From: Namjae Jeon <linkinjeon@kernel.org>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, stfrench@microsoft.com,
smfrench@gmail.com, Namjae Jeon <linkinjeon@kernel.org>,
zdi-disclosures@trendmicro.com
Subject: [5.15.y PATCH 3/4] ksmbd: fix out-of-bound read in smb2_write
Date: Thu, 20 Jul 2023 22:23:30 +0900 [thread overview]
Message-ID: <20230720132336.7614-4-linkinjeon@kernel.org> (raw)
In-Reply-To: <20230720132336.7614-1-linkinjeon@kernel.org>
commit 5fe7f7b78290638806211046a99f031ff26164e1 upstream.
ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If
->NextCommand is bigger than Offset + Length of smb2 write, It will
allow oversized smb2 write length. It will cause OOB read in smb2_write.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/ksmbd/smb2misc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index ad805b37b81d..c24674fc1904 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -352,10 +352,16 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
int command;
__u32 clc_len; /* calculated length */
__u32 len = get_rfc1002_len(work->request_buf);
- __u32 req_struct_size;
+ __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand);
- if (le32_to_cpu(hdr->NextCommand) > 0)
- len = le32_to_cpu(hdr->NextCommand);
+ if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) {
+ pr_err("next command(%u) offset exceeds smb msg size\n",
+ next_cmd);
+ return 1;
+ }
+
+ if (next_cmd > 0)
+ len = next_cmd;
else if (work->next_smb2_rcv_hdr_off)
len -= work->next_smb2_rcv_hdr_off;
--
2.25.1
next prev parent reply other threads:[~2023-07-20 13:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-20 13:23 [5.15.y PATCH 0/4] ksmbd: ZDI Vulnerability patches for 5.15.y Namjae Jeon
2023-07-20 13:23 ` [5.15.y PATCH 1/4] ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message() Namjae Jeon
2023-07-20 13:23 ` [5.15.y PATCH 2/4] ksmbd: validate command payload size Namjae Jeon
2023-07-20 13:23 ` Namjae Jeon [this message]
2023-07-20 13:23 ` [5.15.y PATCH 4/4] ksmbd: validate session id and tree id in the compound request Namjae Jeon
2023-07-20 13:23 ` [5.15.y PATCH 0/4] ksmbd: ZDI Vulnerability patches for 5.15.y Namjae Jeon
2023-07-20 13:43 ` Namjae Jeon
2023-07-20 13:23 ` [5.15.y PATCH 1/4] ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message() Namjae Jeon
2023-07-20 13:44 ` Namjae Jeon
2023-07-20 17:54 ` [5.15.y PATCH 0/4] ksmbd: ZDI Vulnerability patches for 5.15.y Greg KH
2023-07-20 23:22 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230720132336.7614-4-linkinjeon@kernel.org \
--to=linkinjeon@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=zdi-disclosures@trendmicro.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox