From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f193.google.com (mail-pg1-f193.google.com [209.85.215.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 73180364BA for ; Sat, 10 Feb 2024 20:12:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.193 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707595979; cv=none; b=GZpmKWX4FcZSlzwvHus8tsHDUj0t6EMEjSVgn5l7BY6dL6ACeNHRHZqx/sJz0jY92uGOs5VeiKYqZlXTRlNEtA4tmTr88MKO7o4ym+Y9ts4GbtoMoP+1KnsRdL8DZKl90khb6OvIUSTpN1frtsdWDJaUTkE+3up8w9GxD8dWx+g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707595979; c=relaxed/simple; bh=hHbduaqkV3mcbYMpoL6PYWcddihCk71uUwgDtu+fzvw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=jSJITD12bQWewJmJjqE3TTTxT+bBKfuON82odj0RbSVuZJv2SAg/MGQH76zHzZ/ckmcHspLyYy5z9Jf7PcHUbiocByJ5kNVsSPYUMxo7elbVgoCYDjItBrjrTpU6WBx8Xr7ZWX41rS11orS9EY6elrbxdY7HtgwmDJ43wiy9VgE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=YcQjHV0b; arc=none smtp.client-ip=209.85.215.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="YcQjHV0b" Received: by mail-pg1-f193.google.com with SMTP id 41be03b00d2f7-5d3907ff128so1623441a12.3 for ; Sat, 10 Feb 2024 12:12:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1707595976; x=1708200776; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WeXRdFJH8rsWandURsi1IDZPVHlPbfmmKxcxSF2+0m4=; b=YcQjHV0b0+xe6Co14wA88+AK5o6REsaqABdSy0XFE10myU8WPfTByCkAL5o/8ctXuE S/m1B/Iz2X275pSqVrH7LPQLwCTybcm3Fxbqz+NEXVVvwxt4OyyAB7RWHj+/HHijLEcC OOvjzGbQaGHYsbyOUDpbZUMpvzQZLqvJ8QJQI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707595976; x=1708200776; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WeXRdFJH8rsWandURsi1IDZPVHlPbfmmKxcxSF2+0m4=; b=KrUWBk3qHu9a57O+STCBl/onBuNwrJw/IVUKsEaGH/aInKh2J3yQ1vOdnOs9A5a0Fn 8cAISTI/MlYuS2ixUWRtESDm9AmCaEb9+rkIF3/n60fOD0nxmK25NMc1hZagqxqYDarE fajlhvlOF7b87aG2SoL9AGMHsErOSB/1xqhKxvOmtp5QtHstoaL8GiB6V41qxNL+sowu 2ZXiXb3uHhtEg/2UpyCZu/Zmuc7ou+yKASF9z2cLpx7NbEVohZCNm/tIwvn0ilBd6gCZ uZ7JZk1Zg3NXXkNcz5UxCkmn36cZI6RVHy/KrA31DiGFTdBSUBCVql6BKxchoE1xMTrP LXkg== X-Gm-Message-State: AOJu0YwvL1RsN2wK3J1OEdCH2fasxJDIcQtYwunhwquq3ONtym5IdAEe m8GxmznPVGJmQXrR3NiT4jTbs+S3q5wya5NRwODa7p70xwzOS39xcUZz5B/KEkXF8YPPibXXsoy 3otUAnq0sueHSekdKWrqrZS0zc539ETkgbSu6FJEgAUuFF0hCAyiXUzghaq5ttiN+FFEPeIKT+T 0K52QrzK6b+mvp8EgaBAdUYHi8mu4rh2kFOZwLWyoo5Gdhc6oPTk7Eakhz3w== X-Google-Smtp-Source: AGHT+IGVq/rfM4m/RBF2H2LAcUqJWLXJ+5FsT8PG9ftiSVploxNOASabBc9JBclSBBMxo4WEpNpX/A== X-Received: by 2002:a05:6a20:9f05:b0:19c:9c2e:7860 with SMTP id mk5-20020a056a209f0500b0019c9c2e7860mr4154457pzb.13.1707595975921; Sat, 10 Feb 2024 12:12:55 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCXj8zPnLMcU7t2gIttQ8VnycuL/QdjF0QtuNpwaNcfwPNv2OSQYnX1Ppb4RV7tmF8wdV2vabyWjlYXFA8sjHu5wtAJ5KsQrTHQxybkTRmpJ1YzfBJcUuUQIwYxgtM5RAQy4WfOYHlQZ/3po1uo9Y7ATSwtFw6riFJq08qkrvlItoHdTDjANjTAnZrjjHq40aym68NiAcuY1Vbqfz6rh+1Wxbkzxcg9kNSw8vnqKOnHhbgoDgKkmBlPNyfISmWTnDa2yKeI= Received: from bguruswamy-virtual-machine.eng.vmware.com ([66.170.99.2]) by smtp.gmail.com with ESMTPSA id f6-20020a170902684600b001d8da07e447sm3503527pln.9.2024.02.10.12.12.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 10 Feb 2024 12:12:55 -0800 (PST) From: Guruswamy Basavaiah To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: ajay.kaher@broadcom.com, tapas.kundu@broadcom.com, Guruswamy Basavaiah , Robert Morris , Paulo Alcantara , Steve French Subject: [PATCH 5.10.y 2/3] smb: client: fix potential OOBs in smb2_parse_contexts() Date: Sun, 11 Feb 2024 01:42:35 +0530 Message-Id: <20240210201237.3089385-2-guruswamy.basavaiah@broadcom.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240210201237.3089385-1-guruswamy.basavaiah@broadcom.com> References: <20240210201237.3089385-1-guruswamy.basavaiah@broadcom.com> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Paulo Alcantara [ Upstream commit af1689a9b7701d9907dfc84d2a4b57c4bc907144 ] Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). This fixes following oops when accessing invalid create contexts from server: BUG: unable to handle page fault for address: ffff8881178d8cc3 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 4a01067 P4D 4a01067 PUD 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs] Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00 RSP: 0018:ffffc900007939e0 EFLAGS: 00010216 RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90 RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000 RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000 R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000 R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22 FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: ? __die+0x23/0x70 ? page_fault_oops+0x181/0x480 ? search_module_extables+0x19/0x60 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x1b6/0x1c0 ? asm_exc_page_fault+0x26/0x30 ? smb2_parse_contexts+0xa0/0x3a0 [cifs] SMB2_open+0x38d/0x5f0 [cifs] ? smb2_is_path_accessible+0x138/0x260 [cifs] smb2_is_path_accessible+0x138/0x260 [cifs] cifs_is_path_remote+0x8d/0x230 [cifs] cifs_mount+0x7e/0x350 [cifs] cifs_smb3_do_mount+0x128/0x780 [cifs] smb3_get_tree+0xd9/0x290 [cifs] vfs_get_tree+0x2c/0x100 ? capable+0x37/0x70 path_mount+0x2d7/0xb80 ? srso_alias_return_thunk+0x5/0xfbef5 ? _raw_spin_unlock_irqrestore+0x44/0x60 __x64_sys_mount+0x11a/0x150 do_syscall_64+0x47/0xf0 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f8737657b1e Reported-by: Robert Morris Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French [Guru: Removed changes to cached_dir.c and checking return value of smb2_parse_contexts in smb2ops.c] Signed-off-by: Guruswamy Basavaiah --- fs/cifs/smb2ops.c | 4 +- fs/cifs/smb2pdu.c | 93 +++++++++++++++++++++++++++------------------ fs/cifs/smb2proto.h | 12 +++--- 3 files changed, 66 insertions(+), 43 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 867b32b1393f..0930efc7ba37 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -908,10 +908,12 @@ int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon, */ kref_get(&tcon->crfid.refcount); tcon->crfid.has_lease = true; - smb2_parse_contexts(server, o_rsp, + rc = smb2_parse_contexts(server, rsp_iov, &oparms.fid->epoch, oparms.fid->lease_key, &oplock, NULL, NULL); + if (rc) + goto oshr_exit; } else goto oshr_exit; diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6714e9db0ee8..541f7d6aaf3d 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2056,17 +2056,18 @@ parse_posix_ctxt(struct create_context *cc, struct smb2_file_all_info *info, posix->nlink, posix->mode, posix->reparse_tag); } -void -smb2_parse_contexts(struct TCP_Server_Info *server, - struct smb2_create_rsp *rsp, - unsigned int *epoch, char *lease_key, __u8 *oplock, - struct smb2_file_all_info *buf, - struct create_posix_rsp *posix) +int smb2_parse_contexts(struct TCP_Server_Info *server, + struct kvec *rsp_iov, + unsigned int *epoch, + char *lease_key, __u8 *oplock, + struct smb2_file_all_info *buf, + struct create_posix_rsp *posix) { - char *data_offset; + struct smb2_create_rsp *rsp = rsp_iov->iov_base; struct create_context *cc; - unsigned int next; - unsigned int remaining; + size_t rem, off, len; + size_t doff, dlen; + size_t noff, nlen; char *name; static const char smb3_create_tag_posix[] = { 0x93, 0xAD, 0x25, 0x50, 0x9C, @@ -2075,45 +2076,63 @@ smb2_parse_contexts(struct TCP_Server_Info *server, }; *oplock = 0; - data_offset = (char *)rsp + le32_to_cpu(rsp->CreateContextsOffset); - remaining = le32_to_cpu(rsp->CreateContextsLength); - cc = (struct create_context *)data_offset; + + off = le32_to_cpu(rsp->CreateContextsOffset); + rem = le32_to_cpu(rsp->CreateContextsLength); + if (check_add_overflow(off, rem, &len) || len > rsp_iov->iov_len) + return -EINVAL; + cc = (struct create_context *)((u8 *)rsp + off); /* Initialize inode number to 0 in case no valid data in qfid context */ if (buf) buf->IndexNumber = 0; - while (remaining >= sizeof(struct create_context)) { - name = le16_to_cpu(cc->NameOffset) + (char *)cc; - if (le16_to_cpu(cc->NameLength) == 4 && - strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4) == 0) - *oplock = server->ops->parse_lease_buf(cc, epoch, - lease_key); - else if (buf && (le16_to_cpu(cc->NameLength) == 4) && - strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4) == 0) - parse_query_id_ctxt(cc, buf); - else if ((le16_to_cpu(cc->NameLength) == 16)) { - if (posix && - memcmp(name, smb3_create_tag_posix, 16) == 0) + while (rem >= sizeof(*cc)) { + doff = le16_to_cpu(cc->DataOffset); + dlen = le32_to_cpu(cc->DataLength); + if (check_add_overflow(doff, dlen, &len) || len > rem) + return -EINVAL; + + noff = le16_to_cpu(cc->NameOffset); + nlen = le16_to_cpu(cc->NameLength); + if (noff + nlen >= doff) + return -EINVAL; + + name = (char *)cc + noff; + switch (nlen) { + case 4: + if (!strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) { + *oplock = server->ops->parse_lease_buf(cc, epoch, + lease_key); + } else if (buf && + !strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4)) { + parse_query_id_ctxt(cc, buf); + } + break; + case 16: + if (posix && !memcmp(name, smb3_create_tag_posix, 16)) parse_posix_ctxt(cc, buf, posix); + break; + default: + cifs_dbg(FYI, "%s: unhandled context (nlen=%zu dlen=%zu)\n", + __func__, nlen, dlen); + if (IS_ENABLED(CONFIG_CIFS_DEBUG2)) + cifs_dump_mem("context data: ", cc, dlen); + break; } - /* else { - cifs_dbg(FYI, "Context not matched with len %d\n", - le16_to_cpu(cc->NameLength)); - cifs_dump_mem("Cctxt name: ", name, 4); - } */ - - next = le32_to_cpu(cc->Next); - if (!next) + + off = le32_to_cpu(cc->Next); + if (!off) break; - remaining -= next; - cc = (struct create_context *)((char *)cc + next); + if (check_sub_overflow(rem, off, &rem)) + return -EINVAL; + cc = (struct create_context *)((u8 *)cc + off); } if (rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) *oplock = rsp->OplockLevel; - return; + return 0; } static int @@ -2983,8 +3002,8 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path, } - smb2_parse_contexts(server, rsp, &oparms->fid->epoch, - oparms->fid->lease_key, oplock, buf, posix); + rc = smb2_parse_contexts(server, &rsp_iov, &oparms->fid->epoch, + oparms->fid->lease_key, oplock, buf, posix); creat_exit: SMB2_open_free(&rqst); free_rsp_buf(resp_buftype, rsp); diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h index 547945443fa7..6c5a4d44b248 100644 --- a/fs/cifs/smb2proto.h +++ b/fs/cifs/smb2proto.h @@ -259,11 +259,13 @@ extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *); extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *, enum securityEnum); -extern void smb2_parse_contexts(struct TCP_Server_Info *server, - struct smb2_create_rsp *rsp, - unsigned int *epoch, char *lease_key, - __u8 *oplock, struct smb2_file_all_info *buf, - struct create_posix_rsp *posix); +int smb2_parse_contexts(struct TCP_Server_Info *server, + struct kvec *rsp_iov, + unsigned int *epoch, + char *lease_key, __u8 *oplock, + struct smb2_file_all_info *buf, + struct create_posix_rsp *posix); + extern int smb3_encryption_required(const struct cifs_tcon *tcon); extern int smb2_validate_iov(unsigned int offset, unsigned int buffer_length, struct kvec *iov, unsigned int min_buf_size); -- 2.25.1