UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/fs/cifs
History
Paulo Alcantara f8b08ae2ff smb: client: fix OOBs when building SMB2_IOCTL request 
[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ]

Fix CVE: CVE-2024-50151

When using encryption, either enforced by the server or when using
'seal' mount option, the client will squash all compound request buffers
down for encryption into a single iov in smb2_set_next_command().

SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
SMB2_IOCTL request in the first iov, and if the user passes an input
buffer that is greater than 328 bytes, smb2_set_next_command() will
end up writing off the end of @rqst->iov[0].iov_base as shown below:

  mount.cifs //srv/share /mnt -o ...,seal
  ln -s $(perl -e "print('a')for 1..1024") /mnt/link

  BUG: KASAN: slab-out-of-bounds in
  smb2_set_next_command.cold+0x1d6/0x24c [cifs]
  Write of size 4116 at addr ffff8881148fcab8 by task ln/859

  CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
  1.16.3-2.fc40 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   print_report+0x156/0x4d9
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   ? __virt_addr_valid+0x145/0x310
   ? __phys_addr+0x46/0x90
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_report+0xda/0x110
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_check_range+0x10f/0x1f0
   __asan_memcpy+0x3c/0x60
   smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   smb2_compound_op+0x238c/0x3840 [cifs]
   ? kasan_save_track+0x14/0x30
   ? kasan_save_free_info+0x3b/0x70
   ? vfs_symlink+0x1a1/0x2c0
   ? do_symlinkat+0x108/0x1c0
   ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
   ? kmem_cache_free+0x118/0x3e0
   ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
   smb2_get_reparse_inode+0x423/0x540 [cifs]
   ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
   ? rcu_is_watching+0x20/0x50
   ? __kmalloc_noprof+0x37c/0x480
   ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
   ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
   ? find_held_lock+0x8a/0xa0
   ? hlock_class+0x32/0xb0
   ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
   cifs_symlink+0x24f/0x960 [cifs]
   ? __pfx_make_vfsuid+0x10/0x10
   ? __pfx_cifs_symlink+0x10/0x10 [cifs]
   ? make_vfsgid+0x6b/0xc0
   ? generic_permission+0x96/0x2d0
   vfs_symlink+0x1a1/0x2c0
   do_symlinkat+0x108/0x1c0
   ? __pfx_do_symlinkat+0x10/0x10
   ? strncpy_from_user+0xaa/0x160
   __x64_sys_symlinkat+0xb9/0xf0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f08d75c13bb

Reported-by: David Howells <dhowells@redhat.com>
Fixes: e77fe73c7e ("cifs: we can not use small padding iovs together with encryption")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Haisu Wang <haisuwang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
 		2024-12-31 16:32:32 +08:00
..
Kconfig various cifs/smb3 fixes (including for share deleted cases) and features including improved encrypted read performance, and various debugging improvements 2019-09-19 10:32:16 -07:00
Makefile cifs: Add support for root file systems 2019-09-16 11:43:38 -05:00
asn1.c ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
cache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
cifs_debug.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
cifs_debug.h cifs: add a debug macro that prints \\server\share for errors 2019-09-16 11:43:38 -05:00
cifs_dfs_ref.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifs_fs_sb.h smb3: add mount option to allow RW caching of share accessed by only 1 client 2019-09-16 11:43:38 -05:00
cifs_ioctl.h smb3: allow decryption keys to be dumped by admin for debugging 2019-09-21 06:02:26 -05:00
cifs_spnego.c Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs" 2019-07-10 18:43:43 -07:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifsacl.h smb3: missing ACL related flags 2019-09-26 16:37:43 -05:00
cifsencrypt.c fs: cifs: switch to RC4 library interface 2019-06-20 14:19:55 +08:00
cifsfs.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifsfs.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifsglob.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifspdu.h smb3: missing defines and structs for reparse point handling 2018-11-02 14:09:41 -05:00
cifsproto.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
cifsroot.c cifs: cifsroot: add more err checking 2019-09-16 11:43:39 -05:00
cifssmb.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
connect.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dfs_cache.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
dfs_cache.h cifs: Fix DFS cache refresher for DFS links 2019-05-07 23:24:54 -05:00
dir.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
dns_resolve.c keys: Pass the network namespace into request_key mechanism 2019-06-27 23:02:12 +01:00
dns_resolve.h DNS: Separate out CIFS DNS Resolver code 2010-08-05 17:17:51 +00:00
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c cifs: Fix use-after-free in rdata->read_into_pages() 2024-11-28 21:43:45 +08:00
fscache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
fscache.h cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
inode.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
ioctl.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
link.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
misc.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
netmisc.c fs: cifs: mute -Wunused-const-variable message 2019-10-06 22:04:35 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: check ntwrk_buf_start for NULL before dereferencing it 2018-12-23 22:41:31 -06:00
rfc1002pdu.h
sess.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb1ops.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb2file.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
smb2glob.h cifs: change SMB2_OP_RENAME and SMB2_OP_HARDLINK to use compounding 2018-10-23 21:16:04 -05:00
smb2inode.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb2maperror.c smb3: improve handling of share deleted (and share recreated) 2019-09-16 11:43:38 -05:00
smb2misc.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb2ops.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb2pdu.c smb: client: fix OOBs when building SMB2_IOCTL request 2024-12-31 16:32:32 +08:00
smb2pdu.h ock: sync codes to ock 5.4.119-20.0009.21 2024-06-11 20:27:38 +08:00
smb2proto.h tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smb2status.h cifs: don't use __constant_cpu_to_le32() 2019-05-07 23:24:54 -05:00
smb2transport.c tkernel: add base tlinux kernel interfaces 2024-06-11 20:09:33 +08:00
smbdirect.c tkernel: sync code to the same with tk4 pub/lts/0017-kabi 2024-06-12 13:13:20 +08:00
smbdirect.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h cifs: map NT_STATUS_ERROR_WRITE_PROTECTED to -EROFS 2010-08-02 12:40:40 +00:00
smbfsctl.h smb3: Add missing reparse tags 2019-09-24 23:31:32 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb3: add missing worker function for SMB3 change notify 2019-09-16 11:43:39 -05:00
transport.c smb3: fix lock ordering potential deadlock in cifs_sync_mid_result 2024-11-28 21:43:43 +08:00
winucase.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
xattr.c CIFS: fix max ea value size 2019-09-23 23:28:59 -05:00