From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A5DCEB64DC for ; Mon, 26 Jun 2023 18:27:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231681AbjFZS1d (ORCPT ); Mon, 26 Jun 2023 14:27:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231911AbjFZS1R (ORCPT ); Mon, 26 Jun 2023 14:27:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 010B526B3 for ; Mon, 26 Jun 2023 11:26:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7469460E76 for ; Mon, 26 Jun 2023 18:26:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 85E09C433C0; Mon, 26 Jun 2023 18:26:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1687804009; bh=14opGvk+C9k5vMdT9tKTHa0Z85aOQZiJkcVm5DoU6jk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h6kUCaXPf7g1YRoMKO6JdCUWUIQ6jHOfQ1BJyB4bF2Nb642waXkWrekyAoPoiu9uQ qrwAH6HsrJ5qL5tDHLY6WNiMe/8US9QwWlKF8GU2TwZeM3hwjf0LItQrRW14dyY4Zc vhH/qPyfI/SW4iJsbsPwmMYlc6Z0y5gtgJFOkfEU= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Namjae Jeon , Steve French , zdi-disclosures@trendmicro.com Subject: [PATCH 6.1 011/170] ksmbd: fix out-of-bound read in smb2_write Date: Mon, 26 Jun 2023 20:09:40 +0200 Message-ID: <20230626180801.040922988@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230626180800.476539630@linuxfoundation.org> References: <20230626180800.476539630@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Namjae Jeon commit 5fe7f7b78290638806211046a99f031ff26164e1 upstream. ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If ->NextCommand is bigger than Offset + Length of smb2 write, It will allow oversized smb2 write length. It will cause OOB read in smb2_write. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164 Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -351,10 +351,16 @@ int ksmbd_smb2_check_message(struct ksmb int command; __u32 clc_len; /* calculated length */ __u32 len = get_rfc1002_len(work->request_buf); - __u32 req_struct_size; + __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); - if (le32_to_cpu(hdr->NextCommand) > 0) - len = le32_to_cpu(hdr->NextCommand); + if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { + pr_err("next command(%u) offset exceeds smb msg size\n", + next_cmd); + return 1; + } + + if (next_cmd > 0) + len = next_cmd; else if (work->next_smb2_rcv_hdr_off) len -= work->next_smb2_rcv_hdr_off;