From: Dan Carpenter <dan.carpenter@oracle.com>
To: lsahlber@redhat.com
Cc: linux-cifs@vger.kernel.org
Subject: [bug report] cifs: refactor create_sd_buf() and and avoid corrupting the buffer
Date: Fri, 17 Sep 2021 14:58:20 +0300 [thread overview]
Message-ID: <20210917115820.GA27137@kili> (raw)
Hello Ronnie Sahlberg,
The patch ea64370bcae1: "cifs: refactor create_sd_buf() and and avoid
corrupting the buffer" from Nov 30, 2020, leads to the following
Smatch static checker warning:
fs/smbfs_client/smb2pdu.c:2425 create_sd_buf()
warn: struct type mismatch 'smb3_acl vs cifs_acl'
fs/smbfs_client/smb2pdu.c
2344 static struct crt_sd_ctxt *
2345 create_sd_buf(umode_t mode, bool set_owner, unsigned int *len)
2346 {
2347 struct crt_sd_ctxt *buf;
2348 __u8 *ptr, *aclptr;
2349 unsigned int acelen, acl_size, ace_count;
2350 unsigned int owner_offset = 0;
2351 unsigned int group_offset = 0;
2352 struct smb3_acl acl;
^^^^^^^^^^^^^^^^^^^
2353
2354 *len = roundup(sizeof(struct crt_sd_ctxt) + (sizeof(struct cifs_ace) * 4), 8);
2355
2356 if (set_owner) {
2357 /* sizeof(struct owner_group_sids) is already multiple of 8 so no need to round */
2358 *len += sizeof(struct owner_group_sids);
2359 }
2360
2361 buf = kzalloc(*len, GFP_KERNEL);
2362 if (buf == NULL)
2363 return buf;
2364
2365 ptr = (__u8 *)&buf[1];
2366 if (set_owner) {
2367 /* offset fields are from beginning of security descriptor not of create context */
2368 owner_offset = ptr - (__u8 *)&buf->sd;
2369 buf->sd.OffsetOwner = cpu_to_le32(owner_offset);
2370 group_offset = owner_offset + offsetof(struct owner_group_sids, group);
2371 buf->sd.OffsetGroup = cpu_to_le32(group_offset);
2372
2373 setup_owner_group_sids(ptr);
2374 ptr += sizeof(struct owner_group_sids);
2375 } else {
2376 buf->sd.OffsetOwner = 0;
2377 buf->sd.OffsetGroup = 0;
2378 }
2379
2380 buf->ccontext.DataOffset = cpu_to_le16(offsetof(struct crt_sd_ctxt, sd));
2381 buf->ccontext.NameOffset = cpu_to_le16(offsetof(struct crt_sd_ctxt, Name));
2382 buf->ccontext.NameLength = cpu_to_le16(4);
2383 /* SMB2_CREATE_SD_BUFFER_TOKEN is "SecD" */
2384 buf->Name[0] = 'S';
2385 buf->Name[1] = 'e';
2386 buf->Name[2] = 'c';
2387 buf->Name[3] = 'D';
2388 buf->sd.Revision = 1; /* Must be one see MS-DTYP 2.4.6 */
2389
2390 /*
2391 * ACL is "self relative" ie ACL is stored in contiguous block of memory
2392 * and "DP" ie the DACL is present
2393 */
2394 buf->sd.Control = cpu_to_le16(ACL_CONTROL_SR | ACL_CONTROL_DP);
2395
2396 /* offset owner, group and Sbz1 and SACL are all zero */
2397 buf->sd.OffsetDacl = cpu_to_le32(ptr - (__u8 *)&buf->sd);
2398 /* Ship the ACL for now. we will copy it into buf later. */
2399 aclptr = ptr;
2400 ptr += sizeof(struct cifs_acl);
2401
2402 /* create one ACE to hold the mode embedded in reserved special SID */
2403 acelen = setup_special_mode_ACE((struct cifs_ace *)ptr, (__u64)mode);
2404 ptr += acelen;
2405 acl_size = acelen + sizeof(struct smb3_acl);
^^^^^^^^^^^^^^^
2406 ace_count = 1;
2407
2408 if (set_owner) {
2409 /* we do not need to reallocate buffer to add the two more ACEs. plenty of space */
2410 acelen = setup_special_user_owner_ACE((struct cifs_ace *)ptr);
2411 ptr += acelen;
2412 acl_size += acelen;
2413 ace_count += 1;
2414 }
2415
2416 /* and one more ACE to allow access for authenticated users */
2417 acelen = setup_authusers_ACE((struct cifs_ace *)ptr);
2418 ptr += acelen;
2419 acl_size += acelen;
2420 ace_count += 1;
2421
2422 acl.AclRevision = ACL_REVISION; /* See 2.4.4.1 of MS-DTYP */
2423 acl.AclSize = cpu_to_le16(acl_size);
2424 acl.AceCount = cpu_to_le16(ace_count);
--> 2425 memcpy(aclptr, &acl, sizeof(struct cifs_acl));
^^^^^^^^^^^^^^^^^^^^^^^
smb3_acl and cifs_acl structs are both 8 bytes, but their data is quite
different.
(This old warnings are all showing up as new warnings because the file
was moved).
2426
2427 buf->ccontext.DataLength = cpu_to_le32(ptr - (__u8 *)&buf->sd);
2428 *len = roundup(ptr - (__u8 *)buf, 8);
2429
2430 return buf;
2431 }
regards,
dan carpenter
next reply other threads:[~2021-09-17 11:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-17 11:58 Dan Carpenter [this message]
2021-09-23 21:08 ` [bug report] cifs: refactor create_sd_buf() and and avoid corrupting the buffer Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210917115820.GA27137@kili \
--to=dan.carpenter@oracle.com \
--cc=linux-cifs@vger.kernel.org \
--cc=lsahlber@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox