* [PATCH] cifs: fix buffer overrun in parse_DFS_referrals
@ 2008-12-16 15:04 Jeff Layton
2008-12-17 3:34 ` Steve French
From: Jeff Layton @ 2008-12-16 15:04 UTC (permalink / raw)
To: smfrench, niallain
Cc: linux-fsdevel, linux-cifs-client, linux-kernel, smfrench
While testing a kernel with memory poisoning enabled, I saw some warnings
about the redzone getting clobbered when chasing DFS referrals. The
buffer allocation for the unicode converted version of the searchName is
too small and needs to take null termination into account.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
fs/cifs/cifssmb.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 9395928..824df14 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -3992,7 +3992,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
node->flags = le16_to_cpu(pSMBr->DFSFlags);
if (is_unicode) {
- __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL);
+ __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
+ GFP_KERNEL);
cifsConvertToUCS((__le16 *) tmp, searchName,
PATH_MAX, nls_codepage, remap);
node->path_consumed = hostlen_fromUCS(tmp,
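Review bot: the bound passed to cifsConvertToUCS on the unchanged lines right after the change is still PATH_MAX, not the size of the buffer just allocated, so the allocation size and the converter's limit are computed independently and the `+ 2` only works because the converter happens to stop at the source NUL. Deriving both from one variable (for example `len = strlen(searchName) + 1;` then `kmalloc(len * 2, GFP_KERNEL)` and passing `len` as the limit) would keep them in step and make it obvious that the extra 2 bytes are the 16-bit terminator.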
--
1.5.5.1
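The sizing rule in the commit message, shown as an added userspace C example that is not part of the patch or of the CIFS code: `ucs2_buf_bytes` computes the post-patch allocation, `convert_to_ucs2le` is a hypothetical stand-in for the kernel converter (an identity codepage rather than an NLS table, but with the same shape: bounded by a limit in characters, and always writing a 16-bit terminator), and `conversion_clobbers_redzone` places a guard word after the buffer, the way a poisoned allocator's redzone would sit, to show that the pre-patch `strlen*2` size lets the terminator land on the guard while `strlen*2 + 2` does not. All names and the sample path are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for the UCS-2LE form of a NUL-terminated byte string,
 * 16-bit terminator included: one code unit per source byte plus one
 * for the terminator. This is what strlen(searchName)*2 + 2 computes. */
size_t ucs2_buf_bytes(const char *s)
{
    return (strlen(s) + 1) * 2;
}

/* Hypothetical stand-in for the converter: maps each source byte to one
 * little-endian 16-bit code unit (identity codepage, not the kernel's NLS
 * tables), converts at most maxlen source characters, then always writes
 * the 16-bit terminator. Returns the number of code units written,
 * terminator excluded. */
size_t convert_to_ucs2le(uint8_t *dst, const char *src, size_t maxlen)
{
    size_t i;
    for (i = 0; i < maxlen && src[i] != '\0'; i++) {
        dst[2 * i]     = (uint8_t)src[i];
        dst[2 * i + 1] = 0;
    }
    dst[2 * i]     = 0;   /* terminator lands at byte offset 2*strlen(src) */
    dst[2 * i + 1] = 0;
    return i;
}

/* Simulated redzone: allocate alloc_bytes for the target, put a guard word
 * directly after it, convert with a PATH_MAX-style limit far larger than
 * the buffer (as the driver does), and report 1 if the guard was
 * overwritten, 0 if it is intact, -1 on allocation failure. */
int conversion_clobbers_redzone(const char *search_name, size_t alloc_bytes)
{
    static const uint8_t guard[2] = { 0xA5, 0x5A };
    uint8_t *block = malloc(alloc_bytes + sizeof guard);
    int clobbered;

    if (block == NULL)
        return -1;
    memcpy(block + alloc_bytes, guard, sizeof guard);
    convert_to_ucs2le(block, search_name, 4096 /* PATH_MAX-like limit */);
    clobbered = memcmp(block + alloc_bytes, guard, sizeof guard) != 0;
    free(block);
    return clobbered;
}

int main(void)
{
    /* constructed sample referral path, not taken from the thread */
    const char *name = "\\\\server\\share\\dir";
    size_t old_size = strlen(name) * 2;      /* pre-patch allocation  */
    size_t new_size = ucs2_buf_bytes(name);  /* post-patch allocation */

    printf("old size %zu: redzone clobbered = %d\n", old_size,
           conversion_clobbers_redzone(name, old_size));
    printf("new size %zu: redzone clobbered = %d\n", new_size,
           conversion_clobbers_redzone(name, new_size));
    return 0;
}
```

The guard check is the userspace analogue of what the poisoned kernel allocator reported: the two-byte overrun is exactly the terminator, which is why the fix is `+ 2` and not a larger margin.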
* Re: [PATCH] cifs: fix buffer overrun in parse_DFS_referrals
2008-12-16 15:04 [PATCH] cifs: fix buffer overrun in parse_DFS_referrals Jeff Layton
@ 2008-12-17 3:34 ` Steve French
From: Steve French @ 2008-12-17 3:34 UTC (permalink / raw)
To: Jeff Layton
Cc: niallain, smfrench, linux-cifs-client, linux-fsdevel,
linux-kernel, Linus Torvalds
Jeff,
Would you add my ack, and the cc: for stable and send to Linus? I
think this should go in.
On Tue, Dec 16, 2008 at 9:04 AM, Jeff Layton <jlayton@redhat.com> wrote:
> While testing a kernel with memory poisoning enabled, I saw some warnings
> about the redzone getting clobbered when chasing DFS referrals. The
> buffer allocation for the unicode converted version of the searchName is
> too small and needs to take null termination into account.
>
> Signed-off-by: Jeff Layton <jlayton@redhat.com>
> ---
> fs/cifs/cifssmb.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
> index 9395928..824df14 100644
> --- a/fs/cifs/cifssmb.c
> +++ b/fs/cifs/cifssmb.c
> @@ -3992,7 +3992,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
>
> node->flags = le16_to_cpu(pSMBr->DFSFlags);
> if (is_unicode) {
> - __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL);
> + __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
> + GFP_KERNEL);
> cifsConvertToUCS((__le16 *) tmp, searchName,
> PATH_MAX, nls_codepage, remap);
> node->path_consumed = hostlen_fromUCS(tmp,
> --
> 1.5.5.1
>
>
--
Thanks,
Steve
* [PATCH] cifs: fix buffer overrun in parse_DFS_referrals
@ 2008-12-17 11:31 Jeff Layton
2008-12-17 15:40 ` Renato S. Yamane
From: Jeff Layton @ 2008-12-17 11:31 UTC (permalink / raw)
To: torvalds, sfrench; +Cc: linux-kernel, stable, linux-cifs-client, linux-fsdevel
While testing a kernel with memory poisoning enabled, I saw some warnings
about the redzone getting clobbered when chasing DFS referrals. The
buffer allocation for the unicode converted version of the searchName is
too small and needs to take null termination into account.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
---
fs/cifs/cifssmb.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 9395928..824df14 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -3992,7 +3992,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
node->flags = le16_to_cpu(pSMBr->DFSFlags);
if (is_unicode) {
- __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL);
+ __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
+ GFP_KERNEL);
cifsConvertToUCS((__le16 *) tmp, searchName,
PATH_MAX, nls_codepage, remap);
node->path_consumed = hostlen_fromUCS(tmp,
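Review bot: the kmalloc return value on the changed line is still not checked before `tmp` is passed to cifsConvertToUCS, so an allocation failure here dereferences NULL. Since the patch already rewrites that line, adding the check (returning whatever error parse_DFS_referrals uses for its other allocation failures) would fit in the same change or a small follow-up.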
--
1.5.5.1
* Re: [PATCH] cifs: fix buffer overrun in parse_DFS_referrals
2008-12-17 11:31 Jeff Layton
@ 2008-12-17 15:40 ` Renato S. Yamane
2008-12-17 15:49 ` Jeff Layton
From: Renato S. Yamane @ 2008-12-17 15:40 UTC (permalink / raw)
To: Jeff Layton
Cc: torvalds, sfrench, linux-kernel, stable, linux-cifs-client,
linux-fsdevel
Jeff Layton wrote:
> ---
> fs/cifs/cifssmb.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
> index 9395928..824df14 100644
> --- a/fs/cifs/cifssmb.c
> +++ b/fs/cifs/cifssmb.c
> @@ -3992,7 +3992,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
>
> node->flags = le16_to_cpu(pSMBr->DFSFlags);
> if (is_unicode) {
> - __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL);
> + __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
> + GFP_KERNEL);
> cifsConvertToUCS((__le16 *) tmp, searchName,
> PATH_MAX, nls_codepage, remap);
> node->path_consumed = hostlen_fromUCS(tmp,
This patch can't be applied in -stable release:
yamane@mandachuva:~/kernel/linux-2.6.27.9$ patch -p1 < cifs.patch
patching file fs/cifs/cifssmb.c
patch unexpectedly ends in middle of line
Hunk #1 FAILED at 3992.
1 out of 1 hunk FAILED -- saving rejects to file fs/cifs/cifssmb.c.rej
Best regards,
Renato
* Re: [PATCH] cifs: fix buffer overrun in parse_DFS_referrals
2008-12-17 15:40 ` Renato S. Yamane
@ 2008-12-17 15:49 ` Jeff Layton
From: Jeff Layton @ 2008-12-17 15:49 UTC (permalink / raw)
To: Renato S. Yamane
Cc: sfrench, linux-fsdevel, torvalds, linux-cifs-client, stable,
linux-kernel
On Wed, 17 Dec 2008 13:40:56 -0200
"Renato S. Yamane" <yamane@diamondcut.com.br> wrote:
> Jeff Layton wrote:
> > ---
> > fs/cifs/cifssmb.c | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
> > index 9395928..824df14 100644
> > --- a/fs/cifs/cifssmb.c
> > +++ b/fs/cifs/cifssmb.c
> > @@ -3992,7 +3992,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
> >
> > node->flags = le16_to_cpu(pSMBr->DFSFlags);
> > if (is_unicode) {
> > - __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL);
> > + __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
> > + GFP_KERNEL);
> > cifsConvertToUCS((__le16 *) tmp, searchName,
> > PATH_MAX, nls_codepage, remap);
> > node->path_consumed = hostlen_fromUCS(tmp,
>
> This patch can't be applied in -stable release:
>
> yamane@mandachuva:~/kernel/linux-2.6.27.9$ patch -p1 < cifs.patch
> patching file fs/cifs/cifssmb.c
> patch unexpectedly ends in middle of line
> Hunk #1 FAILED at 3992.
> 1 out of 1 hunk FAILED -- saving rejects to file fs/cifs/cifssmb.c.rej
>
My apologies. The patch that introduced this problem isn't in stable
releases. You can drop this patch from the stable queue. Sorry for the false alarm.
It would be good for 2.6.28 kernels though since it's a regression and
possible memory corruptor.
Thanks,
--
Jeff Layton <jlayton@redhat.com>