* [PATCH 5.10.y] cifs: fix off-by-one in SMB2_query_info_init()
@ 2024-01-29  5:43 Harshit Mogalapalli
  2024-01-29  8:19 ` kovalev
  0 siblings, 1 reply; 5+ messages in thread
From: Harshit Mogalapalli @ 2024-01-29  5:43 UTC (permalink / raw)
  To: stable
  Cc: kovalev, abuehaze, smfrench, greg, linux-cifs, keescook,
	darren.kenny, pc, nspmangalore, vegard.nossum,
	Harshit Mogalapalli

Bug: After mounting the cifs fs, it complains with "Resource temporarily
unavailable" messages.

[root@vm1 xfstests-dev]# ./check -g quick -s smb3
TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
[root@vm1 xfstests-dev]# df
df: /mnt/test: Resource temporarily unavailable

Paul's analysis of the bug:

	The bug is related to an off-by-one in smb2_set_next_command() when
	the client attempts to pad the SMB2_QUERY_INFO request -- since it isn't
	8 byte aligned -- even though smb2_query_info_compound() doesn't
	provide an extra iov for such padding.

	v5.10.y doesn't have

	eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")

	and the commit does

		if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
			     len > CIFSMaxBufSize))
			return -EINVAL;

	so sizeof(*req) will wrongly include the extra byte from
	smb2_query_info_req::Buffer making @len unaligned and therefore causing
	OOB in smb2_set_next_command().

Fixes: 203a412e52b5 ("smb: client: fix OOB in SMB2_query_info_init()")
Suggested-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This patch is only for the v5.10.y stable kernel.
I have tested the patched kernel; after mounting, it doesn't become
unavailable.

Context:
[1] https://lore.kernel.org/all/CAH2r5mv2ipr4KJfMDXwHgq9L+kGdnRd1C2svcM=PCoDjA7uALA@mail.gmail.com/#t

Note to Greg: This is an alternative way to fix it without taking commit
eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with
flex-arrays").
Before applying this patch, a patch in the queue needs to be removed: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch

As I have stated in [1], I am unsure which is the best way, but this
commit eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with
flex-arrays") is not in 5.15.y so I think we shouldn't queue it in
5.10.y.
---
 fs/cifs/smb2pdu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 76679dc4e6328..514e2cf44d951 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3379,7 +3379,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
 
 	iov[0].iov_base = (char *)req;
 	/* 1 for Buffer */
-	iov[0].iov_len = len;
+	iov[0].iov_len = len - 1;
 	return 0;
 }
 
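Review bot: the `/* 1 for Buffer */` comment kept above `iov[0].iov_len = len - 1;` no longer says what the 1 is subtracted from, and the reason (on 5.10 `sizeof(*req)` still counts the one-byte `Buffer[1]` placeholder, so the `len` produced by the quoted `check_add_overflow(input_len, sizeof(*req), &len)` line is one byte over the on-wire size and not 8-byte aligned) lives only in the commit message. Suggest rewording it in the hunk, e.g. `/* sizeof(*req) counts the 1-byte Buffer placeholder; drop it so iov_len is 8-byte aligned for compounding */`, so the next reader does not "correct" it back to `len`. The subtraction itself is safe: `len` is at least `sizeof(*req)`, so it cannot underflow, and the earlier `len > CIFSMaxBufSize` bound stays conservative because it still checks the one-byte-larger value.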
-- 
2.34.1
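As an added example, not code from the kernel or from the patch author, the C program below models the two struct layouts Paul's analysis contrasts and the compound-padding step that trips over the difference. The field list follows the SMB2 QUERY_INFO request (64-byte header plus 40 fixed body bytes) as modelled here; the 105-versus-104 sizes come from this model, the thread itself only states that `sizeof(*req)` is one byte too large. `compound_pad()` is a stand-in for the padding logic in smb2_set_next_command(), reduced to the question the analysis raises: does an unaligned length force an extra iov that the caller never provided?

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of struct smb2_query_info_req in its two layouts. The
 * field list follows the SMB2 QUERY_INFO request (64-byte header, then the
 * 40 fixed body bytes) as modelled here; the only difference between the two
 * is the trailing Buffer member, which is the point of the patch.
 */
struct qi_req_510 {		/* 5.10.y: one-element array, counted by sizeof */
	uint8_t  sync_hdr[64];
	uint16_t StructureSize;
	uint8_t  InfoType;
	uint8_t  FileInfoClass;
	uint32_t OutputBufferLength;
	uint16_t InputBufferOffset;
	uint16_t Reserved;
	uint32_t InputBufferLength;
	uint32_t AdditionalInformation;
	uint32_t Flags;
	uint64_t PersistentFileId;
	uint64_t VolatileFileId;
	uint8_t  Buffer[1];
} __attribute__((packed));

struct qi_req_flex {		/* after eb3e28c1e89b: flexible array, not counted */
	uint8_t  sync_hdr[64];
	uint16_t StructureSize;
	uint8_t  InfoType;
	uint8_t  FileInfoClass;
	uint32_t OutputBufferLength;
	uint16_t InputBufferOffset;
	uint16_t Reserved;
	uint32_t InputBufferLength;
	uint32_t AdditionalInformation;
	uint32_t Flags;
	uint64_t PersistentFileId;
	uint64_t VolatileFileId;
	uint8_t  Buffer[];
} __attribute__((packed));

/* len as the quoted check_add_overflow(input_len, sizeof(*req), &len) computes it. */
size_t qi_len_510(size_t input_len)  { return input_len + sizeof(struct qi_req_510); }
size_t qi_len_flex(size_t input_len) { return input_len + sizeof(struct qi_req_flex); }

/* iov_len after the patch: the 5.10 len minus the one-byte Buffer placeholder. */
size_t qi_iov_len_patched(size_t input_len) { return qi_len_510(input_len) - 1; }

/*
 * Model (not the kernel's code) of the compound-padding step in
 * smb2_set_next_command(): requests in a compound must be 8-byte aligned,
 * and padding is appended as an extra iov at index nvec. Returns the padding
 * length, or -1 when padding is needed but the caller's iov array
 * (iov_slots entries) has no free slot, which is the out-of-bounds write
 * the commit message describes.
 */
int compound_pad(size_t len, unsigned nvec, unsigned iov_slots)
{
	unsigned num_padding = (8 - (len & 7)) & 7;

	if (num_padding == 0)
		return 0;
	if (nvec >= iov_slots)
		return -1;
	return (int)num_padding;
}

int main(void)
{
	/* A plain QUERY_INFO carries no input buffer, and the compound caller
	 * hands in a single iov, as smb2_query_info_compound() does. */
	size_t unpatched = qi_len_510(0), patched = qi_iov_len_patched(0);

	printf("sizeof: 5.10 %zu, flex %zu\n",
	       sizeof(struct qi_req_510), sizeof(struct qi_req_flex));
	printf("unpatched len %zu -> pad %d\n", unpatched, compound_pad(unpatched, 1, 1));
	printf("patched   len %zu -> pad %d\n", patched, compound_pad(patched, 1, 1));
	return 0;
}
```

With the 5.10 layout the computed length is 105, which needs 7 bytes of padding and therefore a second iov the caller never allocated; dropping the placeholder byte gives 104, which is already aligned and matches what the flex-array layout produces for every input_len.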



Thread overview: 5+ messages
2024-01-29  5:43 [PATCH 5.10.y] cifs: fix off-by-one in SMB2_query_info_init() Harshit Mogalapalli
2024-01-29  8:19 ` kovalev
2024-01-29 16:27   ` Harshit Mogalapalli
2024-01-29 16:37     ` Greg KH
2024-01-29 16:52       ` Harshit Mogalapalli
