* [PATCH] cifs: fix crash for querying symlinks stored as reparse-points
@ 2019-06-27 4:57 Ronnie Sahlberg
2019-06-27 5:30 ` Steve French
0 siblings, 1 reply; 5+ messages in thread
From: Ronnie Sahlberg @ 2019-06-27 4:57 UTC (permalink / raw)
To: linux-cifs; +Cc: Steve French, Stable, Ronnie Sahlberg
We never parsed/returned any data from .get_link() when the object is a windows reparse-point
containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
...
[ 171.407172] Call Trace:
[ 171.408039] readlink_copy+0x29/0x70
[ 171.408872] vfs_readlink+0xc1/0x1f0
[ 171.409709] ? readlink_copy+0x70/0x70
[ 171.410565] ? simple_attr_release+0x30/0x30
[ 171.411446] ? getname_flags+0x105/0x2a0
[ 171.412231] do_readlinkat+0x1b7/0x1e0
[ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
...
Fix this by adding code to handle these buffers and make sure we do return a valid buffer
to .get_link()
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
fs/cifs/smb2ops.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++----
fs/cifs/smb2pdu.h | 16 +++++++++++++-
2 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index e921e6511728..74c826007069 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2385,6 +2385,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
kfree(dfs_rsp);
return rc;
}
+
+static int
+parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
+ u32 plen, char **target_path,
+ struct cifs_sb_info *cifs_sb)
+{
+ unsigned int sub_len;
+ unsigned int sub_offset;
+
+ /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
+ if (le32_to_cpu(symlink_buf->ReparseTag) != REPARSE_TAG_SYMLINK) {
+ cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
+ return -EIO;
+ }
+
+ sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
+ sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
+ if (sub_offset + 20 > plen ||
+ sub_offset + sub_len + 20 > plen) {
+ cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+ return -EIO;
+ }
+
+ *target_path = cifs_strndup_from_utf16(
+ symlink_buf->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+ if (!(*target_path))
+ return -ENOMEM;
+
+ convert_delimiter(*target_path, '/');
+ cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
+
+ return 0;
+}
+
#define SMB2_SYMLINK_STRUCT_SIZE \
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
@@ -2414,11 +2449,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_create_rsp *create_rsp;
struct smb2_ioctl_rsp *ioctl_rsp;
- char *ioctl_buf;
+ struct reparse_data_buffer *reparse_buf;
u32 plen;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ *target_path = NULL;
+
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
@@ -2496,17 +2533,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
if ((rc == 0) && (is_reparse_point)) {
/* See MS-FSCC 2.3.23 */
- ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
+ reparse_buf = (struct reparse_data_buffer *)
+ ((char *)ioctl_rsp +
+ le32_to_cpu(ioctl_rsp->OutputOffset));
plen = le32_to_cpu(ioctl_rsp->OutputCount);
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
rsp_iov[1].iov_len) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen);
+ cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n",
+ plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < 8) {
+ cifs_dbg(VFS, "reparse buffer is too small. Must be "
+ "at least 8 bytes but was %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
+ cifs_dbg(VFS, "srv returned invalid reparse buf "
+ "length: %d\n", plen);
rc = -EIO;
goto querty_exit;
}
- /* Do stuff with ioctl_buf/plen */
+ rc = parse_reparse_symlink(
+ (struct reparse_symlink_data_buffer *)reparse_buf,
+ plen, target_path, cifs_sb);
goto querty_exit;
}
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c7d5813bebd8..31f7c56e0ed8 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -888,6 +888,8 @@ struct file_allocated_range_buffer {
/* struct fsctl_reparse_info_req is empty, only response structs (see below) */
+#define REPARSE_TAG_SYMLINK 0xa000000c
+
struct reparse_data_buffer {
__le32 ReparseTag;
__le16 ReparseDataLength;
@@ -914,7 +916,19 @@ struct reparse_mount_point_data_buffer {
__u8 PathBuffer[0]; /* Variable Length */
} __packed;
-/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[0]; /* Variable Length */
+} __packed;
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
--
2.13.6
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] cifs: fix crash for querying symlinks stored as reparse-points
2019-06-27 4:57 [PATCH] cifs: fix crash for querying symlinks stored as reparse-points Ronnie Sahlberg
@ 2019-06-27 5:30 ` Steve French
0 siblings, 0 replies; 5+ messages in thread
From: Steve French @ 2019-06-27 5:30 UTC (permalink / raw)
To: Ronnie Sahlberg; +Cc: linux-cifs, Stable
[-- Attachment #1: Type: text/plain, Size: 6432 bytes --]
removed the duplicate definition of IO_REPARSE_TAG_SYMLINK and
tentatively merged to cifs-2.6.git for-next but looks good so far in
testing.
