From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Morris <rtm@csail.mit.edu>,
Paulo Alcantara <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 57/75] smb: client: fix OOB in SMB2_query_info_init()
Date: Wed, 3 Jan 2024 17:55:38 +0100
Message-ID: <20240103164851.728113794@linuxfoundation.org>
In-Reply-To: <20240103164842.953224409@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 33eae65c6f49770fec7a662935d4eb4a6406d24b ]
A small CIFS buffer (448 bytes) isn't big enough to hold an
SMB2_QUERY_INFO request along with the user's input data from the
CIFS_QUERY_INFO ioctl. That is, if the user passes an input buffer >
344 bytes, the client will memcpy() off the end of @req->Buffer in
SMB2_query_info_init(), thus causing the following KASAN splat:
BUG: KASAN: slab-out-of-bounds in SMB2_query_info_init+0x242/0x250 [cifs]
Write of size 1023 at addr ffff88801308c5a8 by task a.out/1240
CPU: 1 PID: 1240 Comm: a.out Not tainted 6.7.0-rc4 #5
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x80
print_report+0xcf/0x650
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __phys_addr+0x46/0x90
kasan_report+0xd8/0x110
? SMB2_query_info_init+0x242/0x250 [cifs]
? SMB2_query_info_init+0x242/0x250 [cifs]
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x3c/0x60
SMB2_query_info_init+0x242/0x250 [cifs]
? __pfx_SMB2_query_info_init+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? smb_rqst_len+0xa6/0xc0 [cifs]
smb2_ioctl_query_info+0x4f4/0x9a0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
? __pfx_cifsConvertToUTF16+0x10/0x10 [cifs]
? kasan_set_track+0x25/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? __kasan_kmalloc+0x8f/0xa0
? srso_alias_return_thunk+0x5/0xfbef5
? cifs_strndup_to_utf16+0x12d/0x1a0 [cifs]
? __build_path_from_dentry_optional_prefix+0x19d/0x2d0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
cifs_ioctl+0x11c7/0x1de0 [cifs]
? __pfx_cifs_ioctl+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? rcu_is_watching+0x23/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? __rseq_handle_notify_resume+0x6cd/0x850
? __pfx___schedule+0x10/0x10
? blkcg_iostat_update+0x250/0x290
? srso_alias_return_thunk+0x5/0xfbef5
? ksys_write+0xe9/0x170
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f893dde49cf
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48
89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89>
c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007ffc03ff4160 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc03ff4378 RCX: 00007f893dde49cf
RDX: 00007ffc03ff41d0 RSI: 00000000c018cf07 RDI: 0000000000000003
RBP: 00007ffc03ff4260 R08: 0000000000000410 R09: 0000000000000001
R10: 00007f893dce7300 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc03ff4388 R14: 00007f893df15000 R15: 0000000000406de0
</TASK>
Fix this by increasing the size of SMB2_QUERY_INFO request buffers and
validating the input length to prevent other callers from overflowing
@req in SMB2_query_info_init() as well.
Fixes: f5b05d622a3e ("cifs: add IOCTL for QUERY_INFO passthrough to userspace")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris <rtm@csail.mit.edu>
Signed-off-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2pdu.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 9a80047bc9b7b..76679dc4e6328 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -373,10 +373,15 @@ static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
void **request_buf, unsigned int *total_len)
{
/* BB eventually switch this to SMB2 specific small buf size */
- if (smb2_command == SMB2_SET_INFO)
+ switch (smb2_command) {
+ case SMB2_SET_INFO:
+ case SMB2_QUERY_INFO:
*request_buf = cifs_buf_get();
- else
+ break;
+ default:
*request_buf = cifs_small_buf_get();
+ break;
+ }
if (*request_buf == NULL) {
/* BB should we add a retry in here if not a writepage? */
return -ENOMEM;
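Review bot: moving SMB2_QUERY_INFO to cifs_buf_get() changes the pool every query-info request is drawn from, so every release path for those requests has to move to cifs_buf_release() in the same patch; the SMB2_query_info_free() and free_qfs_info_req() hunks below do that, but it is worth grepping this tree for any other cifs_small_buf_release() of a buffer obtained through smb2_plain_req_init(SMB2_QUERY_INFO, ...), since a mismatched release would hand a large buffer back to the small-buffer pool. The "/* BB eventually switch this to SMB2 specific small buf size */" comment is kept as-is; a short note that SET_INFO and QUERY_INFO carry caller-supplied payloads and therefore need the large buffer would document why exactly these two commands are special-cased.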
@@ -3346,8 +3351,13 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
struct smb2_query_info_req *req;
struct kvec *iov = rqst->rq_iov;
unsigned int total_len;
+ size_t len;
int rc;
+ if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+ len > CIFSMaxBufSize))
+ return -EINVAL;
+
rc = smb2_plain_req_init(SMB2_QUERY_INFO, tcon, server,
(void **) &req, &total_len);
if (rc)
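Review bot: the new guard bounds len against CIFSMaxBufSize, which is only the right limit because the first hunk now allocates SMB2_QUERY_INFO requests with cifs_buf_get(); if that size class ever changes again this constant must change with it, so a one-line comment tying the check to the allocation would help. The check runs before smb2_plain_req_init(), so -EINVAL is returned with nothing to release, and len is reused for iov_len at the end of the function, which keeps the validated size and the transmitted size identical rather than recomputing them separately.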
@@ -3369,7 +3379,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
iov[0].iov_base = (char *)req;
/* 1 for Buffer */
- iov[0].iov_len = total_len - 1 + input_len;
+ iov[0].iov_len = len;
return 0;
}
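Review bot: the "/* 1 for Buffer */" comment above "iov[0].iov_len = len;" is now stale, since nothing in the new expression subtracts a byte; drop or reword it. More importantly, the old length was "total_len - 1 + input_len" and the new one is "sizeof(*req) + input_len", which agree only if sizeof(*req) == total_len - 1. Please confirm that holds for struct smb2_query_info_req in this tree: if Buffer is still declared as a one-element array here, len is one byte longer than the request previously sent.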
@@ -3377,7 +3387,7 @@ void
SMB2_query_info_free(struct smb_rqst *rqst)
{
if (rqst && rqst->rq_iov)
- cifs_small_buf_release(rqst->rq_iov[0].iov_base); /* request */
+ cifs_buf_release(rqst->rq_iov[0].iov_base); /* request */
}
static int
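Review bot: the release now pairs with the cifs_buf_get() allocation introduced in the first hunk, which is the correct match for requests built by SMB2_query_info_init(). The flip side is that anything freed through SMB2_query_info_free() must now have come from cifs_buf_get(); a caller that fills rq_iov[0] from a small buffer and then hands the rqst to this function would be mismatched, so a quick check of its callers is worthwhile.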
@@ -5104,6 +5114,11 @@ build_qfs_info_req(struct kvec *iov, struct cifs_tcon *tcon,
return 0;
}
+static inline void free_qfs_info_req(struct kvec *iov)
+{
+ cifs_buf_release(iov->iov_base);
+}
+
int
SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
u64 persistent_fid, u64 volatile_fid, struct kstatfs *fsdata)
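Review bot: free_qfs_info_req() carries no comment explaining why it exists; a one-liner such as "/* build_qfs_info_req() allocates via smb2_plain_req_init(SMB2_QUERY_INFO), i.e. cifs_buf_get() */" would stop a future reader from "simplifying" the call sites back to cifs_small_buf_release(). Taking a struct kvec * rather than the raw pointer is a good choice, since it keeps the callers symmetric with build_qfs_info_req(&iov, ...).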
@@ -5135,7 +5150,7 @@ SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto posix_qfsinf_exit;
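Review bot: the release still happens unconditionally before the rc check, so only the release function changes and the ordering is preserved; the two following hunks for SMB2_QFS_info() and SMB2_QFS_attr() follow the same pattern. With all three build_qfs_info_req() callers visible here converted, the remaining risk is a caller outside this diff that still uses cifs_small_buf_release(); a grep for build_qfs_info_req( in this tree would settle that.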
@@ -5186,7 +5201,7 @@ SMB2_QFS_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto qfsinf_exit;
@@ -5253,7 +5268,7 @@ SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto qfsattr_exit;
--
2.43.0
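As an added illustration of the arithmetic in the commit message (not code from the patch or the kernel): a user-space model of the length guard the fix adds, with the 104-byte fixed request size derived from the stated 448-byte small buffer and 344-byte input limit, and __builtin_add_overflow standing in for the kernel's check_add_overflow().

```c
/* Added user-space model of the length guard in the patched
 * SMB2_query_info_init(); not kernel code. Sizes from the commit message:
 * 448-byte small buffer, 344-byte input limit, so the fixed part is
 * assumed to be 448 - 344 = 104 bytes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMALL_BUF_SIZE   448u  /* old cifs_small_buf_get() buffer, from the page */
#define QUERY_INFO_FIXED 104u  /* assumed: header + fixed fields before Buffer */

/* Pre-patch arithmetic: the sum may exceed the buffer, and a huge
 * input_len silently wraps around. */
static size_t query_info_len_unchecked(size_t input_len)
{
    return QUERY_INFO_FIXED + input_len;
}

/* Patched arithmetic, mirroring
 *   check_add_overflow(input_len, sizeof(*req), &len) || len > CIFSMaxBufSize
 * with the compiler builtin behind the kernel macro. Rejects (returns false)
 * on wrap-around or when the request would not fit in buf_size bytes. */
static bool query_info_len_checked(size_t input_len, size_t buf_size, size_t *len)
{
    size_t total;
    if (__builtin_add_overflow(input_len, (size_t)QUERY_INFO_FIXED, &total))
        return false;
    if (total > buf_size)
        return false;
    *len = total;
    return true;
}

/* Validated length for the 448-byte buffer, or 0 when the input is rejected. */
static size_t small_buf_len_or_zero(size_t input_len)
{
    size_t len = 0;
    return query_info_len_checked(input_len, SMALL_BUF_SIZE, &len) ? len : 0;
}

int main(void)
{
    const size_t inputs[] = { 344, 345, 1023, SIZE_MAX }; /* 1023: KASAN write size */
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("input_len=%zu unchecked=%zu checked=%zu\n", inputs[i],
               query_info_len_unchecked(inputs[i]), small_buf_len_or_zero(inputs[i]));
    return 0;
}
```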