs/smb/client/misc.c
+++ b/fs/smb/client/misc.c
@@ -95,6 +95,7 @@ sesInfoFree(struct cifs_ses *buf_to_free)
return;
}
+ unload_nls(buf_to_free->local_nls);
atomic_dec(&sesInfoAllocCount);
kfree(buf_to_free->serverOS);
kfree(buf_to_free->serverDomain);
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 17fe212ab895d..5f20a754fb13b 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -242,7 +242,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
}
spin_unlock(&server->srv_lock);
- nls_codepage = load_nls_default();
+ nls_codepage = ses->local_nls;
/*
* need to prevent multiple threads trying to simultaneously
@@ -324,7 +324,6 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
rc = -EAGAIN;
}
failed:
- unload_nls(nls_codepage);
return rc;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-08-13 15:53 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-13 15:48 [PATCH AUTOSEL 6.4 01/54] ksmbd: Fix unsigned expression compared with zero Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 11/54] ksmbd: fix out of bounds in smb3_decrypt_req() Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 12/54] ksmbd: validate session id and tree id in compound request Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 13/54] ksmbd: no response from compound read Sasha Levin
2023-08-13 15:48 ` [PATCH AUTOSEL 6.4 14/54] ksmbd: fix out of bounds in init_smb2_rsp_hdr() Sasha Levin
2023-08-13 15:49 ` [PATCH AUTOSEL 6.4 27/54] cifs: fix charset issue in reconnection Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).