On Wed, Jun 26, 2019 at 11:57 PM Ronnie Sahlberg <lsahlber@redhat.com> wrote:
>
> We never parsed/returned any data from .get_link() when the object is a windows reparse-point
> containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
>
> ...
> [ 171.407172] Call Trace:
> [ 171.408039] readlink_copy+0x29/0x70
> [ 171.408872] vfs_readlink+0xc1/0x1f0
> [ 171.409709] ? readlink_copy+0x70/0x70
> [ 171.410565] ? simple_attr_release+0x30/0x30
> [ 171.411446] ? getname_flags+0x105/0x2a0
> [ 171.412231] do_readlinkat+0x1b7/0x1e0
> [ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
> ...
>
> Fix this by adding code to handle these buffers and make sure we do return a valid buffer
> to .get_link()
>
> CC: Stable <stable@vger.kernel.org>
> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
> ---
> fs/cifs/smb2ops.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++----
> fs/cifs/smb2pdu.h | 16 +++++++++++++-
> 2 files changed, 75 insertions(+), 5 deletions(-)
>
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index e921e6511728..74c826007069 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -2385,6 +2385,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
> kfree(dfs_rsp);
> return rc;
> }
> +
> +static int
> +parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
> + u32 plen, char **target_path,
> + struct cifs_sb_info *cifs_sb)
> +{
> + unsigned int sub_len;
> + unsigned int sub_offset;
> +
> + /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
> + if (le32_to_cpu(symlink_buf->ReparseTag) != REPARSE_TAG_SYMLINK) {
> + cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
> + return -EIO;
> + }
> +
> + sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
> + sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
> + if (sub_offset + 20 > plen ||
> + sub_offset + sub_len + 20 > plen) {
> + cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
> + return -EIO;
> + }
> +
> + *target_path = cifs_strndup_from_utf16(
> + symlink_buf->PathBuffer + sub_offset,
> + sub_len, true, cifs_sb->local_nls);
> + if (!(*target_path))
> + return -ENOMEM;
> +
> + convert_delimiter(*target_path, '/');
> + cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
> +
> + return 0;
> +}
> +
> #define SMB2_SYMLINK_STRUCT_SIZE \
> (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
>
> @@ -2414,11 +2449,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
> struct kvec close_iov[1];
> struct smb2_create_rsp *create_rsp;
> struct smb2_ioctl_rsp *ioctl_rsp;
> - char *ioctl_buf;
> + struct reparse_data_buffer *reparse_buf;
> u32 plen;
>
> cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
>
> + *target_path = NULL;
> +
> if (smb3_encryption_required(tcon))
> flags |= CIFS_TRANSFORM_REQ;
>
> @@ -2496,17 +2533,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
> if ((rc == 0) && (is_reparse_point)) {
> /* See MS-FSCC 2.3.23 */
>
> - ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
> + reparse_buf = (struct reparse_data_buffer *)
> + ((char *)ioctl_rsp +
> + le32_to_cpu(ioctl_rsp->OutputOffset));
> plen = le32_to_cpu(ioctl_rsp->OutputCount);
>
> if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
> rsp_iov[1].iov_len) {
> - cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen);
> + cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n",
> + plen);
> + rc = -EIO;
> + goto querty_exit;
> + }
> +
> + if (plen < 8) {
> + cifs_dbg(VFS, "reparse buffer is too small. Must be "
> + "at least 8 bytes but was %d\n", plen);
> + rc = -EIO;
> + goto querty_exit;
> + }
> +
> + if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
> + cifs_dbg(VFS, "srv returned invalid reparse buf "
> + "length: %d\n", plen);
> rc = -EIO;
> goto querty_exit;
> }
>
> - /* Do stuff with ioctl_buf/plen */
> + rc = parse_reparse_symlink(
> + (struct reparse_symlink_data_buffer *)reparse_buf,
> + plen, target_path, cifs_sb);
> goto querty_exit;
> }
>
> diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
> index c7d5813bebd8..31f7c56e0ed8 100644
> --- a/fs/cifs/smb2pdu.h
> +++ b/fs/cifs/smb2pdu.h
> @@ -888,6 +888,8 @@ struct file_allocated_range_buffer {
>
> /* struct fsctl_reparse_info_req is empty, only response structs (see below) */
>
> +#define REPARSE_TAG_SYMLINK 0xa000000c
> +
> struct reparse_data_buffer {
> __le32 ReparseTag;
> __le16 ReparseDataLength;
> @@ -914,7 +916,19 @@ struct reparse_mount_point_data_buffer {
> __u8 PathBuffer[0]; /* Variable Length */
> } __packed;
>
> -/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
