From: Sergey Senozhatsky <senozhatsky@chromium.org>
To: Namjae Jeon <linkinjeon@kernel.org>
Cc: linux-cifs@vger.kernel.org, smfrench@gmail.com,
senozhatsky@chromium.org, tom@talpey.com,
atteh.mailbox@gmail.com, Pumpkin <cc85nod@gmail.com>
Subject: Re: [PATCH 1/6] ksmbd: fix global-out-of-bounds in smb2_find_context_vals
Date: Mon, 8 May 2023 10:05:06 +0900 [thread overview]
Message-ID: <20230508010506.GA11511@google.com> (raw)
In-Reply-To: <20230505151108.5911-1-linkinjeon@kernel.org>
On (23/05/06 00:11), Namjae Jeon wrote:
> From: Pumpkin <cc85nod@gmail.com>
>
> If the length of CreateContext name is larger than the tag, it will access
> the data following the tag and trigger KASAN global-out-of-bounds.
>
> Currently all CreateContext names are defined as string, so we can use
> strcmp instead of memcmp to avoid the out-of-bound access.
[..]
> +++ b/fs/ksmbd/oplock.c
> @@ -1492,7 +1492,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
> return ERR_PTR(-EINVAL);
>
> name = (char *)cc + name_off;
> - if (memcmp(name, tag, name_len) == 0)
> + if (!strcmp(name, tag))
> return cc;
>
> remain_len -= next;
I'm slightly surprised that that huge `if` before memcmp() doesn't catch
it
if ((next & 0x7) != 0 ||
next > remain_len ||
name_off != offsetof(struct create_context, Buffer) ||
name_len < 4 ||
name_off + name_len > cc_len ||
(value_off & 0x7) != 0 ||
(value_off && (value_off < name_off + name_len)) ||
((u64)value_off + value_len > cc_len))
return ERR_PTR(-EINVAL);
Is that because we should check `name_len` instead of `name_off + name_len`?
IOW
if (name_len != cc_len)
return ERR_PTR();
next prev parent reply other threads:[~2023-05-08 1:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 15:11 [PATCH 1/6] ksmbd: fix global-out-of-bounds in smb2_find_context_vals Namjae Jeon
2023-05-05 15:11 ` [PATCH 2/6] ksmbd: fix wrong UserName check in session_user Namjae Jeon
2023-05-06 3:10 ` Sergey Senozhatsky
2023-05-07 0:52 ` Namjae Jeon
2023-05-05 15:11 ` [PATCH 3/6] ksmbd: allocate one more byte for implied bcc[0] Namjae Jeon
2023-05-05 15:11 ` [PATCH 4/6] ksmbd: smb2: Allow messages padded to 8byte boundary Namjae Jeon
2023-05-05 15:11 ` [PATCH 5/6] ksmbd: remove unused ksmbd_tree_conn_share function Namjae Jeon
2023-05-08 1:07 ` Sergey Senozhatsky
2023-05-05 15:11 ` [PATCH 6/6] ksmbd: use kzalloc() instead of __GFP_ZERO Namjae Jeon
2023-05-08 1:06 ` Sergey Senozhatsky
2023-05-08 1:05 ` Sergey Senozhatsky [this message]
2023-05-08 12:58 ` [PATCH 1/6] ksmbd: fix global-out-of-bounds in smb2_find_context_vals Namjae Jeon
2023-05-09 3:05 ` Sergey Senozhatsky
[not found] ` <CAAn9K_vRCOtYZXRBDKY4GzPA-TyrQ_Zh-qssu51Vr6sTwg5w4w@mail.gmail.com>
2023-05-12 14:14 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230508010506.GA11511@google.com \
--to=senozhatsky@chromium.org \
--cc=atteh.mailbox@gmail.com \
--cc=cc85nod@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=smfrench@gmail.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox