From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Morris <rtm@csail.mit.edu>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 34/95] smb: client: fix OOB in smb2_query_reparse_point()
Date: Wed, 3 Jan 2024 17:54:42 +0100
Message-ID: <20240103164859.216670369@linuxfoundation.org>
In-Reply-To: <20240103164853.921194838@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 3a42709fa909e22b0be4bb1e2795aa04ada732a3 ]
Validate @ioctl_rsp->OutputOffset and @ioctl_rsp->OutputCount so that
their sum does not wrap to a number that is smaller than @reparse_buf
and we end up with a wild pointer as follows:
BUG: unable to handle page fault for address: ffff88809c5cd45f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4a01067 P4D 4a01067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1260 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
Code: ff ff e8 f3 51 fe ff 41 89 c6 58 5a 45 85 f6 0f 85 14 fe ff ff
49 8b 57 48 8b 42 60 44 8b 42 64 42 8d 0c 00 49 39 4f 50 72 40 <8b>
04 02 48 8b 9d f0 fe ff ff 49 8b 57 50 89 03 48 8b 9d e8 fe ff
RSP: 0018:ffffc90000347a90 EFLAGS: 00010212
RAX: 000000008000001f RBX: ffff88800ae11000 RCX: 00000000000000ec
RDX: ffff88801c5cd440 RSI: 0000000000000000 RDI: ffffffff82004aa4
RBP: ffffc90000347bb0 R08: 00000000800000cd R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000024 R12: ffff8880114d4100
R13: ffff8880114d4198 R14: 0000000000000000 R15: ffff8880114d4000
FS: 00007f02c07babc0(0000) GS:ffff88806ba00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88809c5cd45f CR3: 0000000011750000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? search_module_extables+0x19/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x1b6/0x1c0
? asm_exc_page_fault+0x26/0x30
? _raw_spin_unlock_irqrestore+0x44/0x60
? smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
cifs_get_fattr+0x16e/0xa50 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0xbf/0x2b0
cifs_root_iget+0x163/0x5f0 [cifs]
cifs_smb3_do_mount+0x5bd/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f02c08d5b1e
Fixes: 2e4564b31b64 ("smb3: add support for stat of WSL reparse points for special file types")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris <rtm@csail.mit.edu>
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2ops.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 7c2ecbb17f542..f31da2647d042 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3263,7 +3263,7 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_ioctl_rsp *ioctl_rsp;
struct reparse_data_buffer *reparse_buf;
- u32 plen;
+ u32 off, count, len;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
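Review bot: the new declaration `+ u32 off, count, len;` makes `len` carry two unrelated quantities later in this patch (first the `off + count` end bound checked against `rsp_iov[1].iov_len`, then `sizeof(*reparse_buf)` for the header-size check), which makes the second block harder to read than it needs to be. Consider a distinct name such as `end` for the bounds sum so the overflow check and the header-size check do not share a variable.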
@@ -3343,16 +3343,22 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
*/
if (rc == 0) {
/* See MS-FSCC 2.3.23 */
+ off = le32_to_cpu(ioctl_rsp->OutputOffset);
+ count = le32_to_cpu(ioctl_rsp->OutputCount);
+ if (check_add_overflow(off, count, &len) ||
+ len > rsp_iov[1].iov_len) {
+ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
+ __func__, off, count);
+ rc = -EIO;
+ goto query_rp_exit;
+ }
- reparse_buf = (struct reparse_data_buffer *)
- ((char *)ioctl_rsp +
- le32_to_cpu(ioctl_rsp->OutputOffset));
- plen = le32_to_cpu(ioctl_rsp->OutputCount);
-
- if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
- rsp_iov[1].iov_len) {
- cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",
- plen);
+ reparse_buf = (void *)((u8 *)ioctl_rsp + off);
+ len = sizeof(*reparse_buf);
+ if (count < len ||
+ count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {
+ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
+ __func__, off, count);
rc = -EIO;
goto query_rp_exit;
}
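Review bot: both new `cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n", __func__, off, count);` calls print the u32 values `off` and `count` with `%d`; use `%u` so that a large offset of the kind this patch rejects is logged as its actual unsigned value instead of a negative number. The operand order in `count < len || count < le16_to_cpu(reparse_buf->ReparseDataLength) + len` is load-bearing, since the short-circuit keeps `reparse_buf->ReparseDataLength` from being read until the fixed header is known to fit inside `count`; a one-line comment to that effect would stop a later refactor from swapping the two conditions.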
--
2.43.0
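The commit message explains the bug as a u32 sum of OutputOffset and OutputCount that can wrap to a value smaller than the buffer it is checked against. The following is an added, stand-alone C example (not code from the kernel or from this patch) that puts the pre-fix check beside the post-fix logic on a constructed response buffer. The struct layouts, the names `old_check_ok`, `new_check_ok` and `sample_response`, the host-order fields (the kernel's fields are little-endian and go through `le32_to_cpu()`/`le16_to_cpu()`), the use of `__builtin_add_overflow` as a userspace stand-in for `check_add_overflow()`, and the sample offsets and lengths are all assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, host-order stand-in for the on-the-wire reparse buffer header;
 * only the fields the checks touch are modelled. */
struct reparse_data_buffer {
    uint32_t ReparseTag;
    uint16_t ReparseDataLength;  /* length of the variable DataBuffer that follows */
    uint16_t Reserved;
};

/* Pre-fix check as the commit message describes it: a u32 addition that can
 * wrap, so a huge offset plus a small count compares as "small". */
static bool old_check_ok(uint32_t off, uint32_t count, size_t iov_len)
{
    uint32_t sum = count + off;      /* wraps modulo 2^32 */
    return sum <= iov_len;
}

/* Post-fix logic: detect the wrap (userspace equivalent of check_add_overflow()),
 * then make sure both the fixed header and its declared payload fit inside
 * count before any header field is read. */
static bool new_check_ok(const uint8_t *rsp, size_t iov_len,
                         uint32_t off, uint32_t count)
{
    uint32_t end;
    if (__builtin_add_overflow(off, count, &end) || end > iov_len) {
        fprintf(stderr, "invalid ioctl: off=%u count=%u\n", off, count);
        return false;
    }
    const uint32_t hdr = sizeof(struct reparse_data_buffer);
    if (count < hdr)                 /* header itself does not fit */
        return false;
    struct reparse_data_buffer rb;
    memcpy(&rb, rsp + off, sizeof rb);   /* in bounds: off + hdr <= end <= iov_len */
    if (count < (uint32_t)rb.ReparseDataLength + hdr)  /* declared payload does not fit */
        return false;
    return true;
}

/* Constructed sample: a 256-byte response carrying one reparse header at
 * offset 64 whose ReparseDataLength is chosen by the caller. */
#define SAMPLE_LEN 256u
#define SAMPLE_OFF 64u
static uint8_t sample_rsp[SAMPLE_LEN];

static const uint8_t *sample_response(uint16_t reparse_data_len)
{
    struct reparse_data_buffer rb = {
        .ReparseTag = 0,                 /* placeholder tag value, constructed */
        .ReparseDataLength = reparse_data_len,
    };
    memset(sample_rsp, 0, sizeof sample_rsp);
    memcpy(sample_rsp + SAMPLE_OFF, &rb, sizeof rb);
    return sample_rsp;
}

int main(void)
{
    const uint8_t *rsp = sample_response(16);
    /* Wrapping pair: 0xFFFFFFF0 + 0x20 == 0x10 in u32 arithmetic. */
    printf("old check, wrapping offset: %s\n",
           old_check_ok(0xFFFFFFF0u, 0x20u, SAMPLE_LEN) ? "accepted" : "rejected");
    printf("new check, wrapping offset: %s\n",
           new_check_ok(rsp, SAMPLE_LEN, 0xFFFFFFF0u, 0x20u) ? "accepted" : "rejected");
    printf("new check, well-formed:     %s\n",
           new_check_ok(rsp, SAMPLE_LEN, SAMPLE_OFF, 24) ? "accepted" : "rejected");
    return 0;
}
```

The well-formed case uses a count of 24, which is the 8-byte header plus the 16-byte payload the sample declares; the same count is rejected once the header claims a 100-byte payload, and a count smaller than the header is rejected before the header is ever read.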