> +#define SYMLINK_FLAG_RELATIVE 0x00000001
> +
> +struct reparse_symlink_data_buffer {
> + __le32 ReparseTag;
> + __le16 ReparseDataLength;
> + __u16 Reserved;
> + __le16 SubstituteNameOffset;
> + __le16 SubstituteNameLength;
> + __le16 PrintNameOffset;
> + __le16 PrintNameLength;
> + __le32 Flags;
> + __u8 PathBuffer[0]; /* Variable Length */
> +} __packed;
>
> /* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
>
> --
> 2.13.6
>
--
Thanks,
Steve
[-- Attachment #2: 0001-cifs-fix-crash-for-querying-symlinks-stored-as-repar.patch --]
[-- Type: text/x-patch, Size: 4945 bytes --]
From 2ccab39b92590e62a3a88c8f94e6a4fb7b3d9895 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg <lsahlber@redhat.com>
Date: Thu, 27 Jun 2019 14:57:02 +1000
Subject: [PATCH] cifs: fix crash querying symlinks stored as
reparse-points
We never parsed/returned any data from .get_link() when the object is a windows reparse-point
containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
...
[ 171.407172] Call Trace:
[ 171.408039] readlink_copy+0x29/0x70
[ 171.408872] vfs_readlink+0xc1/0x1f0
[ 171.409709] ? readlink_copy+0x70/0x70
[ 171.410565] ? simple_attr_release+0x30/0x30
[ 171.411446] ? getname_flags+0x105/0x2a0
[ 171.412231] do_readlinkat+0x1b7/0x1e0
[ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
...
Fix this by adding code to handle these buffers and make sure we do return a valid buffer
to .get_link()
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/cifs/smb2ops.c | 64 ++++++++++++++++++++++++++++++++++++++++++++---
fs/cifs/smb2pdu.h | 16 +++++++++++-
2 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 3fdc6a41b304..f9bd1e6e15c6 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2372,6 +2372,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
kfree(dfs_rsp);
return rc;
}
+
+static int
+parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
+ u32 plen, char **target_path,
+ struct cifs_sb_info *cifs_sb)
+{
+ unsigned int sub_len;
+ unsigned int sub_offset;
+
+ /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
+ if (le32_to_cpu(symlink_buf->ReparseTag) != IO_REPARSE_TAG_SYMLINK) {
+ cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
+ return -EIO;
+ }
+
+ sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
+ sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
+ if (sub_offset + 20 > plen ||
+ sub_offset + sub_len + 20 > plen) {
+ cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+ return -EIO;
+ }
+
+ *target_path = cifs_strndup_from_utf16(
+ symlink_buf->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+ if (!(*target_path))
+ return -ENOMEM;
+
+ convert_delimiter(*target_path, '/');
+ cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
+
+ return 0;
+}
+
#define SMB2_SYMLINK_STRUCT_SIZE \
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
@@ -2401,11 +2436,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_create_rsp *create_rsp;
struct smb2_ioctl_rsp *ioctl_rsp;
- char *ioctl_buf;
+ struct reparse_data_buffer *reparse_buf;
u32 plen;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ *target_path = NULL;
+
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
@@ -2483,17 +2520,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
if ((rc == 0) && (is_reparse_point)) {
/* See MS-FSCC 2.3.23 */
- ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
+ reparse_buf = (struct reparse_data_buffer *)
+ ((char *)ioctl_rsp +
+ le32_to_cpu(ioctl_rsp->OutputOffset));
plen = le32_to_cpu(ioctl_rsp->OutputCount);
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
rsp_iov[1].iov_len) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen);
+ cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n",
+ plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < 8) {
+ cifs_dbg(VFS, "reparse buffer is too small. Must be "
+ "at least 8 bytes but was %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
+ cifs_dbg(VFS, "srv returned invalid reparse buf "
+ "length: %d\n", plen);
rc = -EIO;
goto querty_exit;
}
- /* Do stuff with ioctl_buf/plen */
+ rc = parse_reparse_symlink(
+ (struct reparse_symlink_data_buffer *)reparse_buf,
+ plen, target_path, cifs_sb);
goto querty_exit;
}
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c7d5813bebd8..31f7c56e0ed8 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -914,7 +916,19 @@ struct reparse_mount_point_data_buffer {
__u8 PathBuffer[0]; /* Variable Length */
} __packed;
-/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[0]; /* Variable Length */
+} __packed;
