[patch] cifs: integer overflow in parse_dacl()

[patch] cifs: integer overflow in parse_dacl()

[Dan Carpenter]

On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
leading to a smaller ppace buffer than we expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 72ddf23..c1b2544 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
 		umode_t group_mask = S_IRWXG;
 		umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
 
+		if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
+			return;
 		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
 				GFP_KERNEL);
 		if (!ppace) {

Re: [patch] cifs: integer overflow in parse_dacl()

[Jeff Layton]

On Wed, 11 Jan 2012 10:46:27 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> leading to a smaller ppace buffer than we expected.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> index 72ddf23..c1b2544 100644
> --- a/fs/cifs/cifsacl.c
> +++ b/fs/cifs/cifsacl.c
> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
>  		umode_t group_mask = S_IRWXG;
>  		umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
>  
> +		if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
> +			return;
>  		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
>  				GFP_KERNEL);
>  		if (!ppace) {


Looks plausible. This function could use some work. I'm not sure why
num_aces is signed here too...

The first arg to kmalloc is a size_t. Does that boil down to an unsigned
long on all arches?

-- 
Jeff Layton <jlayton@samba.org>

Re: [patch] cifs: integer overflow in parse_dacl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 1668 bytes --]

On Wed, Jan 11, 2012 at 07:20:29AM -0500, Jeff Layton wrote:
> On Wed, 11 Jan 2012 10:46:27 +0300
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> > On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> > leading to a smaller ppace buffer than we expected.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> > index 72ddf23..c1b2544 100644
> > --- a/fs/cifs/cifsacl.c
> > +++ b/fs/cifs/cifsacl.c
> > @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
> >  		umode_t group_mask = S_IRWXG;
> >  		umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
> >  
> > +		if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
> > +			return;
> >  		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
> >  				GFP_KERNEL);
> >  		if (!ppace) {
> 
> 
> Looks plausible. This function could use some work. I'm not sure why
> num_aces is signed here too...
> 
> The first arg to kmalloc is a size_t. Does that boil down to an unsigned
> long on all arches?

People have been submitting a lot of patches recently based on that
assumption.  It matches the check in kcalloc() as well.  According
to include/asm-generic/posix_types.h:

/*
 * Most 32 bit architectures use "unsigned int" size_t,
 * and all 64 bit architectures use "unsigned long" size_t.
 */

It would be better to user a lower limit, but I don't know the code
well enough to say if which one is good that won't break things...
A high number can trigger a kmalloc() failure and that puts annoying
spam in the dmesg.

regards,
dan carpenter

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [patch] cifs: integer overflow in parse_dacl()

[Jeff Layton]

[-- Attachment #1: Type: text/plain, Size: 1923 bytes --]

On Wed, 11 Jan 2012 15:41:32 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Wed, Jan 11, 2012 at 07:20:29AM -0500, Jeff Layton wrote:
> > On Wed, 11 Jan 2012 10:46:27 +0300
> > Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > > On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> > > leading to a smaller ppace buffer than we expected.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > 
> > > diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> > > index 72ddf23..c1b2544 100644
> > > --- a/fs/cifs/cifsacl.c
> > > +++ b/fs/cifs/cifsacl.c
> > > @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
> > >  		umode_t group_mask = S_IRWXG;
> > >  		umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
> > >  
> > > +		if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
> > > +			return;
> > >  		ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
> > >  				GFP_KERNEL);
> > >  		if (!ppace) {
> > 
> > 
> > Looks plausible. This function could use some work. I'm not sure why
> > num_aces is signed here too...
> > 
> > The first arg to kmalloc is a size_t. Does that boil down to an unsigned
> > long on all arches?
> 
> People have been submitting a lot of patches recently based on that
> assumption.  It matches the check in kcalloc() as well.  According
> to include/asm-generic/posix_types.h:
> 
> /*
>  * Most 32 bit architectures use "unsigned int" size_t,
>  * and all 64 bit architectures use "unsigned long" size_t.
>  */
> 
> It would be better to user a lower limit, but I don't know the code
> well enough to say if which one is good that won't break things...
> A high number can trigger a kmalloc() failure and that puts annoying
> spam in the dmesg.
> 
> regards,
> dan carpenter

Ok, thanks. In that case...

Acked-by: Jeff Layton <jlayton@samba.org>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [patch] cifs: integer overflow in parse_dacl()

[Shirish Pargaonkar]

On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> leading to a smaller ppace buffer than we expected.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> index 72ddf23..c1b2544 100644
> --- a/fs/cifs/cifsacl.c
> +++ b/fs/cifs/cifsacl.c
> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
>                umode_t group_mask = S_IRWXG;
>                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
>
> +               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))

Should an error/warning (like cifs client can't handle these many aces or
possible erroneous number of aces sent by server etc.) be logged before
returning?

