From: Paulo Alcantara <pc@cjr.nz>
To: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>,
linux-cifs@vger.kernel.org, zhangxiaoxu5@huawei.com,
sfrench@samba.org, smfrench@gmail.com, lsahlber@redhat.com,
sprasad@microsoft.com, tom@talpey.com
Subject: Re: [PATCH v2] cifs: Fix OOB read in parse_server_interfaces()
Date: Mon, 21 Nov 2022 11:36:56 -0300
Message-ID: <875yf81iif.fsf@cjr.nz>
In-Reply-To: <20221118031222.3072694-1-zhangxiaoxu5@huawei.com>

Zhang Xiaoxu <zhangxiaoxu5@huawei.com> writes:
> There is an OOB read when decoding the server interfaces response:
>
> BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80
> Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402
>
> CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69
> Call Trace:
> <TASK>
> dump_stack_lvl+0x34/0x44
> print_report+0x171/0x472
> kasan_report+0xad/0x130
> kasan_check_range+0x145/0x1a0
> parse_server_interfaces+0x9ca/0xb80
> SMB3_request_interfaces+0x174/0x1e0
> smb3_qfs_tcon+0x150/0x2a0
> mount_get_conns+0x218/0x750
> cifs_mount+0x103/0xd00
> cifs_smb3_do_mount+0x1dd/0xcb0
> smb3_get_tree+0x1d5/0x300
> vfs_get_tree+0x41/0xf0
> path_mount+0x9b3/0xdd0
> __x64_sys_mount+0x190/0x1d0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Allocated by task 1402:
> kasan_save_stack+0x1e/0x40
> kasan_set_track+0x21/0x30
> __kasan_kmalloc+0x7a/0x90
> __kmalloc_node_track_caller+0x60/0x140
> kmemdup+0x22/0x50
> SMB2_ioctl+0x58d/0x5d0
> SMB3_request_interfaces+0xcd/0x1e0
> smb3_qfs_tcon+0x150/0x2a0
> mount_get_conns+0x218/0x750
> cifs_mount+0x103/0xd00
> cifs_smb3_do_mount+0x1dd/0xcb0
> smb3_get_tree+0x1d5/0x300
> vfs_get_tree+0x41/0xf0
> path_mount+0x9b3/0xdd0
> __x64_sys_mount+0x190/0x1d0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> It can be reproduced with mount.cifs over RDMA.
>
> When decoding of the ioctl(FSCTL_QUERY_NETWORK_INTERFACE_INFO) response is
> complete, the code still tries to decode 'p->Next' to check whether there
> is an interface not yet decoded. Since there is no more data in the
> response, an OOB read occurs.
>
> Let's just check the bytes not yet decoded to determine whether there is
> an incomplete interface in the response.
>
> Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> ---
> v2: Update commit message and fixes tag.
>
> fs/cifs/smb2ops.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)

Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
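As an added illustration of the kind of remaining-bytes check the patch above introduces (this is not the kernel's parse_server_interfaces() code; the record layout, the struct name iface_rec and the helpers put_rec/demo are hypothetical and simplified), the following parser walks a chain of Next-linked records and refuses to touch a record unless enough undecoded bytes remain:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical 40-byte record, not the kernel's struct
 * network_interface_info_ioctl_rsp: 'next' is the byte offset of the
 * following record and 0 marks the last one (byte order ignored here). */
struct iface_rec {
    uint32_t next, ifindex, capability, reserved;
    uint64_t linkspeed;
    uint8_t  sockaddr[16];
};

/* Return the record count of a 'len'-byte response, or -1 if malformed.
 * The bug above used p->Next alone as the stop condition, so a non-zero
 * Next after the last byte of the response made the parser read a record
 * from beyond the buffer.  Here the bytes not yet decoded are checked
 * before every record is touched. */
int parse_iface_list(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (len - off >= sizeof(struct iface_rec)) {
        struct iface_rec rec;
        memcpy(&rec, buf + off, sizeof rec);  /* no unaligned deref */
        count++;
        if (rec.next == 0)
            return count;                     /* properly terminated */
        if (rec.next < sizeof rec || rec.next > len - off)
            return -1;                        /* overlap or overrun */
        off += rec.next;
    }
    return -1;  /* bytes ran out before a terminating record */
}

/* Constructed samples: variant 0 = well formed (2 records), 1 = last Next
 * points past the end of the response, 2 = second record cut short. */
static void put_rec(uint8_t *buf, size_t off, uint32_t next, uint32_t idx)
{
    struct iface_rec rec = { .next = next, .ifindex = idx };
    memcpy(buf + off, &rec, sizeof rec);
}
int demo(int variant)
{
    uint8_t buf[80] = {0};
    put_rec(buf, 0, 40, 1);
    put_rec(buf, 40, variant == 1 ? 40 : 0, 2);
    return parse_iface_list(buf, variant == 2 ? 60 : sizeof buf);
}
```

Variant 1 is the shape of the reported crash: every byte of the response has been consumed, yet Next is still non-zero, so a parser that only tests Next walks off the end of the allocation.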
2022-11-18 3:12 [PATCH v2] cifs: Fix OOB read in parse_server_interfaces() Zhang Xiaoxu
2022-11-19 20:08 ` Steve French
2022-11-21 14:36 ` Paulo Alcantara [this message]