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH] cifs: fix crash for querying symlinks stored as reparse-points
@ 2019-06-27 2:21 Ronnie Sahlberg
0 siblings, 0 replies; 5+ messages in thread
From: Ronnie Sahlberg @ 2019-06-27 2:21 UTC (permalink / raw)
To: linux-cifs; +Cc: Steve French, Stable, Ronnie Sahlberg
We never parsed/returned any data from .get_link() when the object is a windows reparse-point
containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
...
[ 171.407172] Call Trace:
[ 171.408039] readlink_copy+0x29/0x70
[ 171.408872] vfs_readlink+0xc1/0x1f0
[ 171.409709] ? readlink_copy+0x70/0x70
[ 171.410565] ? simple_attr_release+0x30/0x30
[ 171.411446] ? getname_flags+0x105/0x2a0
[ 171.412231] do_readlinkat+0x1b7/0x1e0
[ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
...
Fix this by adding code to handle these buffers and make sure we do return a valid buffer
to .get_link()
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
fs/cifs/smb2ops.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++----
fs/cifs/smb2pdu.h | 14 +++++++++++-
2 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index e921e6511728..f59758edd0f7 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2385,6 +2385,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
kfree(dfs_rsp);
return rc;
}
+
+static int
+parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
+ u32 plen, char **target_path,
+ struct cifs_sb_info *cifs_sb)
+{
+ unsigned int sub_len;
+ unsigned int sub_offset;
+
+ /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
+ if (!(le32_to_cpu(symlink_buf->ReparseTag) & 0x80000000)) {
+ cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
+ return -EIO;
+ }
+
+ sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
+ sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
+ if (sub_offset + 20 > plen ||
+ sub_offset + sub_len + 20 > plen) {
+ cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+ return -EIO;
+ }
+
+ *target_path = cifs_strndup_from_utf16(
+ symlink_buf->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+ if (!(*target_path))
+ return -ENOMEM;
+
+ convert_delimiter(*target_path, '/');
+ cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
+
+ return 0;
+}
+
#define SMB2_SYMLINK_STRUCT_SIZE \
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
@@ -2414,11 +2449,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_create_rsp *create_rsp;
struct smb2_ioctl_rsp *ioctl_rsp;
- char *ioctl_buf;
+ struct reparse_data_buffer *reparse_buf;
u32 plen;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ *target_path = NULL;
+
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
@@ -2496,17 +2533,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
if ((rc == 0) && (is_reparse_point)) {
/* See MS-FSCC 2.3.23 */
- ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
+ reparse_buf = (struct reparse_data_buffer *)
+ ((char *)ioctl_rsp +
+ le32_to_cpu(ioctl_rsp->OutputOffset));
plen = le32_to_cpu(ioctl_rsp->OutputCount);
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
rsp_iov[1].iov_len) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen);
+ cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n",
+ plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < 8) {
+ cifs_dbg(VFS, "reparse buffer is too small. Must be "
+ "at least 8 bytes but was %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
+ cifs_dbg(VFS, "srv returned invalid reparse buf "
+ "length: %d\n", plen);
rc = -EIO;
goto querty_exit;
}
- /* Do stuff with ioctl_buf/plen */
+ rc = parse_reparse_symlink(
+ (struct reparse_symlink_data_buffer *)reparse_buf,
+ plen, target_path, cifs_sb);
goto querty_exit;
}
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c7d5813bebd8..858353d20c39 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -914,7 +914,19 @@ struct reparse_mount_point_data_buffer {
__u8 PathBuffer[0]; /* Variable Length */
} __packed;
-/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[0]; /* Variable Length */
+} __packed;
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
--
2.13.6
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH] cifs: fix crash for querying symlinks stored as reparse-points
@ 2019-06-27 1:54 Ronnie Sahlberg
0 siblings, 0 replies; 5+ messages in thread
From: Ronnie Sahlberg @ 2019-06-27 1:54 UTC (permalink / raw)
To: linux-cifs; +Cc: Steve French, Stable, Ronnie Sahlberg
We never parsed/returned any data from .get_link() when the object is a windows reparse-point
containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
...
[ 171.407172] Call Trace:
[ 171.408039] readlink_copy+0x29/0x70
[ 171.408872] vfs_readlink+0xc1/0x1f0
[ 171.409709] ? readlink_copy+0x70/0x70
[ 171.410565] ? simple_attr_release+0x30/0x30
[ 171.411446] ? getname_flags+0x105/0x2a0
[ 171.412231] do_readlinkat+0x1b7/0x1e0
[ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
...
Fix this by adding code to handle these buffers and make sure we do return a valid buffer
to .get_link()
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
fs/cifs/smb2ops.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
fs/cifs/smb2pdu.h | 14 +++++++++++++-
2 files changed, 65 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index e921e6511728..50a8dc8fb00c 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2385,6 +2385,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
kfree(dfs_rsp);
return rc;
}
+
+static int
+parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
+ u32 plen, char **target_path,
+ struct cifs_sb_info *cifs_sb)
+{
+ unsigned int sub_len;
+ unsigned int sub_offset;
+
+ /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
+ if (!(le32_to_cpu(symlink_buf->ReparseTag) & 0x80000000)) {
+ cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
+ return -EIO;
+ }
+
+ sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
+ sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
+ if (sub_offset + 20 > plen ||
+ sub_offset + sub_len + 20 > plen) {
+ cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+ return -EIO;
+ }
+
+ *target_path = cifs_strndup_from_utf16(
+ symlink_buf->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+ if (!(*target_path))
+ return -ENOMEM;
+
+ convert_delimiter(*target_path, '/');
+ cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
+
+ return 0;
+}
+
#define SMB2_SYMLINK_STRUCT_SIZE \
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
@@ -2414,11 +2449,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_create_rsp *create_rsp;
struct smb2_ioctl_rsp *ioctl_rsp;
- char *ioctl_buf;
+ struct reparse_data_buffer *reparse_buf;
u32 plen;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ *target_path = NULL;
+
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
@@ -2496,7 +2533,7 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
if ((rc == 0) && (is_reparse_point)) {
/* See MS-FSCC 2.3.23 */
- ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
+ reparse_buf = (struct reparse_data_buffer *)((char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset));
plen = le32_to_cpu(ioctl_rsp->OutputCount);
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
@@ -2506,7 +2543,19 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
goto querty_exit;
}
- /* Do stuff with ioctl_buf/plen */
+ if (plen < 8) {
+ cifs_dbg(VFS, "reparse buffer is too small. Must be at least 8 bytes but was %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
+ cifs_dbg(VFS, "srv returned invalid reparse buf length: %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ rc = parse_reparse_symlink((struct reparse_symlink_data_buffer *)reparse_buf, plen, target_path, cifs_sb);
goto querty_exit;
}
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c7d5813bebd8..858353d20c39 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -914,7 +914,19 @@ struct reparse_mount_point_data_buffer {
__u8 PathBuffer[0]; /* Variable Length */
} __packed;
-/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[0]; /* Variable Length */
+} __packed;
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
--
2.13.6
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH] cifs: fix crash for querying symlinks stored as reparse-points
@ 2019-06-27 1:44 Ronnie Sahlberg
0 siblings, 0 replies; 5+ messages in thread
From: Ronnie Sahlberg @ 2019-06-27 1:44 UTC (permalink / raw)
To: linux-cifs; +Cc: Steve French, Stable, Ronnie Sahlberg
We never parsed/returned any data from .get_link() when the object is a windows reparse-point
containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer:
...
