From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Justin Maggard <jmaggard@netgear.com>,
Steve French <smfrench@gmail.com>
Subject: [PATCH 4.4 13/74] cifs: fix out-of-bounds access in lease parsing
Date: Mon, 7 Mar 2016 16:02:38 -0800 [thread overview]
Message-ID: <20160308000315.712589111@linuxfoundation.org> (raw)
In-Reply-To: <20160308000315.294406921@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Maggard <jmaggard10@gmail.com>
commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.
When opening a file, SMB2_open() attempts to parse the lease state from the
SMB2 CREATE Response. However, the parsing code was not careful to ensure
that the create contexts are not empty or invalid, which can lead to out-
of-bounds memory access. This can be seen easily by trying
to read a file from a OSX 10.11 SMB3 server. Here is sample crash output:
BUG: unable to handle kernel paging request at ffff8800a1a77cc6
IP: [<ffffffff8828a734>] SMB2_open+0x804/0x960
PGD 8f77067 PUD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
Hardware name: NETGEAR ReadyNAS 314 /ReadyNAS 314 , BIOS 4.6.5 10/11/2012
task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
RIP: 0010:[<ffffffff8828a734>] [<ffffffff8828a734>] SMB2_open+0x804/0x960
RSP: 0018:ffff88005b31fa08 EFLAGS: 00010282
RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
FS: 00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
Stack:
ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
Call Trace:
[<ffffffff88278789>] ? cifsConvertToUTF16+0x159/0x2d0
[<ffffffff8828cf68>] smb2_open_file+0x98/0x210
[<ffffffff8811e80c>] ? __kmalloc+0x1c/0xe0
[<ffffffff882685f4>] cifs_open+0x2a4/0x720
[<ffffffff88122cef>] do_dentry_open+0x1ff/0x310
[<ffffffff88268350>] ? cifsFileInfo_get+0x30/0x30
[<ffffffff88123d92>] vfs_open+0x52/0x60
[<ffffffff88131dd0>] path_openat+0x170/0xf70
[<ffffffff88097d48>] ? remove_wait_queue+0x48/0x50
[<ffffffff88133a29>] do_filp_open+0x79/0xd0
[<ffffffff8813f2ca>] ? __alloc_fd+0x3a/0x170
[<ffffffff881240c4>] do_sys_open+0x114/0x1e0
[<ffffffff881241a9>] SyS_open+0x19/0x20
[<ffffffff8896e257>] entry_SYSCALL_64_fastpath+0x12/0x6a
Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
RIP [<ffffffff8828a734>] SMB2_open+0x804/0x960
RSP <ffff88005b31fa08>
CR2: ffff8800a1a77cc6
---[ end trace d9f69ba64feee469 ]---
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1109,21 +1109,25 @@ parse_lease_state(struct TCP_Server_Info
{
char *data_offset;
struct create_context *cc;
- unsigned int next = 0;
+ unsigned int next;
+ unsigned int remaining;
char *name;
data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset);
+ remaining = le32_to_cpu(rsp->CreateContextsLength);
cc = (struct create_context *)data_offset;
- do {
- cc = (struct create_context *)((char *)cc + next);
+ while (remaining >= sizeof(struct create_context)) {
name = le16_to_cpu(cc->NameOffset) + (char *)cc;
- if (le16_to_cpu(cc->NameLength) != 4 ||
- strncmp(name, "RqLs", 4)) {
- next = le32_to_cpu(cc->Next);
- continue;
- }
- return server->ops->parse_lease_buf(cc, epoch);
- } while (next != 0);
+ if (le16_to_cpu(cc->NameLength) == 4 &&
+ strncmp(name, "RqLs", 4) == 0)
+ return server->ops->parse_lease_buf(cc, epoch);
+
+ next = le32_to_cpu(cc->Next);
+ if (!next)
+ break;
+ remaining -= next;
+ cc = (struct create_context *)((char *)cc + next);
+ }
return 0;
}
next prev parent reply other threads:[~2016-03-08 0:02 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 0:02 [PATCH 4.4 00/74] 4.4.5-stable review Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 01/74] use ->d_seq to get coherency between ->d_inode and ->d_flags Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 02/74] drivers: sh: Restore legacy clock domain on SuperH platforms Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 03/74] Btrfs: fix deadlock running delayed iputs at transaction commit time Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 04/74] btrfs: Fix no_space in write and rm loop Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 05/74] btrfs: async-thread: Fix a use-after-free error for trace Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 07/74] block: Initialize max_dev_sectors to 0 Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 08/74] PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 09/74] parisc: Fix ptrace syscall number and return value modification Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 10/74] mips/kvm: fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 11/74] kvm: x86: Update tsc multiplier on change Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 12/74] fbcon: set a default value to blink interval Greg Kroah-Hartman
2016-03-08 0:02 ` Greg Kroah-Hartman [this message]
2016-03-09 3:47 ` [PATCH 4.4 13/74] cifs: fix out-of-bounds access in lease parsing Ben Hutchings
2016-03-09 4:23 ` Steve French
2016-03-09 16:17 ` Ben Hutchings
