From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Morris <rtm@csail.mit.edu>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 24/47] smb: client: fix NULL deref in asn1_ber_decoder()
Date: Fri, 5 Jan 2024 15:39:11 +0100 [thread overview]
Message-ID: <20240105143816.460905982@linuxfoundation.org> (raw)
In-Reply-To: <20240105143815.541462991@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ]
If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset,
smb2_get_data_area() sets @len to non-zero but return NULL, so
decode_negTokeninit() ends up being called with a NULL @security_blob:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:asn1_ber_decoder+0x173/0xc80
Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00
RSP: 0018:ffffc9000063f950 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a
RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000
FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? __stack_depot_save+0x1e6/0x480
? exc_page_fault+0x6f/0x1c0
? asm_exc_page_fault+0x26/0x30
? asn1_ber_decoder+0x173/0xc80
? check_object+0x40/0x340
decode_negTokenInit+0x1e/0x30 [cifs]
SMB2_negotiate+0xc99/0x17c0 [cifs]
? smb2_negotiate+0x46/0x60 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
smb2_negotiate+0x46/0x60 [cifs]
cifs_negotiate_protocol+0xae/0x130 [cifs]
cifs_get_smb_ses+0x517/0x1040 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? queue_delayed_work_on+0x5d/0x90
cifs_mount_get_session+0x78/0x200 [cifs]
dfs_mount_share+0x13a/0x9f0 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0xbf/0x2b0
? find_nls+0x16/0x80
? srso_alias_return_thunk+0x5/0xfbef5
cifs_mount+0x7e/0x350 [cifs]
cifs_smb3_do_mount+0x128/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fce52c2ab1e
Fix this by setting @len to zero when @off == 0 so callers won't
attempt to dereference non-existing data areas.
Reported-by: Robert Morris <rtm@csail.mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2misc.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index 7177720e822e1..d3d5d2c6c4013 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -302,6 +302,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
char *
smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
{
+ const int max_off = 4096;
+ const int max_len = 128 * 1024;
+
*off = 0;
*len = 0;
@@ -369,29 +372,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
* Invalid length or offset probably means data area is invalid, but
* we have little choice but to ignore the data area in this case.
*/
- if (*off > 4096) {
- cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
- *len = 0;
- *off = 0;
- } else if (*off < 0) {
- cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
- *off);
+ if (unlikely(*off < 0 || *off > max_off ||
+ *len < 0 || *len > max_len)) {
+ cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",
+ __func__, *off, *len);
*off = 0;
*len = 0;
- } else if (*len < 0) {
- cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
- *len);
- *len = 0;
- } else if (*len > 128 * 1024) {
- cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
+ } else if (*off == 0) {
*len = 0;
}
/* return pointer to beginning of data area, ie offset from SMB start */
- if ((*off != 0) && (*len != 0))
+ if (*off > 0 && *len > 0)
return (char *)shdr + *off;
- else
- return NULL;
+ return NULL;
}
/*
--
2.43.0
next prev parent reply other threads:[~2024-01-05 14:43 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-05 14:38 [PATCH 5.4 00/47] 5.4.266-rc1 review Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 01/47] ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5 Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 02/47] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 03/47] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 04/47] reset: Fix crash when freeing non-existent optional resets Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 05/47] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 06/47] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 07/47] Revert "net/mlx5e: fix double free of encap_header" Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 08/47] net/mlx5: improve some comments Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 09/47] net/mlx5: Fix fw tracer first block check Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 10/47] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 11/47] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 5.4 12/47] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 13/47] net/rose: fix races in rose_kill_by_device() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 14/47] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 15/47] afs: Fix the dynamic roots d_delete to always delete unused dentries Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 16/47] afs: Fix dynamic root lookup DNS check Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 17/47] net: warn if gso_type isnt set for a GSO SKB Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 18/47] net: check dev->gso_max_size in gso_features_check() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 19/47] afs: Fix overwriting of result of DNS query Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 20/47] i2c: aspeed: Handle the coalesced stop conditions with the start conditions Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 21/47] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 22/47] ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 23/47] ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB Greg Kroah-Hartman
2024-01-05 14:39 ` Greg Kroah-Hartman [this message]
2024-01-05 14:39 ` [PATCH 5.4 25/47] btrfs: do not allow non subvolume root targets for snapshot Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 26/47] interconnect: Treat xlate() returning NULL node as an error Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 27/47] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 28/47] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 29/47] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 30/47] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 31/47] iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 32/47] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 33/47] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 34/47] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 35/47] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 36/47] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 37/47] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 38/47] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 39/47] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 40/47] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 41/47] x86/alternatives: Sync core before enabling interrupts Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 42/47] usb: fotg210-hcd: delete an incorrect bounds test Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 43/47] smb: client: fix OOB in smbCalcSize() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 44/47] bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 45/47] bus: ti-sysc: Flush posted write only after srst_udelay Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 46/47] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 5.4 47/47] block: Dont invalidate pagecache for invalid falloc modes Greg Kroah-Hartman
2024-01-05 16:04 ` [PATCH 5.4 00/47] 5.4.266-rc1 review Daniel Díaz
2024-01-05 17:01 ` Daniel Díaz
2024-01-06 8:38 ` Greg Kroah-Hartman
2024-01-05 21:51 ` Shreeya Patel
2024-01-06 8:39 ` Greg Kroah-Hartman
2024-01-06 5:57 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240105143816.460905982@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=rtm@csail.mit.edu \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.