* [PATCH 1/3] ksmbd: fix wrong DataOffset validation of create context
@ 2023-08-25 14:48 Namjae Jeon
2023-08-25 14:48 ` [PATCH 2/3] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon
2023-08-25 14:48 ` [PATCH 3/3] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon
0 siblings, 2 replies; 3+ messages in thread
From: Namjae Jeon @ 2023-08-25 14:48 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, hyc.lee, atteh.mailbox, Namjae Jeon,
zdi-disclosures
If ->DataOffset of create context is 0, DataBuffer size is not correctly
validated. This patch change wrong validation code and consider tag
length in request.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/oplock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index 6bc8a1e48171..9bc0103720f5 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1481,7 +1481,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag, i
name_len < 4 ||
name_off + name_len > cc_len ||
(value_off & 0x7) != 0 ||
- (value_off && (value_off < name_off + name_len)) ||
+ (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) ||
((u64)value_off + value_len > cc_len))
return ERR_PTR(-EINVAL);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/3] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
2023-08-25 14:48 [PATCH 1/3] ksmbd: fix wrong DataOffset validation of create context Namjae Jeon
@ 2023-08-25 14:48 ` Namjae Jeon
2023-08-25 14:48 ` [PATCH 3/3] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon
1 sibling, 0 replies; 3+ messages in thread
From: Namjae Jeon @ 2023-08-25 14:48 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, hyc.lee, atteh.mailbox, Namjae Jeon,
zdi-disclosures
If authblob->SessionKey.Length is bigger than session key
size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.
cifs_arc4_crypt copy to session key array from SessionKey from client.
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21940
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/auth.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index af7b2cdba126..229a6527870d 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -355,6 +355,9 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
if (blob_len < (u64)sess_key_off + sess_key_len)
return -EINVAL;
+ if (sess_key_len > CIFS_KEY_SIZE)
+ return -EINVAL;
+
ctx_arc4 = kmalloc(sizeof(*ctx_arc4), GFP_KERNEL);
if (!ctx_arc4)
return -ENOMEM;
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 3/3] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info
2023-08-25 14:48 [PATCH 1/3] ksmbd: fix wrong DataOffset validation of create context Namjae Jeon
2023-08-25 14:48 ` [PATCH 2/3] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon
@ 2023-08-25 14:48 ` Namjae Jeon
1 sibling, 0 replies; 3+ messages in thread
From: Namjae Jeon @ 2023-08-25 14:48 UTC (permalink / raw)
To: linux-cifs
Cc: smfrench, senozhatsky, tom, hyc.lee, atteh.mailbox, Namjae Jeon
UBSAN complains about out-of-bounds array indexes on 1-element arrays in
struct smb2_ea_info.
UBSAN: array-index-out-of-bounds in fs/smb/server/smb2pdu.c:4335:15
index 1 is out of range for type 'char [1]'
CPU: 1 PID: 354 Comm: kworker/1:4 Not tainted 6.5.0-rc4 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 07/22/2020
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
Call Trace:
<TASK>
__dump_stack linux/lib/dump_stack.c:88
dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
dump_stack+0x10/0x20 linux/lib/dump_stack.c:113
ubsan_epilogue linux/lib/ubsan.c:217
__ubsan_handle_out_of_bounds+0xc6/0x110 linux/lib/ubsan.c:348
smb2_get_ea linux/fs/smb/server/smb2pdu.c:4335
smb2_get_info_file linux/fs/smb/server/smb2pdu.c:4900
smb2_query_info+0x63ae/0x6b20 linux/fs/smb/server/smb2pdu.c:5275
__process_request linux/fs/smb/server/server.c:145
__handle_ksmbd_work linux/fs/smb/server/server.c:213
handle_ksmbd_work+0x348/0x10b0 linux/fs/smb/server/server.c:266
process_one_work+0x85a/0x1500 linux/kernel/workqueue.c:2597
worker_thread+0xf3/0x13a0 linux/kernel/workqueue.c:2748
kthread+0x2b7/0x390 linux/kernel/kthread.c:389
ret_from_fork+0x44/0x90 linux/arch/x86/kernel/process.c:145
ret_from_fork_asm+0x1b/0x30 linux/arch/x86/entry/entry_64.S:304
</TASK>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/smb/server/smb2pdu.c | 2 +-
fs/smb/server/smb2pdu.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 2d4b8efaf19f..d12d995f52d7 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4335,7 +4335,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
name_len -= XATTR_USER_PREFIX_LEN;
- ptr = (char *)(&eainfo->name + name_len + 1);
+ ptr = eainfo->name + name_len + 1;
buf_free_len -= (offsetof(struct smb2_ea_info, name) +
name_len + 1);
/* bailout if xattr can't fit in buf_free_len */
diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h
index 2767c08a534a..d12cfd3b0927 100644
--- a/fs/smb/server/smb2pdu.h
+++ b/fs/smb/server/smb2pdu.h
@@ -361,7 +361,7 @@ struct smb2_ea_info {
__u8 Flags;
__u8 EaNameLength;
__le16 EaValueLength;
- char name[1];
+ char name[];
/* optionally followed by value */
} __packed; /* level 15 Query */
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-08-25 14:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-25 14:48 [PATCH 1/3] ksmbd: fix wrong DataOffset validation of create context Namjae Jeon
2023-08-25 14:48 ` [PATCH 2/3] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon
2023-08-25 14:48 ` [PATCH 3/3] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).