FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree
@ 2018-09-23 19:28 gregkh
  2018-12-20 21:10 ` Sudip Mukherjee
  0 siblings, 1 reply; 4+ messages in thread
From: gregkh @ 2018-09-23 19:28 UTC (permalink / raw)
  To: dan.carpenter, aaptel, stable, stfrench; +Cc: stable


The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 2d204ee9d671327915260071c19350d84344e096 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 10 Sep 2018 14:12:07 +0300
Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl()

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6f0e6b42599c..f54d07bda067 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	/* We check for obvious errors in the output buffer length and offset */
 	if (*plen == 0)
 		goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
 		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
 		*plen = 0;
 		rc = -EIO;
 		goto ioctl_exit;
 	}
 
-	if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
 		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
 			le32_to_cpu(rsp->OutputOffset));
 		*plen = 0;

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree
  2018-09-23 19:28 FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree gregkh
@ 2018-12-20 21:10 ` Sudip Mukherjee
  2018-12-22  0:40   ` Sasha Levin
  0 siblings, 1 reply; 4+ messages in thread
From: Sudip Mukherjee @ 2018-12-20 21:10 UTC (permalink / raw)
  To: gregkh; +Cc: dan.carpenter, aaptel, stable, stfrench

[-- Attachment #1: Type: text/plain, Size: 408 bytes --]

Hi Greg,

On Sun, Sep 23, 2018 at 09:28:03PM +0200, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 4.14-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.

The attached backported patch will apply to 4.14-stable tree.

--
Regards
Sudip

[-- Attachment #2: 0001-cifs-integer-overflow-in-in-SMB2_ioctl.patch --]
[-- Type: text/x-diff, Size: 1698 bytes --]

>From 1a302acd2676a5ee24287dcc435a61b8ff38de7e Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 10 Sep 2018 14:12:07 +0300
Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl()

commit 2d204ee9d671327915260071c19350d84344e096 upstream

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
---
 fs/cifs/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 69309538ffb8..87297323d50b 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	/* We check for obvious errors in the output buffer length and offset */
 	if (*plen == 0)
 		goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
 		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
 		*plen = 0;
 		rc = -EIO;
 		goto ioctl_exit;
 	}
 
-	if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
 		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
 			le32_to_cpu(rsp->OutputOffset));
 		*plen = 0;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree
  2018-12-20 21:10 ` Sudip Mukherjee
@ 2018-12-22  0:40   ` Sasha Levin
  2018-12-23 11:08     ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Sasha Levin @ 2018-12-22  0:40 UTC (permalink / raw)
  To: Sudip Mukherjee; +Cc: gregkh, dan.carpenter, aaptel, stable, stfrench

On Thu, Dec 20, 2018 at 09:10:20PM +0000, Sudip Mukherjee wrote:
>Hi Greg,
>
>On Sun, Sep 23, 2018 at 09:28:03PM +0200, gregkh@linuxfoundation.org wrote:
>>
>> The patch below does not apply to the 4.14-stable tree.
>> If someone wants it applied there, or to any other stable or longterm
>> tree, then please email the backport, including the original git commit
>> id to <stable@vger.kernel.org>.
>
>The attached backported patch will apply to 4.14-stable tree.

Queued for all <=4.14, thank you.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree
  2018-12-22  0:40   ` Sasha Levin
@ 2018-12-23 11:08     ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2018-12-23 11:08 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Sudip Mukherjee, dan.carpenter, aaptel, stable, stfrench

On Fri, Dec 21, 2018 at 07:40:12PM -0500, Sasha Levin wrote:
> On Thu, Dec 20, 2018 at 09:10:20PM +0000, Sudip Mukherjee wrote:
> > Hi Greg,
> > 
> > On Sun, Sep 23, 2018 at 09:28:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > 
> > > The patch below does not apply to the 4.14-stable tree.
> > > If someone wants it applied there, or to any other stable or longterm
> > > tree, then please email the backport, including the original git commit
> > > id to <stable@vger.kernel.org>.
> > 
> > The attached backported patch will apply to 4.14-stable tree.
> 
> Queued for all <=4.14, thank you.

It breaks the build on < 4.14 so I'm dropping it from those...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-12-23 11:08 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-09-23 19:28 FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.14-stable tree gregkh
2018-12-20 21:10 ` Sudip Mukherjee
2018-12-22  0:40   ` Sasha Levin
2018-12-23 11:08     ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).