From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robert Morris <rtm@csail.mit.edu>,
Paulo Alcantara <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 57/75] smb: client: fix OOB in SMB2_query_info_init()
Date: Wed, 3 Jan 2024 17:55:38 +0100 [thread overview]
Message-ID: <20240103164851.728113794@linuxfoundation.org> (raw)
In-Reply-To: <20240103164842.953224409@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 33eae65c6f49770fec7a662935d4eb4a6406d24b ]
A small CIFS buffer (448 bytes) isn't big enough to hold
SMB2_QUERY_INFO request along with user's input data from
CIFS_QUERY_INFO ioctl. That is, if the user passed an input buffer >
344 bytes, the client will memcpy() off the end of @req->Buffer in
SMB2_query_info_init() thus causing the following KASAN splat:
BUG: KASAN: slab-out-of-bounds in SMB2_query_info_init+0x242/0x250 [cifs]
Write of size 1023 at addr ffff88801308c5a8 by task a.out/1240
CPU: 1 PID: 1240 Comm: a.out Not tainted 6.7.0-rc4 #5
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x80
print_report+0xcf/0x650
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __phys_addr+0x46/0x90
kasan_report+0xd8/0x110
? SMB2_query_info_init+0x242/0x250 [cifs]
? SMB2_query_info_init+0x242/0x250 [cifs]
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x3c/0x60
SMB2_query_info_init+0x242/0x250 [cifs]
? __pfx_SMB2_query_info_init+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? smb_rqst_len+0xa6/0xc0 [cifs]
smb2_ioctl_query_info+0x4f4/0x9a0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
? __pfx_cifsConvertToUTF16+0x10/0x10 [cifs]
? kasan_set_track+0x25/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? __kasan_kmalloc+0x8f/0xa0
? srso_alias_return_thunk+0x5/0xfbef5
? cifs_strndup_to_utf16+0x12d/0x1a0 [cifs]
? __build_path_from_dentry_optional_prefix+0x19d/0x2d0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
cifs_ioctl+0x11c7/0x1de0 [cifs]
? __pfx_cifs_ioctl+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? rcu_is_watching+0x23/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? __rseq_handle_notify_resume+0x6cd/0x850
? __pfx___schedule+0x10/0x10
? blkcg_iostat_update+0x250/0x290
? srso_alias_return_thunk+0x5/0xfbef5
? ksys_write+0xe9/0x170
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f893dde49cf
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48
89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89>
c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007ffc03ff4160 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc03ff4378 RCX: 00007f893dde49cf
RDX: 00007ffc03ff41d0 RSI: 00000000c018cf07 RDI: 0000000000000003
RBP: 00007ffc03ff4260 R08: 0000000000000410 R09: 0000000000000001
R10: 00007f893dce7300 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc03ff4388 R14: 00007f893df15000 R15: 0000000000406de0
</TASK>
Fix this by increasing size of SMB2_QUERY_INFO request buffers and
validating input length to prevent other callers from overflowing @req
in SMB2_query_info_init() as well.
Fixes: f5b05d622a3e ("cifs: add IOCTL for QUERY_INFO passthrough to userspace")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris <rtm@csail.mit.edu>
Signed-off-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smb2pdu.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 9a80047bc9b7b..76679dc4e6328 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -373,10 +373,15 @@ static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
void **request_buf, unsigned int *total_len)
{
/* BB eventually switch this to SMB2 specific small buf size */
- if (smb2_command == SMB2_SET_INFO)
+ switch (smb2_command) {
+ case SMB2_SET_INFO:
+ case SMB2_QUERY_INFO:
*request_buf = cifs_buf_get();
- else
+ break;
+ default:
*request_buf = cifs_small_buf_get();
+ break;
+ }
if (*request_buf == NULL) {
/* BB should we add a retry in here if not a writepage? */
return -ENOMEM;
@@ -3346,8 +3351,13 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
struct smb2_query_info_req *req;
struct kvec *iov = rqst->rq_iov;
unsigned int total_len;
+ size_t len;
int rc;
+ if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+ len > CIFSMaxBufSize))
+ return -EINVAL;
+
rc = smb2_plain_req_init(SMB2_QUERY_INFO, tcon, server,
(void **) &req, &total_len);
if (rc)
@@ -3369,7 +3379,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
iov[0].iov_base = (char *)req;
/* 1 for Buffer */
- iov[0].iov_len = total_len - 1 + input_len;
+ iov[0].iov_len = len;
return 0;
}
@@ -3377,7 +3387,7 @@ void
SMB2_query_info_free(struct smb_rqst *rqst)
{
if (rqst && rqst->rq_iov)
- cifs_small_buf_release(rqst->rq_iov[0].iov_base); /* request */
+ cifs_buf_release(rqst->rq_iov[0].iov_base); /* request */
}
static int
@@ -5104,6 +5114,11 @@ build_qfs_info_req(struct kvec *iov, struct cifs_tcon *tcon,
return 0;
}
+static inline void free_qfs_info_req(struct kvec *iov)
+{
+ cifs_buf_release(iov->iov_base);
+}
+
int
SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
u64 persistent_fid, u64 volatile_fid, struct kstatfs *fsdata)
@@ -5135,7 +5150,7 @@ SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto posix_qfsinf_exit;
@@ -5186,7 +5201,7 @@ SMB2_QFS_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto qfsinf_exit;
@@ -5253,7 +5268,7 @@ SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon,
rc = cifs_send_recv(xid, ses, server,
&rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(iov.iov_base);
+ free_qfs_info_req(&iov);
if (rc) {
cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
goto qfsattr_exit;
--
2.43.0
