From: "zhangxiaoxu (A)" <zhangxiaoxu5@huawei.com>
To: Tom Talpey <tom@talpey.com>, <linux-cifs@vger.kernel.org>,
<sfrench@samba.org>, <pc@cjr.nz>, <lsahlber@redhat.com>,
<sprasad@microsoft.com>, <rohiths@microsoft.com>,
<smfrench@gmail.com>, <linkinjeon@kernel.org>,
<hyc.lee@gmail.com>
Subject: Re: [PATCH v4 2/5] ksmbd: Remove the wrong message length check of FSCTL_VALIDATE_NEGOTIATE_INFO
Date: Tue, 13 Sep 2022 17:32:34 +0800 [thread overview]
Message-ID: <bf0f8145-9070-028d-544b-42b172c6e419@huawei.com> (raw)
In-Reply-To: <6cf00762-f446-490c-5e88-79382962e985@talpey.com>
在 2022/9/2 21:28, Tom Talpey 写道:
> On 9/1/2022 10:24 AM, Zhang Xiaoxu wrote:
>> The struct validate_negotiate_info_req change from variable-length array
>> to reguler array, but the message length check is unchanged.
>>
>> The fsctl_validate_negotiate_info() already check the message length, so
>> remove it from smb2_ioctl().
>>
>> Fixes: c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and move its struct to smbfs_common")
>> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
>> Cc: <stable@vger.kernel.org>
>> ---
>> fs/ksmbd/smb2pdu.c | 3 ---
>> 1 file changed, 3 deletions(-)
>>
>> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
>> index c49f65146ab3..c9f400bbb814 100644
>> --- a/fs/ksmbd/smb2pdu.c
>> +++ b/fs/ksmbd/smb2pdu.c
>> @@ -7640,9 +7640,6 @@ int smb2_ioctl(struct ksmbd_work *work)
>> goto out;
>> }
>> - if (in_buf_len < sizeof(struct validate_negotiate_info_req))
>> - return -EINVAL;
>> -
>
> This actually fixes a different bug, which the comment needs to mention.
> The structure size includes 4 dialect slots, but the protocol does not
> require the client to send all 4. So this allows the negotiation to not
> fail. Which is good.
>
> But there are two other issues now.
>
> 1) The code no longer checks that a complete validate negotiate header
> is present before dereferencing neg_req->DialectCount. This code will
> fetch the DialectCount potentially beyond the end of an invalid short
> packet:
Yes, if no judgement the length before dereferencing 'DialectCount',
OOB read will occur.>
> fsctl_validate_negotiate_info():
>
> if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) +
> le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
> return -EINVAL;
>
> dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects,
> neg_req->DialectCount);
>
> 2) The DialectCount is an le16, which can be negative. A small invalid
After precompile the smb2pdu.c:
typedef unsigned short __u16; # include/uapi/asm-generic/int-ll64.h
typedef __u16 __le16; # include/uapi/linux/types.h
struct validate_negotiate_info_req {
__le32 Capabilities;
__u8 Guid[16];
__le16 SecurityMode;
__le16 DialectCount;
__le16 Dialects[];
} __attribute__((__packed__));
The DialectCount is unsigned, can't be negative.
Even the 'DialectCount' is big enough to USHRT_MAX(65535), according
integer promotions, it also can't be overflow to negative since the
sizeof(__le16) is only 2.
So, I think the expression is correct now.
> negative value may pass this test and proceed to process the array,
> which would be bad. This is an existing issue, but should be fixed
> since you now need to correct the test anyway.
>
> Tom.
>
>
>> if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
>> return -EINVAL; >
next prev parent reply other threads:[~2022-09-13 9:32 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 14:24 [PATCH v4 0/5] Fix some bug in FSCTL_VALIDATE_NEGOTIATE_INFO handler Zhang Xiaoxu
2022-09-01 14:24 ` [PATCH v4 1/5] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Zhang Xiaoxu
2022-09-02 12:52 ` Tom Talpey
2022-09-01 14:24 ` [PATCH v4 2/5] ksmbd: Remove the wrong message length check of FSCTL_VALIDATE_NEGOTIATE_INFO Zhang Xiaoxu
2022-09-02 13:28 ` Tom Talpey
2022-09-02 14:47 ` Namjae Jeon
2022-09-05 2:19 ` huaweicloud
2022-09-05 2:29 ` zhangxiaoxu (A)
2022-09-06 23:50 ` Namjae Jeon
2022-09-13 9:32 ` zhangxiaoxu (A) [this message]
2022-09-01 14:24 ` [PATCH v4 3/5] ksmbd: Fix wrong return value in smb2_ioctl() when wrong out_buf_len Zhang Xiaoxu
2022-09-02 13:29 ` Tom Talpey
2022-09-02 14:35 ` Namjae Jeon
2022-09-01 14:24 ` [PATCH v4 4/5] cifs: Add neg dialects info to smb version values Zhang Xiaoxu
2022-09-02 13:31 ` Tom Talpey
2022-09-01 14:24 ` [PATCH v4 5/5] cifs: Refactor dialects in validate_negotiate_info_req to variable array Zhang Xiaoxu
2022-09-02 13:34 ` Tom Talpey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bf0f8145-9070-028d-544b-42b172c6e419@huawei.com \
--to=zhangxiaoxu5@huawei.com \
--cc=hyc.lee@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=lsahlber@redhat.com \
--cc=pc@cjr.nz \
--cc=rohiths@microsoft.com \
--cc=sfrench@samba.org \
--cc=smfrench@gmail.com \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox