From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hyunchul Lee <hyc.lee@gmail.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
zdi-disclosures@trendmicro.com
Subject: [PATCH 5.15 04/14] ksmbd: prevent out of bound read for SMB2_WRITE
Date: Fri, 19 Aug 2022 17:40:20 +0200 [thread overview]
Message-ID: <20220819153711.816369367@linuxfoundation.org> (raw)
In-Reply-To: <20220819153711.658766010@linuxfoundation.org>
From: Hyunchul Lee <hyc.lee@gmail.com>
commit ac60778b87e45576d7bfdbd6f53df902654e6f09 upstream.
OOB read memory can be written to a file,
if DataOffset is 0 and Length is too large
in SMB2_WRITE request of compound request.
To prevent this, when checking the length of
the data area of SMB2_WRITE in smb2_get_data_area_len(),
let the minimum of DataOffset be the size of
SMB2 header + the size of SMB2_WRITE header.
This bug can lead an oops looking something like:
[ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
...
[ 798.008754] Call Trace:
[ 798.008756] <TASK>
[ 798.008759] dump_stack_lvl+0x49/0x5f
[ 798.008764] print_report.cold+0x5e/0x5cf
[ 798.008768] ? __filemap_get_folio+0x285/0x6d0
[ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008777] kasan_report+0xaa/0x120
[ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008784] kasan_check_range+0x100/0x1e0
[ 798.008788] memcpy+0x24/0x60
[ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008795] ? pagecache_get_page+0x53/0x160
[ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590
[ 798.008803] ? ext4_write_begin+0xfc0/0xfc0
[ 798.008807] ? current_time+0x72/0x210
[ 798.008811] generic_perform_write+0x2c8/0x530
[ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180
[ 798.008820] ? down_write+0xb4/0x120
[ 798.008824] ? down_write_killable+0x130/0x130
[ 798.008829] ext4_buffered_write_iter+0x137/0x2c0
[ 798.008833] ext4_file_write_iter+0x40b/0x1490
[ 798.008837] ? __fsnotify_parent+0x275/0xb20
[ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0
[ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0
[ 798.008851] __kernel_write+0x3a1/0xa70
[ 798.008855] ? __x64_sys_preadv2+0x160/0x160
[ 798.008860] ? security_file_permission+0x4a/0xa0
[ 798.008865] kernel_write+0xbb/0x360
[ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd]
[ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd]
[ 798.008892] ? _raw_read_unlock+0x2a/0x50
[ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd]
[ 798.008909] ? __kasan_check_write+0x14/0x20
[ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0
[ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd]
[ 798.008927] ? memcpy+0x4e/0x60
[ 798.008931] ? _raw_spin_unlock+0x19/0x30
[ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd]
[ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0
[ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 798.008962] process_one_work+0x778/0x11c0
[ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0
[ 798.008970] worker_thread+0x544/0x1180
[ 798.008973] ? __cpuidle_text_end+0x4/0x4
[ 798.008977] kthread+0x282/0x320
[ 798.008982] ? process_one_work+0x11c0/0x11c0
[ 798.008985] ? kthread_complete_and_exit+0x30/0x30
[ 798.008989] ret_from_fork+0x1f/0x30
[ 798.008995] </TASK>
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb2misc.c | 7 +++++--
fs/ksmbd/smb2pdu.c | 6 ++----
2 files changed, 7 insertions(+), 6 deletions(-)
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -132,8 +132,11 @@ static int smb2_get_data_area_len(unsign
*len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
break;
case SMB2_WRITE:
- if (((struct smb2_write_req *)hdr)->DataOffset) {
- *off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset);
+ if (((struct smb2_write_req *)hdr)->DataOffset ||
+ ((struct smb2_write_req *)hdr)->Length) {
+ *off = max_t(unsigned int,
+ le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset),
+ offsetof(struct smb2_write_req, Buffer) - 4);
*len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
break;
}
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6471,10 +6471,8 @@ int smb2_write(struct ksmbd_work *work)
(offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
- pr_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ if (le16_to_cpu(req->DataOffset) <
+ offsetof(struct smb2_write_req, Buffer)) {
err = -EINVAL;
goto out;
}
next prev parent reply other threads:[~2022-08-19 15:42 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-19 15:40 [PATCH 5.15 00/14] 5.15.62-rc1 review Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 01/14] io_uring: use original request task for inflight tracking Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 02/14] tee: add overflow check in register_shm_helper() Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 03/14] net_sched: cls_route: disallow handle of 0 Greg Kroah-Hartman
2022-08-19 15:40 ` Greg Kroah-Hartman [this message]
2022-08-19 15:40 ` [PATCH 5.15 05/14] ksmbd: fix heap-based overflow in set_ntacl_dacl() Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 06/14] Revert "x86/ftrace: Use alternative RET encoding" Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 07/14] x86/ibt,ftrace: Make function-graph play nice Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 08/14] x86/ftrace: Use alternative RET encoding Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 09/14] btrfs: only write the sectors in the vertical stripe which has data stripes Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 10/14] btrfs: raid56: dont trust any cached sector in __raid56_parity_recover() Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 11/14] kexec_file: drop weak attribute from functions Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 12/14] kexec: clean up arch_kexec_kernel_verify_sig Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 13/14] kexec, KEYS: make the code in bzImage64_verify_sig generic Greg Kroah-Hartman
2022-08-19 15:40 ` [PATCH 5.15 14/14] arm64: kexec_file: use more system keyrings to verify kernel image signature Greg Kroah-Hartman
2022-08-20 0:42 ` [PATCH 5.15 00/14] 5.15.62-rc1 review Shuah Khan
2022-08-20 8:27 ` Naresh Kamboju
2022-08-20 18:17 ` Greg Kroah-Hartman
2022-08-20 10:05 ` Bagas Sanjaya
2022-08-20 10:42 ` Sudip Mukherjee (Codethink)
2022-08-20 22:23 ` Ron Economos
2022-08-21 0:56 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220819153711.816369367@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hyc.lee@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=zdi-disclosures@trendmicro.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).