2016-03-08 0:02 ` [PATCH 4.4 14/74] CIFS: Fix SMB2+ interim response processing for read requests Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 15/74] Fix cifs_uniqueid_to_ino_t() function for s390x Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 16/74] vfio: fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 17/74] KVM: x86: fix root cause for missed hardware breakpoints Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 18/74] arm/arm64: KVM: Fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 19/74] iommu/amd: Apply workaround for ATS write permission check Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 20/74] iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 21/74] iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 22/74] target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 23/74] drm/ast: Fix incorrect register check for DRAM width Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 28/74] drm/amdgpu: return from atombios_dp_get_dpcd only when error Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 29/74] libata: fix HDIO_GET_32BIT ioctl Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 30/74] libata: Align ata_devices id on a cacheline Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 31/74] block: bio: introduce helpers to get the 1st and last bvec Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 32/74] writeback: flush inode cgroup wb switches instead of pinning super_block Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 33/74] Adding Intel Lewisburg device IDs for SATA Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 34/74] arm64: vmemmap: use virtual projection of linear region Greg Kroah-Hartman
2016-03-08 10:40 ` Ard Biesheuvel
2016-03-08 13:44 ` Greg Kroah-Hartman
2016-03-08 13:45 ` Ard Biesheuvel
2016-03-12 1:51 ` Ard Biesheuvel
2016-03-12 5:50 ` Greg Kroah-Hartman
2016-03-12 5:55 ` Ard Biesheuvel
2016-03-12 6:05 ` Greg Kroah-Hartman
2016-03-12 8:14 ` Ard Biesheuvel
2016-03-08 0:03 ` [PATCH 4.4 35/74] PM / sleep / x86: Fix crash on graph trace through x86 suspend Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 36/74] ata: ahci: dont mark HotPlugCapable Ports as external/removable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 37/74] tracing: Do not have comm filter override event comm field Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 38/74] pata-rb532-cf: get rid of the irq_to_gpio() call Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 39/74] Btrfs: fix loading of orphan roots leading to BUG_ON Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 40/74] Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 43/74] dmaengine: pxa_dma: fix cyclic transfers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 44/74] [media] adv7604: fix tx 5v detect regression Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 45/74] ALSA: usb-audio: Add a quirk for Plantronics DA45 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 46/74] ALSA: ctl: Fix ioctls for X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 47/74] ALSA: hda - Fix mic issues on Acer Aspire E1-472 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 48/74] ALSA: rawmidi: Fix ioctls X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 49/74] ALSA: timer: Fix ioctls for " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 50/74] ALSA: pcm: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 51/74] ALSA: seq: oss: Dont drain at closing a client Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 52/74] ALSA: hdspm: Fix wrong boolean ctl value accesses Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 53/74] ALSA: hdsp: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 54/74] ALSA: hdspm: Fix zero-division Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 55/74] ALSA: timer: Fix broken compat timer user status ioctl Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 56/74] usb: chipidea: otg: change workqueue ci_otg as freezable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 57/74] USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 60/74] USB: serial: option: add support for Telit LE922 PID 0x1045 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 61/74] USB: serial: option: add support for Quectel UC20 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 62/74] MIPS: scache: Fix scache init with invalid line size Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 63/74] MIPS: traps: Fix SIGFPE information leak from `do_ov and `do_trap_or_bp Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 64/74] cxl: Fix PSL timebase synchronization detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 65/74] ubi: Fix out of bounds write in volume update code Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 66/74] i2c: brcmstb: allocate correct amount of memory for regmap Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 67/74] thermal: cpu_cooling: fix out of bounds access in time_in_idle Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 69/74] block: check virt boundary in bio_will_gap() Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 70/74] block: get the 1st and last bvec via helpers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 71/74] drm/i915: more virtual south bridge detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 73/74] modules: fix longstanding /proc/kallsyms vs module insertion race Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 74/74] drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable Greg Kroah-Hartman
2016-03-08 11:45 ` [PATCH 4.4 00/74] 4.4.5-stable review Guenter Roeck
2016-03-08 14:19 ` Greg Kroah-Hartman
[not found] ` <56dea53c.a3f6c20a.71577.ffff9660@mx.google.com>
2016-03-08 14:34 ` Greg Kroah-Hartman
2016-03-09 5:32 ` Kevin Hilman
2016-03-08 16:24 ` Shuah Khan
2016-03-09 2:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160308000315.712589111@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jmaggard@netgear.com \
--cc=linux-kernel@vger.kernel.org \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).