From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jianhong Yin <jiyin@redhat.com>,
Stefano Brivio <sbrivio@redhat.com>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 4.17 21/56] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
Date: Tue, 10 Jul 2018 20:25:03 +0200 [thread overview]
Message-ID: <20180710182504.695242119@linuxfoundation.org> (raw)
In-Reply-To: <20180710182503.544433950@linuxfoundation.org>
4.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio <sbrivio@redhat.com>
commit f46ecbd97f508e68a7806291a139499794874f3d upstream.
A "small" CIFS buffer is not big enough in general to hold a
setacl request for SMB2, and we end up overflowing the buffer in
send_set_info(). For instance:
# mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
# touch /mnt/test/acltest
# getcifsacl /mnt/test/acltest
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-2926364953-924364008-418108241-1000
GROUP:S-1-22-2-1001
ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
ACL:S-1-22-2-1001:ALLOWED/0x0/R
ACL:S-1-22-2-1001:ALLOWED/0x0/R
ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
ACL:S-1-1-0:ALLOWED/0x0/R
# setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest
this setacl will cause the following KASAN splat:
[ 330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
[ 330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012
[ 330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
[ 330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 330.784395] Call Trace:
[ 330.784789] dump_stack+0xc2/0x16b
[ 330.786777] print_address_description+0x6a/0x270
[ 330.787520] kasan_report+0x258/0x380
[ 330.788845] memcpy+0x34/0x50
[ 330.789369] send_set_info+0x4dd/0xc20 [cifs]
[ 330.799511] SMB2_set_acl+0x76/0xa0 [cifs]
[ 330.801395] set_smb2_acl+0x7ac/0xf30 [cifs]
[ 330.830888] cifs_xattr_set+0x963/0xe40 [cifs]
[ 330.840367] __vfs_setxattr+0x84/0xb0
[ 330.842060] __vfs_setxattr_noperm+0xe6/0x370
[ 330.843848] vfs_setxattr+0xc2/0xd0
[ 330.845519] setxattr+0x258/0x320
[ 330.859211] path_setxattr+0x15b/0x1b0
[ 330.864392] __x64_sys_setxattr+0xc0/0x160
[ 330.866133] do_syscall_64+0x14e/0x4b0
[ 330.876631] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 330.878503] RIP: 0033:0x7ff2e507db0a
[ 330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
[ 330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
[ 330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
[ 330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
[ 330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
[ 330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
[ 330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550
[ 330.901057] Allocated by task 1012:
[ 330.902888] kasan_kmalloc+0xa0/0xd0
[ 330.904714] kmem_cache_alloc+0xc8/0x1d0
[ 330.906615] mempool_alloc+0x11e/0x380
[ 330.908496] cifs_small_buf_get+0x35/0x60 [cifs]
[ 330.910510] smb2_plain_req_init+0x4a/0xd60 [cifs]
[ 330.912551] send_set_info+0x198/0xc20 [cifs]
[ 330.914535] SMB2_set_acl+0x76/0xa0 [cifs]
[ 330.916465] set_smb2_acl+0x7ac/0xf30 [cifs]
[ 330.918453] cifs_xattr_set+0x963/0xe40 [cifs]
[ 330.920426] __vfs_setxattr+0x84/0xb0
[ 330.922284] __vfs_setxattr_noperm+0xe6/0x370
[ 330.924213] vfs_setxattr+0xc2/0xd0
[ 330.926008] setxattr+0x258/0x320
[ 330.927762] path_setxattr+0x15b/0x1b0
[ 330.929592] __x64_sys_setxattr+0xc0/0x160
[ 330.931459] do_syscall_64+0x14e/0x4b0
[ 330.933314] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 330.936843] Freed by task 0:
[ 330.938588] (stack is not available)
[ 330.941886] The buggy address belongs to the object at ffff88010d5e2800
which belongs to the cache cifs_small_rq of size 448
[ 330.946362] The buggy address is located 96 bytes inside of
448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
[ 330.950722] The buggy address belongs to the page:
[ 330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
[ 330.955665] flags: 0x17ffffc0008100(slab|head)
[ 330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
[ 330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 330.963005] page dumped because: kasan: bad access detected
[ 330.967039] Memory state around the buggy address:
[ 330.969255] ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 330.971833] ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 330.976956] ^
[ 330.979226] ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 330.981755] ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 330.984225] ==================================================================
Fix this by allocating a regular CIFS buffer in
smb2_plain_req_init() if the request command is SMB2_SET_INFO.
