Linux CIFS filesystem development
From: Dan Carpenter <dan.carpenter@oracle.com>
To: linkinjeon@kernel.org
Cc: linux-cifs@vger.kernel.org
Subject: [bug report] ksmbd: fix heap-based overflow in set_ntacl_dacl()
Date: Thu, 4 Aug 2022 17:33:04 +0300
Message-ID: <YuvYoM5nknSDxJFj@kili>

Hello Namjae Jeon,

The patch 982979772f2b: "ksmbd: fix heap-based overflow in
set_ntacl_dacl()" from Jul 28, 2022, leads to the following Smatch
static checker warning:

	fs/ksmbd/smb2pdu.c:5182 smb2_get_info_sec()
	error: uninitialized symbol 'secdesclen'.

fs/ksmbd/smb2pdu.c
    5109 static int smb2_get_info_sec(struct ksmbd_work *work,
    5110                              struct smb2_query_info_req *req,
    5111                              struct smb2_query_info_rsp *rsp)
    5112 {
    5113         struct ksmbd_file *fp;
    5114         struct user_namespace *user_ns;
    5115         struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
    5116         struct smb_fattr fattr = {{0}};
    5117         struct inode *inode;
    5118         __u32 secdesclen;
    5119         unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
    5120         int addition_info = le32_to_cpu(req->AdditionalInformation);
    5121         int rc = 0, ppntsd_size = 0;
    5122 
    5123         if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
    5124                               PROTECTED_DACL_SECINFO |
    5125                               UNPROTECTED_DACL_SECINFO)) {
    5126                 ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
    5127                        addition_info);
    5128 
    5129                 pntsd->revision = cpu_to_le16(1);
    5130                 pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
    5131                 pntsd->osidoffset = 0;
    5132                 pntsd->gsidoffset = 0;
    5133                 pntsd->sacloffset = 0;
    5134                 pntsd->dacloffset = 0;
    5135 
    5136                 secdesclen = sizeof(struct smb_ntsd);
    5137                 rsp->OutputBufferLength = cpu_to_le32(secdesclen);
    5138                 inc_rfc1001_len(work->response_buf, secdesclen);
    5139 
    5140                 return 0;
    5141         }
    5142 
    5143         if (work->next_smb2_rcv_hdr_off) {
    5144                 if (!has_file_id(req->VolatileFileId)) {
    5145                         ksmbd_debug(SMB, "Compound request set FID = %llu\n",
    5146                                     work->compound_fid);
    5147                         id = work->compound_fid;
    5148                         pid = work->compound_pfid;
    5149                 }
    5150         }
    5151 
    5152         if (!has_file_id(id)) {
    5153                 id = req->VolatileFileId;
    5154                 pid = req->PersistentFileId;
    5155         }
    5156 
    5157         fp = ksmbd_lookup_fd_slow(work, id, pid);
    5158         if (!fp)
    5159                 return -ENOENT;
    5160 
    5161         user_ns = file_mnt_user_ns(fp->filp);
    5162         inode = file_inode(fp->filp);
    5163         ksmbd_acls_fattr(&fattr, user_ns, inode);
    5164 
    5165         if (test_share_config_flag(work->tcon->share_conf,
    5166                                    KSMBD_SHARE_FLAG_ACL_XATTR))
    5167                 ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, user_ns,
    5168                                                      fp->filp->f_path.dentry,
    5169                                                      &ppntsd);
    5170 
    5171         /* Check if sd buffer size exceeds response buffer size */
    5172         if (smb2_resp_buf_len(work, 8) > ppntsd_size)
    5173                 rc = build_sec_desc(user_ns, pntsd, ppntsd, ppntsd_size,
    5174                                     addition_info, &secdesclen, &fattr);

"secdesclen" is not initialized on the else path.

    5175         posix_acl_release(fattr.cf_acls);
    5176         posix_acl_release(fattr.cf_dacls);
    5177         kfree(ppntsd);
    5178         ksmbd_fd_put(work, fp);
    5179         if (rc)
    5180                 return rc;
    5181 
--> 5182         rsp->OutputBufferLength = cpu_to_le32(secdesclen);
    5183         inc_rfc1001_len(work->response_buf, secdesclen);
    5184         return 0;
    5185 }

regards,
dan carpenter
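The uninitialized-length path that the Smatch warning points at, as an added user-space model (not code from the report or from ksmbd): the unfixed variant mirrors the quoted tail of smb2_get_info_sec(), with a `stale` parameter standing in for whatever the unset stack slot holds, and a fail-closed variant initializes the length and rejects a security descriptor that does not fit. The helper names and the choice of -EINVAL are assumptions, not the patch that was eventually applied.

```c
/* Added example, not from the report or the ksmbd tree: a user-space model of
 * the tail of smb2_get_info_sec() quoted above. Helper names and the choice of
 * -EINVAL for the "SD does not fit" case are assumptions. */
#include <errno.h>
#include <stdint.h>

struct resp_model {
    uint32_t output_len;   /* models rsp->OutputBufferLength */
    uint32_t rfc1001_len;  /* models the length inc_rfc1001_len() grows */
};

/* Stand-in for build_sec_desc(): reports an SD of sd_len bytes. */
static int build_sd_model(uint32_t sd_len, uint32_t *secdesclen)
{
    *secdesclen = sd_len;
    return 0;
}

/* Mirrors the quoted code. 'stale' stands in for whatever the uninitialized
 * stack slot happens to hold, so the bug is reproducible here. */
static int get_info_sec_unfixed(struct resp_model *r, uint32_t resp_space,
                                uint32_t sd_len, uint32_t stale)
{
    uint32_t secdesclen = stale;   /* in the kernel: __u32 secdesclen; */
    int rc = 0;
    if (resp_space > sd_len)       /* smb2_resp_buf_len(work, 8) > ppntsd_size */
        rc = build_sd_model(sd_len, &secdesclen);
    if (rc)
        return rc;
    r->output_len = secdesclen;    /* garbage when the SD did not fit */
    r->rfc1001_len += secdesclen;
    return 0;
}

/* Fail-closed variant: initialize the length and reject an SD that does not
 * fit, so neither length field is ever set from an unset variable. */
static int get_info_sec_fixed(struct resp_model *r, uint32_t resp_space,
                              uint32_t sd_len)
{
    uint32_t secdesclen = 0;
    int rc;
    if (resp_space <= sd_len)
        return -EINVAL;            /* assumed error choice, see lead-in */
    rc = build_sd_model(sd_len, &secdesclen);
    if (rc)
        return rc;
    r->output_len = secdesclen;
    r->rfc1001_len += secdesclen;
    return 0;
}
```

The second unfixed call below the fit threshold is the case Smatch flags: the response length and the RFC1001 length both pick up the stale value while the function still reports success.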

Thread overview: 3+ messages
2022-08-04 14:33 Dan Carpenter [this message]
2022-08-04 23:03 ` [bug report] ksmbd: fix heap-based overflow in set_ntacl_dacl() Namjae Jeon
2022-08-05 11:42   ` Dan Carpenter