[ 171.407172] Call Trace:
[ 171.408039] readlink_copy+0x29/0x70
[ 171.408872] vfs_readlink+0xc1/0x1f0
[ 171.409709] ? readlink_copy+0x70/0x70
[ 171.410565] ? simple_attr_release+0x30/0x30
[ 171.411446] ? getname_flags+0x105/0x2a0
[ 171.412231] do_readlinkat+0x1b7/0x1e0
[ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30
...
Fix this by adding code to handle these buffers and make sure we do return a valid buffer
to .get_link()
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
fs/cifs/smb2ops.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
fs/cifs/smb2pdu.h | 14 ++++++++++++-
2 files changed, 70 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index e921e6511728..69feb8c27dea 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2385,6 +2385,46 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
kfree(dfs_rsp);
return rc;
}
+
+static int
+parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
+ u32 plen, char **target_path,
+ struct cifs_sb_info *cifs_sb)
+{
+ unsigned int sub_len;
+ unsigned int sub_offset;
+
+ /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
+ if (!(le32_to_cpu(symlink_buf->ReparseTag) & 0x80000000)) {
+ cifs_dbg(VFS, "srv returned invalid sublink buffer\n");
+ return -EIO;
+ }
+
+ if (!(le32_to_cpu(symlink_buf->Flags) & SYMLINK_FLAG_RELATIVE)) {
+ cifs_dbg(VFS, "srv returned absolute symlink\n");
+ return -EIO;
+ }
+
+ sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
+ sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
+ if (sub_offset + 20 > plen ||
+ sub_offset + sub_len + 20 > plen) {
+ cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+ return -EIO;
+ }
+
+ *target_path = cifs_strndup_from_utf16(
+ symlink_buf->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+ if (!(*target_path))
+ return -ENOMEM;
+
+ convert_delimiter(*target_path, '/');
+ cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
+
+ return 0;
+}
+
#define SMB2_SYMLINK_STRUCT_SIZE \
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
@@ -2414,11 +2454,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_create_rsp *create_rsp;
struct smb2_ioctl_rsp *ioctl_rsp;
- char *ioctl_buf;
+ struct reparse_data_buffer *reparse_buf;
u32 plen;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ *target_path = NULL;
+
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
@@ -2496,7 +2538,7 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
if ((rc == 0) && (is_reparse_point)) {
/* See MS-FSCC 2.3.23 */
- ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
+ reparse_buf = (struct reparse_data_buffer *)((char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset));
plen = le32_to_cpu(ioctl_rsp->OutputCount);
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
@@ -2506,7 +2548,19 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
goto querty_exit;
}
- /* Do stuff with ioctl_buf/plen */
+ if (plen < 8) {
+ cifs_dbg(VFS, "reparse buffer is too small. Must be at least 8 bytes but was %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
+ cifs_dbg(VFS, "srv returned invalid reparse buf length: %d\n", plen);
+ rc = -EIO;
+ goto querty_exit;
+ }
+
+ rc = parse_reparse_symlink((struct reparse_symlink_data_buffer *)reparse_buf, plen, target_path, cifs_sb);
goto querty_exit;
}
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c7d5813bebd8..858353d20c39 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -914,7 +914,19 @@ struct reparse_mount_point_data_buffer {
__u8 PathBuffer[0]; /* Variable Length */
} __packed;
-/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[0]; /* Variable Length */
+} __packed;
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
--
2.13.6
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-06-27 5:31 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-27 4:57 [PATCH] cifs: fix crash for querying symlinks stored as reparse-points Ronnie Sahlberg
2019-06-27 5:30 ` Steve French
-- strict thread matches above, loose matches on Subject: below --
2019-06-27 2:21 Ronnie Sahlberg
2019-06-27 1:54 Ronnie Sahlberg
2019-06-27 1:44 Ronnie Sahlberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).