Reported-by: Jianhong Yin <jiyin@redhat.com>
Fixes: 366ed846df60 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-and-tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -339,7 +339,10 @@ smb2_plain_req_init(__le16 smb2_command,
return rc;
/* BB eventually switch this to SMB2 specific small buf size */
- *request_buf = cifs_small_buf_get();
+ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+ else
+ *request_buf = cifs_small_buf_get();
if (*request_buf == NULL) {
/* BB should we add a retry in here if not a writepage? */
return -ENOMEM;
@@ -3363,7 +3366,7 @@ send_set_info(const unsigned int xid, st
rc = smb2_send_recv(xid, ses, iov, num, &resp_buftype, flags,
&rsp_iov);
- cifs_small_buf_release(req);
+ cifs_buf_release(req);
rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base;
if (rc != 0)
next prev parent reply other threads:[~2018-07-10 18:35 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-10 18:24 [PATCH 4.17 00/56] 4.17.6-stable review Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 01/56] userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 02/56] mm: hugetlb: yield when prepping struct pages Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 03/56] mm: teach dump_page() to correctly output poisoned " Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 04/56] PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 05/56] ACPICA: Drop leading newlines from error messages Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 06/56] ACPI / battery: Safe unregistering of hooks Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 07/56] drm/amdgpu: Make struct amdgpu_atif private to amdgpu_acpi.c Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 08/56] tracing: Avoid string overflow Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 09/56] tracing: Fix missing return symbol in function_graph output Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 10/56] scsi: sg: mitigate read/write abuse Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 11/56] scsi: aacraid: Fix PD performance regression over incorrect qd being set Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 12/56] scsi: target: Fix truncated PR-in ReadKeys response Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 13/56] s390: Correct register corruption in critical section cleanup Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 14/56] drbd: fix access after free Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 15/56] vfio: Use get_user_pages_longterm correctly Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 16/56] ARM: dts: imx51-zii-rdu1: fix touchscreen pinctrl Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.17 17/56] ARM: dts: omap3: Fix am3517 mdio and emac clock references Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 18/56] ARM: dts: dra7: Disable metastability workaround for USB2 Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 19/56] cifs: Fix use after free of a mid_q_entry Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 20/56] cifs: Fix memory leak in smb2_set_ea() Greg Kroah-Hartman
2018-07-10 18:25 ` Greg Kroah-Hartman [this message]
2018-07-10 18:25 ` [PATCH 4.17 22/56] cifs: Fix infinite loop when using hard mount option Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 23/56] drm: Use kvzalloc for allocating blob property memory Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 24/56] drm/udl: fix display corruption of the last line Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 25/56] drm/amdgpu: Add amdgpu_atpx_get_dhandle() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 26/56] drm/amdgpu: Dynamically probe for ATIF handle (v2) Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 27/56] jbd2: dont mark block as modified if the handle is out of credits Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 28/56] ext4: add corruption check in ext4_xattr_set_entry() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 29/56] ext4: always verify the magic number in xattr blocks Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 30/56] ext4: make sure bitmaps and the inode table dont overlap with bg descriptors Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 31/56] ext4: always check block group bounds in ext4_init_block_bitmap() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 32/56] ext4: only look at the bg_flags field if it is valid Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 33/56] ext4: verify the depth of extent tree in ext4_find_extent() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 34/56] ext4: include the illegal physical block in the bad map ext4_error msg Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 35/56] ext4: clear i_data in ext4_inode_info when removing inline data Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 36/56] ext4: never move the system.data xattr out of the inode body Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 37/56] ext4: avoid running out of journal credits when appending to an inline file Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 38/56] ext4: add more inode number paranoia checks Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 39/56] ext4: add more mount time checks of the superblock Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 40/56] ext4: check superblock mapped prior to committing Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 41/56] HID: i2c-hid: Fix "incomplete report" noise Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 42/56] HID: hiddev: fix potential Spectre v1 Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 43/56] HID: debug: check length before copy_to_user() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 44/56] HID: core: allow concurrent registration of drivers Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 45/56] i2c: core: smbus: fix a potential missing-check bug Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 46/56] i2c: smbus: kill memory leak on emulated and failed DMA SMBus xfers Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 47/56] fs: allow per-device dax status checking for filesystems Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 48/56] dax: change bdev_dax_supported() to support boolean returns Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 49/56] dax: check for QUEUE_FLAG_DAX in bdev_dax_supported() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 50/56] dm: prevent DAX mounts if not supported Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 51/56] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 52/56] mtd: cfi_cmdset_0002: Change erase functions to retry for error Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 53/56] mtd: cfi_cmdset_0002: Change erase functions to check chip good only Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 54/56] netfilter: nf_log: dont hold nf_log_mutex during user access Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 55/56] staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() Greg Kroah-Hartman
2018-07-10 18:25 ` [PATCH 4.17 56/56] Revert mm/vmstat.c: fix vmstat_update() preemption BUG Greg Kroah-Hartman
2018-07-11 11:18 ` [PATCH 4.17 00/56] 4.17.6-stable review Naresh Kamboju
2018-07-11 13:23 ` Greg Kroah-Hartman
2018-07-11 13:41 ` Guenter Roeck
2018-07-11 14:03 ` Greg Kroah-Hartman
2018-07-11 15:23 ` Shuah Khan
2018-07-11 15:28 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180710182504.695242119@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jiyin@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sbrivio@redhat.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.