* Re: [PATCH v2 6.1] cifs: Fix buffer overflow when parsing NFS reparse points
2024-11-25 8:48 [PATCH v2 6.1] cifs: Fix buffer overflow when parsing NFS reparse points Mahmoud Adam
@ 2024-11-25 15:20 ` Sasha Levin
0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2024-11-25 15:20 UTC (permalink / raw)
To: stable; +Cc: Mahmoud Adam, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: e2a8910af01653c1c268984855629d71fb81f404
WARNING: Author mismatch between patch and upstream commit:
Backport author: Mahmoud Adam <mngyadam@amazon.com>
Commit author: Pali Rohár <pali@kernel.org>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (different SHA1: c173d47b69f0)
6.6.y | Present (different SHA1: c6db81c550ce)
6.1.y | Present (different SHA1: 08461ff8be1c)
Note: The patch differs from the upstream commit:
---
--- - 2024-11-25 08:29:51.938406404 -0500
+++ /tmp/tmp.ZDtVEXXRHN 2024-11-25 08:29:51.928317283 -0500
@@ -1,3 +1,5 @@
+commit e2a8910af01653c1c268984855629d71fb81f404 upstream.
+
ReparseDataLength is sum of the InodeType size and DataBuffer size.
So to get DataBuffer size it is needed to subtract InodeType's size from
ReparseDataLength.
@@ -18,48 +20,32 @@
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
+[use variable name symlink_buf, the other buf->InodeType accesses are
+not used in current version so skip]
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
---
- fs/smb/client/reparse.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
+v2: fix upstream format.
+https://lore.kernel.org/stable/Z0Pd9slDKJNM0n3T@ca93ea81d97d/T/#m8cdb746a2527f2c27c95c9b2b25b5cc8f20ce74a
+ fs/smb/client/smb2ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
-diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
-index 3b48a093cfb1f..8ea7a848aa393 100644
---- a/fs/smb/client/reparse.c
-+++ b/fs/smb/client/reparse.c
-@@ -320,9 +320,16 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
- unsigned int len;
- u64 type;
+diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
+index d1e5ff9a3cd39..fcfbc096924a8 100644
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -2897,6 +2897,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf,
-+ len = le16_to_cpu(buf->ReparseDataLength);
-+ if (len < sizeof(buf->InodeType)) {
+ /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */
+ len = le16_to_cpu(symlink_buf->ReparseDataLength);
++ if (len < sizeof(symlink_buf->InodeType)) {
+ cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
+ return -EIO;
+ }
+
-+ len -= sizeof(buf->InodeType);
-+
- switch ((type = le64_to_cpu(buf->InodeType))) {
- case NFS_SPECFILE_LNK:
-- len = le16_to_cpu(buf->ReparseDataLength);
- data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer,
- len, true,
- cifs_sb->local_nls);
-@@ -482,12 +489,18 @@ bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb,
- u32 tag = data->reparse.tag;
++ len -= sizeof(symlink_buf->InodeType);
- if (tag == IO_REPARSE_TAG_NFS && buf) {
-+ if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType))
-+ return false;
- switch (le64_to_cpu(buf->InodeType)) {
- case NFS_SPECFILE_CHR:
-+ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
-+ return false;
- fattr->cf_mode |= S_IFCHR;
- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
- break;
- case NFS_SPECFILE_BLK:
-+ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
-+ return false;
- fattr->cf_mode |= S_IFBLK;
- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
- break;
+ if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) {
+ cifs_dbg(VFS, "%lld not a supported symlink type\n",
+--
+2.40.1
+
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 2+ messages in thread