linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Shirish Pargaonkar <shirishpargaonkar@gmail.com>,
	Noah Morrison <noah.morrison@rubrik.com>,
	Steve French <stfrench@microsoft.com>
Subject: [PATCH 4.14 33/52] cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
Date: Sun, 24 Jun 2018 23:21:26 +0800	[thread overview]
Message-ID: <20180624142746.458854608@linuxfoundation.org> (raw)
In-Reply-To: <20180624142744.234164867@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shirish Pargaonkar <shirishpargaonkar@gmail.com>

commit ee25c6dd7b05113783ce1f4fab6b30fc00d29b8d upstream.

Validate_buf () function checks for an expected minimum sized response
passed to query_info() function.
For security information, the size of a security descriptor can be
smaller (one subauthority, no ACEs) than the size of the structure
that defines FileInfoClass of FileAllInformation.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725
Cc: <stable@vger.kernel.org>
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Noah Morrison <noah.morrison@rubrik.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifsacl.h |   14 ++++++++++++++
 fs/cifs/smb2pdu.c |    3 +--
 2 files changed, 15 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifsacl.h
+++ b/fs/cifs/cifsacl.h
@@ -98,4 +98,18 @@ struct cifs_ace {
 	struct cifs_sid sid; /* ie UUID of user or group who gets these perms */
 } __attribute__((packed));
 
+/*
+ * Minimum security identifier can be one for system defined Users
+ * and Groups such as NULL SID and World or Built-in accounts such
+ * as Administrator and Guest and consists of
+ * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority)
+ */
+#define MIN_SID_LEN  (1 + 1 + 6 + 4) /* in bytes */
+
+/*
+ * Minimum security descriptor can be one without any SACL and DACL and can
+ * consist of revision, type, and two sids of minimum size for owner and group
+ */
+#define MIN_SEC_DESC_LEN  (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN))
+
 #endif /* _CIFSACL_H */
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2279,8 +2279,7 @@ SMB2_query_acl(const unsigned int xid, s
 
 	return query_info(xid, tcon, persistent_fid, volatile_fid,
 			  0, SMB2_O_INFO_SECURITY, additional_info,
-			  SMB2_MAX_BUFFER_SIZE,
-			  sizeof(struct smb2_file_all_info), data, plen);
+			  SMB2_MAX_BUFFER_SIZE, MIN_SEC_DESC_LEN, data, plen);
 }
 
 int



  parent reply	other threads:[~2018-06-24 15:30 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-24 15:20 [PATCH 4.14 00/52] 4.14.52-stable review Greg Kroah-Hartman
2018-06-24 15:20 ` [PATCH 4.14 01/52] bonding: re-evaluate force_primary when the primary slave name changes Greg Kroah-Hartman
2018-06-24 15:20 ` [PATCH 4.14 03/52] ipv6: allow PMTU exceptions to local routes Greg Kroah-Hartman
2018-06-24 15:20 ` [PATCH 4.14 04/52] net: dsa: add error handling for pskb_trim_rcsum Greg Kroah-Hartman
2018-06-24 15:20 ` [PATCH 4.14 05/52] net/sched: act_simple: fix parsing of TCA_DEF_DATA Greg Kroah-Hartman
2018-06-24 15:20 ` [PATCH 4.14 06/52] tcp: verify the checksum of the first data segment in a new connection Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 07/52] socket: close race condition between sock_close() and sockfs_setattr() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 08/52] udp: fix rx queue len reported by diag and proc interface Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 09/52] net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 10/52] hv_netvsc: Fix a network regression after ifdown/ifup Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 11/52] tls: fix use-after-free in tls_push_record Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 12/52] NFSv4.1: Fix up replays of interrupted requests Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 13/52] ext4: fix hole length detection in ext4_ind_map_blocks() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 14/52] ext4: update mtime in ext4_punch_hole even if no blocks are released Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 15/52] ext4: do not allow external inodes for inline data Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 16/52] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 17/52] ext4: correctly handle a zero-length xattr with a non-zero e_value_offs Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 18/52] ext4: fix fencepost error in check for inode count overflow during resize Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 19/52] driver core: Dont ignore class_dir_create_and_add() failure Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 20/52] Btrfs: fix clone vs chattr NODATASUM race Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 21/52] Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 22/52] btrfs: return error value if create_io_em failed in cow_file_range Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 23/52] btrfs: scrub: Dont use inode pages for device replace Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 24/52] ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 25/52] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 26/52] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 27/52] ALSA: hda: add dock and led support for HP EliteBook 830 G5 Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 28/52] ALSA: hda: add dock and led support for HP ProBook 640 G4 Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 29/52] x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 30/52] smb3: fix various xid leaks Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 31/52] smb3: on reconnect set PreviousSessionId field Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 32/52] CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session expiry Greg Kroah-Hartman
2018-06-24 15:21 ` Greg Kroah-Hartman [this message]
2018-06-24 15:21 ` [PATCH 4.14 34/52] nbd: fix nbd device deletion Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 35/52] nbd: update size when connected Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 36/52] nbd: use bd_set_size when updating disk size Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 37/52] blk-mq: reinit q->tag_set_list entry only after grace period Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 38/52] bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 39/52] cpufreq: Fix new policy initialization during limits updates via sysfs Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 40/52] cpufreq: governors: Fix long idle detection logic in load calculation Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 41/52] libata: zpodd: small read overflow in eject_tray() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 42/52] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 43/52] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 44/52] x86/intel_rdt: Enable CMT and MBM on new Skylake stepping Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 45/52] iwlwifi: fw: harden page loading code Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 46/52] orangefs: set i_size on new symlink Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 47/52] orangefs: report attributes_mask and attributes for statx Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 48/52] HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 49/52] HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 50/52] vhost: fix info leak due to uninitialized memory Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 51/52] fs/binfmt_misc.c: do not allow offset overflow Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.14 52/52] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset Greg Kroah-Hartman
2018-06-25  6:43 ` [PATCH 4.14 00/52] 4.14.52-stable review Naresh Kamboju
2018-06-25 17:19 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180624142746.458854608@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=noah.morrison@rubrik.com \
    --cc=shirishpargaonkar@gmail.com \
    --cc=stable@vger.kernel.org \
    --cc=stfrench@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).