> +                       return;
>                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
>                                GFP_KERNEL);
>                if (!ppace) {
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch] cifs: integer overflow in parse_dacl()

[Steve French]

On Wed, Jan 11, 2012 at 9:50 AM, Shirish Pargaonkar
<shirishpargaonkar@gmail.com> wrote:
> On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
>> leading to a smaller ppace buffer than we expected.
>>
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>
>> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
>> index 72ddf23..c1b2544 100644
>> --- a/fs/cifs/cifsacl.c
>> +++ b/fs/cifs/cifsacl.c
>> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
>>                umode_t group_mask = S_IRWXG;
>>                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
>>
>> +               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
>
> Should an error/warning (like cifs client can't handle these many aces or
> possible erroneous number of aces sent by server etc.) be logged before
> returning?
>
>> +                       return;
>>                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
>>                                GFP_KERNEL);
>>                if (!ppace) {

Perhaps.   Also note that you would overflow maximum smb size if num
aces is huge
so would you have even gotten this far?

-- 
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch] cifs: integer overflow in parse_dacl()

[Jeff Layton]

On Wed, 11 Jan 2012 11:24:03 -0600
Steve French <smfrench@gmail.com> wrote:

> On Wed, Jan 11, 2012 at 9:50 AM, Shirish Pargaonkar
> <shirishpargaonkar@gmail.com> wrote:
> > On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> >> leading to a smaller ppace buffer than we expected.
> >>
> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >>
> >> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> >> index 72ddf23..c1b2544 100644
> >> --- a/fs/cifs/cifsacl.c
> >> +++ b/fs/cifs/cifsacl.c
> >> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
> >>                umode_t group_mask = S_IRWXG;
> >>                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
> >>
> >> +               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
> >
> > Should an error/warning (like cifs client can't handle these many aces or
> > possible erroneous number of aces sent by server etc.) be logged before
> > returning?
> >
> >> +                       return;
> >>                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
> >>                                GFP_KERNEL);
> >>                if (!ppace) {
> 
> Perhaps.   Also note that you would overflow maximum smb size if num
> aces is huge
> so would you have even gotten this far?
> 

Only if the smb frame is properly formed. It's possible that it's
corrupt in such a way that the num_aces field is much larger than it
should be, but the rest of the frame looks OK.

-- 
Jeff Layton <jlayton@samba.org>

Re: [patch] cifs: integer overflow in parse_dacl()

[Steve French]

We could calculate max_aces based on a minimum sized ace and maximum
smb frame size (which would be 64K presumably for Windows for
non-Writes, but larger for Samba), but not sure if it is worth the
trouble unless you find a path where we would parse beyond end of
frame,

On Wed, Jan 11, 2012 at 12:20 PM, Jeff Layton <jlayton@samba.org> wrote:
> On Wed, 11 Jan 2012 11:24:03 -0600
> Steve French <smfrench@gmail.com> wrote:
>
>> On Wed, Jan 11, 2012 at 9:50 AM, Shirish Pargaonkar
>> <shirishpargaonkar@gmail.com> wrote:
>> > On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> >> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
>> >> leading to a smaller ppace buffer than we expected.
>> >>
>> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> >>
>> >> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
>> >> index 72ddf23..c1b2544 100644
>> >> --- a/fs/cifs/cifsacl.c
>> >> +++ b/fs/cifs/cifsacl.c
>> >> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
>> >>                umode_t group_mask = S_IRWXG;
>> >>                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
>> >>
>> >> +               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
>> >
>> > Should an error/warning (like cifs client can't handle these many aces or
>> > possible erroneous number of aces sent by server etc.) be logged before
>> > returning?
>> >
>> >> +                       return;
>> >>                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
>> >>                                GFP_KERNEL);
>> >>                if (!ppace) {
>>
>> Perhaps.   Also note that you would overflow maximum smb size if num
>> aces is huge
>> so would you have even gotten this far?
>>
>
> Only if the smb frame is properly formed. It's possible that it's
> corrupt in such a way that the num_aces field is much larger than it
> should be, but the rest of the frame looks OK.
>
> --
> Jeff Layton <jlayton@samba.org>



-- 
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch] cifs: integer overflow in parse_dacl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 618 bytes --]

On Wed, Jan 11, 2012 at 12:31:34PM -0600, Steve French wrote:
> We could calculate max_aces based on a minimum sized ace and maximum
> smb frame size (which would be 64K presumably for Windows for
> non-Writes, but larger for Samba), but not sure if it is worth the
> trouble unless you find a path where we would parse beyond end of
> frame,

This was a static checker test and I haven't tried to exploit it.
You guys are more familiar with the code obviously and you've lost
me with the talk about max_aces.  I don't see that anywhere in the
code...

$ grep max_aces fs/cifs/ -iR | wc -l
0

regards,
dan carpenter



[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [patch] cifs: integer overflow in parse_dacl()

[Steve French]

Merged into cifs-2.6.git

On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
> leading to a smaller ppace buffer than we expected.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> index 72ddf23..c1b2544 100644
> --- a/fs/cifs/cifsacl.c
> +++ b/fs/cifs/cifsacl.c
> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
>                umode_t group_mask = S_IRWXG;
>                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
>
> +               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
> +                       return;
>                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
>                                GFP_KERNEL);
>                if (!ppace) {
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html