Re: [PATCH 2/4] ksmbd: add validation in smb2_ioctl

public inbox for linux-cifs@vger.kernel.org
 help / color / mirror / Atom feed

From: kernel test robot <lkp@intel.com>
To: Namjae Jeon <linkinjeon@kernel.org>, linux-cifs@vger.kernel.org
Cc: llvm@lists.linux.dev, kbuild-all@lists.01.org,
	"Namjae Jeon" <linkinjeon@kernel.org>,
	"Ronnie Sahlberg" <ronniesahlberg@gmail.com>,
	"Ralph Böhme" <slow@samba.org>,
	"Steve French" <smfrench@gmail.com>
Subject: Re: [PATCH 2/4] ksmbd: add validation in smb2_ioctl
Date: Sun, 19 Sep 2021 02:51:04 +0800	[thread overview]
Message-ID: <202109190257.fZUGN7K6-lkp@intel.com> (raw)
In-Reply-To: <20210918094513.89480-2-linkinjeon@kernel.org>

[-- Attachment #1: Type: text/plain, Size: 6667 bytes --]

Hi Namjae,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v5.15-rc1 next-20210917]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Namjae-Jeon/ksmbd-add-request-buffer-validation-in-smb2_set_info/20210918-174717
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4357f03d6611753936e4d52fc251b54a6afb1b54
config: hexagon-randconfig-r022-20210918 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project c8b3d7d6d6de37af68b2f379d0e37304f78e115f)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/57e7ede2bf2d38cb0f368f2fc54d646168b3d119
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Namjae-Jeon/ksmbd-add-request-buffer-validation-in-smb2_set_info/20210918-174717
        git checkout 57e7ede2bf2d38cb0f368f2fc54d646168b3d119
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=hexagon 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> fs/ksmbd/smb2pdu.c:7037:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
           if (chunk_count == 0)
               ^~~~~~~~~~~~~~~~
   fs/ksmbd/smb2pdu.c:7120:9: note: uninitialized use occurs here
           return ret;
                  ^~~
   fs/ksmbd/smb2pdu.c:7037:2: note: remove the 'if' if its condition is always false
           if (chunk_count == 0)
           ^~~~~~~~~~~~~~~~~~~~~
   fs/ksmbd/smb2pdu.c:7020:9: note: initialize the variable 'ret' to silence this warning
           int ret, cnt_code;
                  ^
                   = 0
   1 warning generated.


vim +7037 fs/ksmbd/smb2pdu.c

  7009	
  7010	static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
  7011				   struct smb2_ioctl_rsp *rsp)
  7012	{
  7013		struct copychunk_ioctl_req *ci_req;
  7014		struct copychunk_ioctl_rsp *ci_rsp;
  7015		struct ksmbd_file *src_fp = NULL, *dst_fp = NULL;
  7016		struct srv_copychunk *chunks;
  7017		unsigned int i, chunk_count, chunk_count_written = 0;
  7018		unsigned int chunk_size_written = 0;
  7019		loff_t total_size_written = 0;
  7020		int ret, cnt_code;
  7021	
  7022		cnt_code = le32_to_cpu(req->CntCode);
  7023		ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0];
  7024		ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0];
  7025	
  7026		rsp->VolatileFileId = req->VolatileFileId;
  7027		rsp->PersistentFileId = req->PersistentFileId;
  7028		ci_rsp->ChunksWritten =
  7029			cpu_to_le32(ksmbd_server_side_copy_max_chunk_count());
  7030		ci_rsp->ChunkBytesWritten =
  7031			cpu_to_le32(ksmbd_server_side_copy_max_chunk_size());
  7032		ci_rsp->TotalBytesWritten =
  7033			cpu_to_le32(ksmbd_server_side_copy_max_total_size());
  7034	
  7035		chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
  7036		chunk_count = le32_to_cpu(ci_req->ChunkCount);
> 7037		if (chunk_count == 0)
  7038			goto out;
  7039		total_size_written = 0;
  7040	
  7041		/* verify the SRV_COPYCHUNK_COPY packet */
  7042		if (chunk_count > ksmbd_server_side_copy_max_chunk_count() ||
  7043		    le32_to_cpu(req->InputCount) <
  7044		     offsetof(struct copychunk_ioctl_req, Chunks) +
  7045		     chunk_count * sizeof(struct srv_copychunk)) {
  7046			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
  7047			return -EINVAL;
  7048		}
  7049	
  7050		for (i = 0; i < chunk_count; i++) {
  7051			if (le32_to_cpu(chunks[i].Length) == 0 ||
  7052			    le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
  7053				break;
  7054			total_size_written += le32_to_cpu(chunks[i].Length);
  7055		}
  7056	
  7057		if (i < chunk_count ||
  7058		    total_size_written > ksmbd_server_side_copy_max_total_size()) {
  7059			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
  7060			return -EINVAL;
  7061		}
  7062	
  7063		src_fp = ksmbd_lookup_foreign_fd(work,
  7064						 le64_to_cpu(ci_req->ResumeKey[0]));
  7065		dst_fp = ksmbd_lookup_fd_slow(work,
  7066					      le64_to_cpu(req->VolatileFileId),
  7067					      le64_to_cpu(req->PersistentFileId));
  7068		ret = -EINVAL;
  7069		if (!src_fp ||
  7070		    src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) {
  7071			rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
  7072			goto out;
  7073		}
  7074	
  7075		if (!dst_fp) {
  7076			rsp->hdr.Status = STATUS_FILE_CLOSED;
  7077			goto out;
  7078		}
  7079	
  7080		/*
  7081		 * FILE_READ_DATA should only be included in
  7082		 * the FSCTL_COPYCHUNK case
  7083		 */
  7084		if (cnt_code == FSCTL_COPYCHUNK &&
  7085		    !(dst_fp->daccess & (FILE_READ_DATA_LE | FILE_GENERIC_READ_LE))) {
  7086			rsp->hdr.Status = STATUS_ACCESS_DENIED;
  7087			goto out;
  7088		}
  7089	
  7090		ret = ksmbd_vfs_copy_file_ranges(work, src_fp, dst_fp,
  7091						 chunks, chunk_count,
  7092						 &chunk_count_written,
  7093						 &chunk_size_written,
  7094						 &total_size_written);
  7095		if (ret < 0) {
  7096			if (ret == -EACCES)
  7097				rsp->hdr.Status = STATUS_ACCESS_DENIED;
  7098			if (ret == -EAGAIN)
  7099				rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
  7100			else if (ret == -EBADF)
  7101				rsp->hdr.Status = STATUS_INVALID_HANDLE;
  7102			else if (ret == -EFBIG || ret == -ENOSPC)
  7103				rsp->hdr.Status = STATUS_DISK_FULL;
  7104			else if (ret == -EINVAL)
  7105				rsp->hdr.Status = STATUS_INVALID_PARAMETER;
  7106			else if (ret == -EISDIR)
  7107				rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
  7108			else if (ret == -E2BIG)
  7109				rsp->hdr.Status = STATUS_INVALID_VIEW_SIZE;
  7110			else
  7111				rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
  7112		}
  7113	
  7114		ci_rsp->ChunksWritten = cpu_to_le32(chunk_count_written);
  7115		ci_rsp->ChunkBytesWritten = cpu_to_le32(chunk_size_written);
  7116		ci_rsp->TotalBytesWritten = cpu_to_le32(total_size_written);
  7117	out:
  7118		ksmbd_fd_put(work, src_fp);
  7119		ksmbd_fd_put(work, dst_fp);
  7120		return ret;
  7121	}
  7122	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 25522 bytes --]

next prev parent reply	other threads:[~2021-09-18 18:51 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-18  9:45 [PATCH 1/4] ksmbd: add request buffer validation in smb2_set_info Namjae Jeon
2021-09-18  9:45 ` [PATCH 2/4] ksmbd: add validation in smb2_ioctl Namjae Jeon
2021-09-18 18:51   ` kernel test robot [this message]
2021-09-18 21:43     ` Namjae Jeon
2021-09-18  9:45 ` [PATCH 3/4] ksmbd: add validatioin for FILE_FULL_EA_INFORMATION of smb2_get_info Namjae Jeon
2021-09-18 15:55   ` Steve French
2021-09-18 17:57     ` Steve French
2021-09-18 18:10     ` Ralph Boehme
2021-09-18  9:45 ` [PATCH 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT Namjae Jeon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202109190257.fZUGN7K6-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=kbuild-all@lists.01.org \
    --cc=linkinjeon@kernel.org \
    --cc=linux-cifs@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=ronniesahlberg@gmail.com \
    --cc=slow@samba.org \
    --cc=smfrench@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox