Subject: Re: [PATCH 4.4 13/74] cifs: fix out-of-bounds access in lease parsing
From: Ben Hutchings
To: Steve French
Cc: Justin Maggard, Stable, Greg Kroah-Hartman, LKML
Date: Wed, 09 Mar 2016 16:17:08 +0000
Message-ID: <1457540228.3001.12.camel@decadent.org.uk>
References: <20160308000315.294406921@linuxfoundation.org> <20160308000315.712589111@linuxfoundation.org> <1457495231.27389.33.camel@decadent.org.uk>

On Tue, 2016-03-08 at 22:23 -0600, Steve French wrote:
> On Tue, Mar 8, 2016 at 9:47 PM, Ben Hutchings wrote:
> >
> > On Mon, 2016-03-07 at 16:02 -0800, Greg Kroah-Hartman wrote:
> > >
> > > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Justin Maggard
> > >
> > > commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.
> > >
> > > When opening a file, SMB2_open() attempts to parse the lease state from the
> > > SMB2 CREATE Response.  However, the parsing code was not careful to ensure
> > > that the create contexts are not empty or invalid, which can lead to out-
> > > of-bounds memory access.  This can be seen easily by trying
> > > to read a file from an OSX 10.11 SMB3 server.  Here is sample crash output:
[...]
> > > --- a/fs/cifs/smb2pdu.c
> > > +++ b/fs/cifs/smb2pdu.c
> > > @@ -1109,21 +1109,25 @@ parse_lease_state(struct TCP_Server_Info
> > >  {
> > >       char *data_offset;
> > >       struct create_context *cc;
> > > -     unsigned int next = 0;
> > > +     unsigned int next;
> > > +     unsigned int remaining;
> > >       char *name;
> > >
> > >       data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset);
> > > +     remaining = le32_to_cpu(rsp->CreateContextsLength);
> > What if remaining is > the response length?
> Do you want to do the followon patch to check for that, or do you want me
> to write up a small patch for that?
[...]

I'm not likely to find time to dig into cifs, so please do work on the
complete fix.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
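Review bot: `remaining = le32_to_cpu(rsp->CreateContextsLength)` takes the parsing bound straight from the server's response, and nothing in this hunk checks it, or `data_offset` computed from `rsp->CreateContextsOffset` on the line above, against the number of bytes actually received, so a peer can still claim a context block larger than the PDU it sent; validate that `CreateContextsOffset + CreateContextsLength` fits inside the received response length before the loop consumes `remaining`, which is exactly the follow-on question Ben raises in this thread.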
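The check Ben asks about, as an added example that is not code from the kernel or from anyone in this thread: a hypothetical, simplified create-context walker in C that validates the peer-supplied CreateContextsOffset/CreateContextsLength against the bytes actually received, and each context's name, data and Next fields against what remains, before touching any of them. The 16-byte context header layout and the lease context name "RqLs" follow MS-SMB2; the function names and the sample response bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified walk over the create contexts of an SMB2 CREATE
 * response; not the kernel's code. Each context starts with a 16-byte header
 * (Next, NameOffset, NameLength, Reserved, DataOffset, DataLength, MS-SMB2). */
#define CC_HDR_LEN 16
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* rsp_len is what was actually received, never a peer-supplied field. Returns 1
 * if `name` was found (data bounds in *doff/*dlen), 0 if the chain ended without
 * it, -1 if any peer-supplied offset or length escapes the received bytes. */
int find_create_context(const uint8_t *rsp, size_t rsp_len, uint32_t ctx_off,
                        uint32_t ctx_len, const char *name, size_t *doff, size_t *dlen)
{
    if (ctx_off > rsp_len || ctx_len > rsp_len - ctx_off)
        return -1;                          /* CreateContextsLength exceeds the PDU */
    size_t pos = ctx_off, remaining = ctx_len;
    while (remaining >= CC_HDR_LEN) {
        const uint8_t *cc = rsp + pos;
        uint32_t next = rd32(cc), dln = rd32(cc + 12);
        uint16_t noff = rd16(cc + 4), nlen = rd16(cc + 6), dof = rd16(cc + 10);
        /* name and data must lie inside this context's own remaining bytes */
        if (noff > remaining || nlen > remaining - noff) return -1;
        if (dof > remaining || dln > remaining - dof) return -1;
        if (nlen == strlen(name) && memcmp(cc + noff, name, nlen) == 0) {
            *doff = pos + dof; *dlen = dln;
            return 1;
        }
        if (next == 0) return 0;            /* last link in the chain */
        if (next < CC_HDR_LEN || next > remaining) return -1;
        pos += next; remaining -= next;
    }
    return remaining == 0 ? 0 : -1;         /* empty is fine, a partial header is not */
}
/* Constructed sample: 8 filler bytes, then one 24-byte "RqLs" (lease) context
 * carrying 4 data bytes, i.e. CreateContextsOffset 8, CreateContextsLength 24. */
static const uint8_t SAMPLE_RSP[] = {
    0,0,0,0, 0,0,0,0,
    0,0,0,0, 16,0, 4,0, 0,0, 20,0, 4,0,0,0, /* Next=0, name@16 len 4, data@20 len 4 */
    'R','q','L','s', 0x01,0x02,0x03,0x04,
};
size_t lease_off, lease_len;  /* filled in by check_lease_context on success */
/* Look up "RqLs" in the sample with the given (possibly bogus) offset/length. */
int check_lease_context(uint32_t ctx_off, uint32_t ctx_len)
{
    return find_create_context(SAMPLE_RSP, sizeof SAMPLE_RSP, ctx_off, ctx_len,
                               "RqLs", &lease_off, &lease_len);
}
```

Passing the sample's true bounds finds the lease data at offset 28; a CreateContextsLength larger than the received buffer, an offset past its end, or a context whose DataLength runs past the remaining bytes is rejected before any of it is read.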