From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, j51569436@gmail.com,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.1 085/112] smb: client: fix OOB in smbCalcSize()
Date: Sat, 30 Dec 2023 11:59:58 +0000 [thread overview]
Message-ID: <20231230115809.510607448@linuxfoundation.org> (raw)
In-Reply-To: <20231230115806.714618407@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef upstream.
Validate @smb->WordCount to avoid reading off the end of @smb and thus
causing the following KASAN splat:
BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs]
Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328
CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x80
print_report+0xcf/0x650
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __phys_addr+0x46/0x90
kasan_report+0xd8/0x110
? smbCalcSize+0x32/0x40 [cifs]
? smbCalcSize+0x32/0x40 [cifs]
kasan_check_range+0x105/0x1b0
smbCalcSize+0x32/0x40 [cifs]
checkSMB+0x162/0x370 [cifs]
? __pfx_checkSMB+0x10/0x10 [cifs]
cifs_handle_standard+0xbc/0x2f0 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
cifs_demultiplex_thread+0xed1/0x1360 [cifs]
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? lockdep_hardirqs_on_prepare+0x136/0x210
? __pfx_lock_release+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? mark_held_locks+0x1a/0x90
? lockdep_hardirqs_on_prepare+0x136/0x210
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kthread_parkme+0xce/0xf0
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
kthread+0x18d/0x1d0
? kthread+0xdb/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
This fixes CVE-2023-6606.
Reported-by: j51569436@gmail.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/misc.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/smb/client/misc.c
+++ b/fs/smb/client/misc.c
@@ -350,6 +350,10 @@ checkSMB(char *buf, unsigned int total_r
cifs_dbg(VFS, "Length less than smb header size\n");
}
return -EIO;
+ } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) {
+ cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n",
+ __func__, smb->WordCount);
+ return -EIO;
}
/* otherwise, there is enough to get to the BCC */
next prev parent reply other threads:[~2023-12-30 12:10 UTC|newest]
Thread overview: 121+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-30 11:58 [PATCH 6.1 000/112] 6.1.70-rc1 review Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 001/112] kasan: disable kasan_non_canonical_hook() for HW tags Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 002/112] bpf: Fix prog_array_map_poke_run map poke update Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 003/112] HID: i2c-hid: acpi: Unify ACPI ID tables format Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 004/112] HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[] Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 005/112] drm/amd/display: fix hw rotated modes when PSR-SU is enabled Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 006/112] ARM: dts: dra7: Fix DRA7 L3 NoC node register size Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 007/112] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 008/112] reset: Fix crash when freeing non-existent optional resets Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 009/112] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 010/112] wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 011/112] wifi: mac80211: check if the existing link config remains unchanged Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 012/112] wifi: mac80211: mesh: check element parsing succeeded Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 013/112] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 014/112] Revert "net/mlx5e: fix double free of encap_header in update funcs" Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 015/112] Revert "net/mlx5e: fix double free of encap_header" Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 016/112] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 017/112] net/mlx5: Introduce and use opcode getter in command interface Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 018/112] net/mlx5: Prevent high-rate FW commands from populating all slots Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 019/112] net/mlx5: Re-organize mlx5_cmd struct Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 020/112] net/mlx5e: Fix a race in command alloc flow Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 021/112] net/mlx5e: fix a potential double-free in fs_udp_create_groups Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 022/112] net/mlx5: Fix fw tracer first block check Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 023/112] net/mlx5e: Correct snprintf truncation handling for fw_version buffer Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 024/112] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 025/112] net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above Greg Kroah-Hartman
2023-12-30 11:58 ` [PATCH 6.1 026/112] octeontx2-pf: Fix graceful exit during PFC configuration failure Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 027/112] net: Return error from sk_stream_wait_connect() if sk_wait_event() fails Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 028/112] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 029/112] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 030/112] net/rose: fix races in rose_kill_by_device() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 031/112] Bluetooth: Fix deadlock in vhci_send_frame Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 032/112] Bluetooth: hci_event: shut up a false-positive warning Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 033/112] net: mana: select PAGE_POOL Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 034/112] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 035/112] afs: Fix the dynamic roots d_delete to always delete unused dentries Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 036/112] afs: Fix dynamic root lookup DNS check Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 037/112] net: check dev->gso_max_size in gso_features_check() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 038/112] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 039/112] afs: Fix overwriting of result of DNS query Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 040/112] afs: Fix use-after-free due to get/remove race in volume tree Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 041/112] ASoC: hdmi-codec: fix missing report for jack initial status Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 042/112] ASoC: fsl_sai: Fix channel swap issue on i.MX8MP Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 043/112] i2c: aspeed: Handle the coalesced stop conditions with the start conditions Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 044/112] x86/xen: add CPU dependencies for 32-bit build Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 045/112] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 046/112] gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 047/112] nvme-pci: fix sleeping function called from interrupt context Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 048/112] drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 049/112] drm/i915: Relocate intel_atomic_setup_scalers() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 050/112] drm/i915: Fix intel_atomic_setup_scalers() plane_state handling Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 051/112] drm/i915/dpt: Only do the POT stride remap when using DPT Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 052/112] drm/i915/mtl: Add MTL for remapping CCS FBs Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 053/112] drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than the original Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 054/112] interconnect: Treat xlate() returning NULL node as an error Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 055/112] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 056/112] interconnect: qcom: sm8250: Enable sync_state Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 057/112] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 058/112] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 059/112] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 060/112] iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 061/112] iio: triggered-buffer: prevent possible freeing of wrong buffer Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 062/112] ALSA: usb-audio: Increase delay in MOTU M quirk Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 063/112] usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3 Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 064/112] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 065/112] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 066/112] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 067/112] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 068/112] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 069/112] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 070/112] ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 071/112] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 072/112] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 073/112] Bluetooth: L2CAP: Send reject on command corrupted request Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 074/112] Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 075/112] Bluetooth: Add more enc key size check Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 076/112] net: usb: ax88179_178a: avoid failed operations when device is disconnected Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 077/112] Input: soc_button_array - add mapping for airplane mode button Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 078/112] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 079/112] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 080/112] net: ks8851: Fix TX stall caused by TX buffer overrun Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 081/112] dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 082/112] smb: client: fix OOB in cifsd when receiving compounded resps Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 083/112] smb: client: fix potential OOB in cifs_dump_detail() Greg Kroah-Hartman
2023-12-30 11:59 ` [PATCH 6.1 084/112] smb: client: fix OOB in SMB2_query_info_init() Greg Kroah-Hartman
2023-12-30 11:59 ` Greg Kroah-Hartman [this message]
2023-12-30 11:59 ` [PATCH 6.1 086/112] drm/i915: Reject async flips with bigjoiner Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 087/112] 9p: prevent read overrun in protocol dump tracepoint Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 088/112] RISC-V: Fix do_notify_resume / do_work_pending prototype Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 089/112] loop: do not enforce max_loop hard limit by (new) default Greg Kroah-Hartman
2023-12-31 15:49 ` Sven Joachim
2024-01-01 12:16 ` Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 090/112] dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 091/112] Revert "drm/amd/display: Do not set DRR on pipe commit" Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 092/112] btrfs: zoned: no longer count fresh BG region as zone unusable Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 093/112] ubifs: fix possible dereference after free Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 094/112] ublk: move ublk_cancel_dev() out of ub->mutex Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 095/112] selftests: mptcp: join: fix subflow_send_ack lookup Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 096/112] Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity" Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 097/112] scsi: core: Always send batch on reset or error handling command Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 098/112] tracing / synthetic: Disable events after testing in synth_event_gen_test_init() Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 099/112] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 100/112] pinctrl: starfive: jh7100: ignore disabled device tree nodes Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 101/112] bus: ti-sysc: Flush posted write only after srst_udelay Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 102/112] gpio: dwapb: mask/unmask IRQ when disable/enale it Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 103/112] lib/vsprintf: Fix %pfwf when current node refcount == 0 Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 104/112] thunderbolt: Fix memory leak in margining_port_remove() Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 105/112] KVM: arm64: vgic: Simplify kvm_vgic_destroy() Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 106/112] KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy() Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 107/112] KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 108/112] x86/alternatives: Sync core before enabling interrupts Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 109/112] mm/damon/core: make damon_start() waits until kdamond_fn() starts Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 110/112] fuse: share lookup state between submount and its parent Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 111/112] wifi: cfg80211: fix CQM for non-range use Greg Kroah-Hartman
2023-12-30 12:00 ` [PATCH 6.1 112/112] wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) Greg Kroah-Hartman
2023-12-30 16:29 ` [PATCH 6.1 000/112] 6.1.70-rc1 review Florian Fainelli
2023-12-30 18:14 ` SeongJae Park
2023-12-31 9:49 ` Naresh Kamboju
2023-12-31 12:04 ` Ron Economos
2023-12-31 16:33 ` Guenter Roeck
2024-01-01 9:26 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231230115809.510607448@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=j51569436@gmail.com \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox