From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Morris <rtm@csail.mit.edu>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 02/75] smb: client: fix OOB in smb2_query_reparse_point()
Date: Wed, 3 Jan 2024 17:54:43 +0100 [thread overview]
Message-ID: <20240103164843.363446095@linuxfoundation.org> (raw)
In-Reply-To: <20240103164842.953224409@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 3a42709fa909e22b0be4bb1e2795aa04ada732a3 ]
Validate @ioctl_rsp->OutputOffset and @ioctl_rsp->OutputCount so that
their sum does not wrap to a number that is smaller than @reparse_buf
and we end up with a wild pointer as follows:
BUG: unable to handle page fault for address: ffff88809c5cd45f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4a01067 P4D 4a01067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1260 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
Code: ff ff e8 f3 51 fe ff 41 89 c6 58 5a 45 85 f6 0f 85 14 fe ff ff
49 8b 57 48 8b 42 60 44 8b 42 64 42 8d 0c 00 49 39 4f 50 72 40 <8b>
04 02 48 8b 9d f0 fe ff ff 49 8b 57 50 89 03 48 8b 9d e8 fe ff
RSP: 0018:ffffc90000347a90 EFLAGS: 00010212
RAX: 000000008000001f RBX: ffff88800ae11000 RCX: 00000000000000ec
RDX: ffff88801c5cd440 RSI: 0000000000000000 RDI: ffffffff82004aa4
RBP: ffffc90000347bb0 R08: 00000000800000cd R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000024 R12: ffff8880114d4100
R13: ffff8880114d4198 R14: 0000000000000000 R15: ffff8880114d4000
FS: 00007f02c07babc0(0000) GS:ffff88806ba00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88809c5cd45f CR3: 0000000011750000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? search_module_extables+0x19/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x1b6/0x1c0
? asm_exc_page_fault+0x26/0x30
? _raw_spin_unlock_irqrestore+0x44/0x60
? smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
cifs_get_fattr+0x16e/0xa50 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0xbf/0x2b0
cifs_root_iget+0x163/0x5f0 [cifs]
cifs_smb3_do_mount+0x5bd/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f02c08d5b1e
Fixes: 2e4564b31b64 ("smb3: add support for stat of WSL reparse points for special file types")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris <rtm@csail.mit.edu>
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2ops.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index e58525a958270..26edaeb4245d8 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3099,7 +3099,7 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
struct kvec close_iov[1];
struct smb2_ioctl_rsp *ioctl_rsp;
struct reparse_data_buffer *reparse_buf;
- u32 plen;
+ u32 off, count, len;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
@@ -3178,16 +3178,22 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
*/
if (rc == 0) {
/* See MS-FSCC 2.3.23 */
+ off = le32_to_cpu(ioctl_rsp->OutputOffset);
+ count = le32_to_cpu(ioctl_rsp->OutputCount);
+ if (check_add_overflow(off, count, &len) ||
+ len > rsp_iov[1].iov_len) {
+ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
+ __func__, off, count);
+ rc = -EIO;
+ goto query_rp_exit;
+ }
- reparse_buf = (struct reparse_data_buffer *)
- ((char *)ioctl_rsp +
- le32_to_cpu(ioctl_rsp->OutputOffset));
- plen = le32_to_cpu(ioctl_rsp->OutputCount);
-
- if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
- rsp_iov[1].iov_len) {
- cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",
- plen);
+ reparse_buf = (void *)((u8 *)ioctl_rsp + off);
+ len = sizeof(*reparse_buf);
+ if (count < len ||
+ count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {
+ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
+ __func__, off, count);
rc = -EIO;
goto query_rp_exit;
}
--
2.43.0
next prev parent reply other threads:[~2024-01-03 17:09 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-03 16:54 [PATCH 5.10 00/75] 5.10.206-rc1 review Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 01/75] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Greg Kroah-Hartman
2024-01-03 16:54 ` Greg Kroah-Hartman [this message]
2024-01-03 16:54 ` [PATCH 5.10 03/75] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 04/75] reset: Fix crash when freeing non-existent optional resets Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 05/75] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 06/75] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 07/75] Revert "net/mlx5e: fix double free of encap_header" Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 08/75] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 09/75] net/mlx5: Fix fw tracer first block check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 10/75] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 11/75] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 12/75] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 13/75] net/rose: fix races in rose_kill_by_device() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 14/75] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 15/75] afs: Fix the dynamic roots d_delete to always delete unused dentries Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 16/75] afs: Fix dynamic root lookup DNS check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 17/75] net: warn if gso_type isnt set for a GSO SKB Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 18/75] net: check dev->gso_max_size in gso_features_check() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 19/75] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 20/75] afs: Fix overwriting of result of DNS query Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 21/75] i2c: aspeed: Handle the coalesced stop conditions with the start conditions Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 22/75] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 23/75] ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 24/75] ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 25/75] smb: client: fix NULL deref in asn1_ber_decoder() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 26/75] btrfs: do not allow non subvolume root targets for snapshot Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 27/75] interconnect: Treat xlate() returning NULL node as an error Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 28/75] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 29/75] interconnect: qcom: sm8250: Enable sync_state Greg Kroah-Hartman
2024-01-03 17:29 ` Konrad Dybcio
2024-01-03 16:55 ` [PATCH 5.10 30/75] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 31/75] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 32/75] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 33/75] iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 34/75] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 35/75] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 36/75] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 37/75] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 38/75] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 39/75] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 40/75] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 41/75] Bluetooth: L2CAP: Send reject on command corrupted request Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 42/75] Input: soc_button_array - add mapping for airplane mode button Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 43/75] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 44/75] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 45/75] net: ks8851: Fix TX stall caused by TX buffer overrun Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 46/75] dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 47/75] tracing / synthetic: Disable events after testing in synth_event_gen_test_init() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 48/75] bus: ti-sysc: Flush posted write only after srst_udelay Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 49/75] lib/vsprintf: Fix %pfwf when current node refcount == 0 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 50/75] x86/alternatives: Sync core before enabling interrupts Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 51/75] 9p/net: fix possible memory leak in p9_check_errors() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 52/75] ARM: dts: Fix occasional boot hang for am3 usb Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 53/75] Bluetooth: SMP: Convert BT_ERR/BT_DBG to bt_dev_err/bt_dev_dbg Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 54/75] Bluetooth: use inclusive language in SMP Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 55/75] Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 56/75] usb: fotg210-hcd: delete an incorrect bounds test Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 57/75] smb: client: fix OOB in SMB2_query_info_init() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 58/75] smb: client: fix OOB in smbCalcSize() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 59/75] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 60/75] spi: atmel: Switch to transfer_one transfer method Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 61/75] spi: atmel: Fix CS and initialization bug Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 62/75] scsi: core: Add scsi_prot_ref_tag() helper Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 63/75] scsi: core: Introduce scsi_get_sector() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 64/75] scsi: core: Make scsi_get_lba() return the LBA Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 65/75] scsi: core: Use scsi_cmd_to_rq() instead of scsi_cmnd.request Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 66/75] scsi: core: Use a structure member to track the SCSI command submitter Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 67/75] scsi: core: Always send batch on reset or error handling command Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 68/75] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 69/75] tracing: Fix blocked reader of snapshot buffer Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 70/75] netfilter: nf_tables: skip set commit for deleted/destroyed sets Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 71/75] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 72/75] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 73/75] Revert "MIPS: Loongson64: Enable DMA noncoherent support" Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 74/75] Bluetooth: SMP: Fix crash when receiving new connection when debug is enabled Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 75/75] spi: atmel: Fix PDC transfer setup bug Greg Kroah-Hartman
2024-01-03 19:15 ` [PATCH 5.10 00/75] 5.10.206-rc1 review Florian Fainelli
2024-01-04 0:40 ` Dominique Martinet
2024-01-04 9:16 ` Daniel Díaz
2024-01-04 9:25 ` Greg Kroah-Hartman
2024-01-08 17:47 ` Francis Laniel
2024-01-04 12:11 ` Jon Hunter
2024-01-04 12:15 ` Pavel Machek
2024-01-05 1:03 ` Guenter Roeck
2024-01-05 11:12 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240103164843.363446095@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=rtm@csail.mit.edu \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox