* [PATCH 5.15.y ] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
@ 2024-01-03 0:29 Namjae Jeon
2024-01-03 10:07 ` Greg KH
From: Namjae Jeon @ 2024-01-03 0:29 UTC (permalink / raw)
To: gregkh; +Cc: lometsj, stfrench, stable
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit d10c77873ba1e9e6b91905018e29e196fd5f863d ]
If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
ksmbd_check_message doesn't validate the request buffer correctly.
So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
in smb2_open() could happen. If ->NameLength is non-zero, set the larger
of the two sums (Name and CreateContext size) as the offset and length of
the data area.
Reported-by: Yang Chaoming <lometsj@live.com>
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/ksmbd/smb2misc.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 39e523f115d2..4d1211bde190 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -107,16 +107,25 @@ static int smb2_get_data_area_len(unsigned int
*off, unsigned int *len,
break;
case SMB2_CREATE:
{
+ unsigned short int name_off =
+ le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
+ unsigned short int name_len =
+ le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
+
if (((struct smb2_create_req *)hdr)->CreateContextsLength) {
*off = le32_to_cpu(((struct smb2_create_req *)
hdr)->CreateContextsOffset);
*len = le32_to_cpu(((struct smb2_create_req *)
hdr)->CreateContextsLength);
- break;
+ if (!name_len)
+ break;
+
+ if (name_off + name_len < (u64)*off + *len)
+ break;
}
- *off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
- *len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
+ *off = name_off;
+ *len = name_len;
break;
}
case SMB2_QUERY_INFO:
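Review bot: the selection logic in this hunk deserves a short comment in the code, because the reason it is sufficient is not obvious from the lines themselves: when both a name and create contexts are present, only the region whose end (offset + length) is larger becomes the data area, and that is enough for the caller's bounds check precisely because the other region ends earlier and is therefore covered by the same check. Without that rationale a later reader may take "if (name_off + name_len < (u64)*off + *len) break;" for a bug that silently drops the name validation. Also worth noting in that comment: the (u64) cast on the right-hand side is load-bearing, since CreateContextsOffset and CreateContextsLength are attacker-supplied 32-bit values whose sum could wrap in u32 arithmetic, whereas name_off + name_len is two u16 values promoted to int and cannot wrap.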
--
2.34.1
* Re: [PATCH 5.15.y ] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
From: Greg KH @ 2024-01-03 10:07 UTC (permalink / raw)
To: Namjae Jeon; +Cc: lometsj, stfrench, stable
On Wed, Jan 03, 2024 at 09:29:16AM +0900, Namjae Jeon wrote:
> From: Namjae Jeon <linkinjeon@kernel.org>
>
> [ Upstream commit d10c77873ba1e9e6b91905018e29e196fd5f863d ]
>
> If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
> ksmbd_check_message doesn't validate the request buffer correctly.
> So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
> in smb2_open() could happen. If ->NameLength is non-zero, set the larger
> of the two sums (Name and CreateContext size) as the offset and length of
> the data area.
>
> Reported-by: Yang Chaoming <lometsj@live.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> ---
> fs/ksmbd/smb2misc.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
Now queued up, thanks.
greg k-h