next prev parent reply other threads:[~2024-01-03 17:12 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-03 16:54 [PATCH 5.10 00/75] 5.10.206-rc1 review Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 01/75] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 02/75] smb: client: fix OOB in smb2_query_reparse_point() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 03/75] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 04/75] reset: Fix crash when freeing non-existent optional resets Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 05/75] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 06/75] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 07/75] Revert "net/mlx5e: fix double free of encap_header" Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 08/75] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 09/75] net/mlx5: Fix fw tracer first block check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 10/75] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 11/75] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 12/75] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 13/75] net/rose: fix races in rose_kill_by_device() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 14/75] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 15/75] afs: Fix the dynamic roots d_delete to always delete unused dentries Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 16/75] afs: Fix dynamic root lookup DNS check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 17/75] net: warn if gso_type isnt set for a GSO SKB Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.10 18/75] net: check dev->gso_max_size in gso_features_check() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 19/75] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 20/75] afs: Fix overwriting of result of DNS query Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 21/75] i2c: aspeed: Handle the coalesced stop conditions with the start conditions Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 22/75] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 23/75] ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 24/75] ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 25/75] smb: client: fix NULL deref in asn1_ber_decoder() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 26/75] btrfs: do not allow non subvolume root targets for snapshot Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 27/75] interconnect: Treat xlate() returning NULL node as an error Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 28/75] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 29/75] interconnect: qcom: sm8250: Enable sync_state Greg Kroah-Hartman
2024-01-03 17:29 ` Konrad Dybcio
2024-01-03 16:55 ` [PATCH 5.10 30/75] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 31/75] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 32/75] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 33/75] iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 34/75] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 35/75] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 36/75] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 37/75] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 38/75] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 39/75] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 40/75] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 41/75] Bluetooth: L2CAP: Send reject on command corrupted request Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 42/75] Input: soc_button_array - add mapping for airplane mode button Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 43/75] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 44/75] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 45/75] net: ks8851: Fix TX stall caused by TX buffer overrun Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 46/75] dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 47/75] tracing / synthetic: Disable events after testing in synth_event_gen_test_init() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 48/75] bus: ti-sysc: Flush posted write only after srst_udelay Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 49/75] lib/vsprintf: Fix %pfwf when current node refcount == 0 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 50/75] x86/alternatives: Sync core before enabling interrupts Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 51/75] 9p/net: fix possible memory leak in p9_check_errors() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 52/75] ARM: dts: Fix occasional boot hang for am3 usb Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 53/75] Bluetooth: SMP: Convert BT_ERR/BT_DBG to bt_dev_err/bt_dev_dbg Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 54/75] Bluetooth: use inclusive language in SMP Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 55/75] Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 56/75] usb: fotg210-hcd: delete an incorrect bounds test Greg Kroah-Hartman
2024-01-03 16:55 ` Greg Kroah-Hartman [this message]
2024-01-03 16:55 ` [PATCH 5.10 58/75] smb: client: fix OOB in smbCalcSize() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 59/75] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 60/75] spi: atmel: Switch to transfer_one transfer method Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 61/75] spi: atmel: Fix CS and initialization bug Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 62/75] scsi: core: Add scsi_prot_ref_tag() helper Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 63/75] scsi: core: Introduce scsi_get_sector() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 64/75] scsi: core: Make scsi_get_lba() return the LBA Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 65/75] scsi: core: Use scsi_cmd_to_rq() instead of scsi_cmnd.request Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 66/75] scsi: core: Use a structure member to track the SCSI command submitter Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 67/75] scsi: core: Always send batch on reset or error handling command Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 68/75] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 69/75] tracing: Fix blocked reader of snapshot buffer Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 70/75] netfilter: nf_tables: skip set commit for deleted/destroyed sets Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 71/75] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 72/75] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 73/75] Revert "MIPS: Loongson64: Enable DMA noncoherent support" Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 74/75] Bluetooth: SMP: Fix crash when receiving new connection when debug is enabled Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.10 75/75] spi: atmel: Fix PDC transfer setup bug Greg Kroah-Hartman
2024-01-03 19:15 ` [PATCH 5.10 00/75] 5.10.206-rc1 review Florian Fainelli
2024-01-04 0:40 ` Dominique Martinet
2024-01-04 9:16 ` Daniel Díaz
2024-01-04 9:25 ` Greg Kroah-Hartman
2024-01-08 17:47 ` Francis Laniel
2024-01-04 12:11 ` Jon Hunter
2024-01-04 12:15 ` Pavel Machek
2024-01-05 1:03 ` Guenter Roeck
2024-01-05 11:12 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240103164851.728113794@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=rtm@csail.mit.edu \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox