Skip to content

Commit 3f71685

Browse files
torvaldstorvalds
committed
Merge tag '6.7-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French: "Address OOBs and NULL dereference found by Dr. Morris's recent analysis and fuzzing. All marked for stable as well" * tag '6.7-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: fix OOB in smb2_query_reparse_point() smb: client: fix NULL deref in asn1_ber_decoder() smb: client: fix potential OOBs in smb2_parse_contexts() smb: client: fix OOB in receive_encrypted_standard()
2 parents 976600c + 3a42709 commit 3f71685

5 files changed

Lines changed: 109 additions & 79 deletions

File tree

fs/smb/client/cached_dir.c

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -291,16 +291,23 @@ int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon,
291291
oparms.fid->mid = le64_to_cpu(o_rsp->hdr.MessageId);
292292
#endif /* CIFS_DEBUG2 */
293293

294-
rc = -EINVAL;
294+
295295
if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) {
296+
spin_unlock(&cfids->cfid_list_lock);
297+
rc = -EINVAL;
298+
goto oshr_free;
299+
}
300+
301+
rc = smb2_parse_contexts(server, rsp_iov,
302+
&oparms.fid->epoch,
303+
oparms.fid->lease_key,
304+
&oplock, NULL, NULL);
305+
if (rc) {
296306
spin_unlock(&cfids->cfid_list_lock);
297307
goto oshr_free;
298308
}
299309

300-
smb2_parse_contexts(server, o_rsp,
301-
&oparms.fid->epoch,
302-
oparms.fid->lease_key, &oplock,
303-
NULL, NULL);
310+
rc = -EINVAL;
304311
if (!(oplock & SMB2_LEASE_READ_CACHING_HE)) {
305312
spin_unlock(&cfids->cfid_list_lock);
306313
goto oshr_free;

fs/smb/client/smb2misc.c

Lines changed: 10 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -313,6 +313,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
313313
char *
314314
smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr)
315315
{
316+
const int max_off = 4096;
317+
const int max_len = 128 * 1024;
318+
316319
*off = 0;
317320
*len = 0;
318321

@@ -384,29 +387,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr)
384387
* Invalid length or offset probably means data area is invalid, but
385388
* we have little choice but to ignore the data area in this case.
386389
*/
387-
if (*off > 4096) {
388-
cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
389-
*len = 0;
390-
*off = 0;
391-
} else if (*off < 0) {
392-
cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
393-
*off);
390+
if (unlikely(*off < 0 || *off > max_off ||
391+
*len < 0 || *len > max_len)) {
392+
cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",
393+
__func__, *off, *len);
394394
*off = 0;
395395
*len = 0;
396-
} else if (*len < 0) {
397-
cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
398-
*len);
399-
*len = 0;
400-
} else if (*len > 128 * 1024) {
401-
cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
396+
} else if (*off == 0) {
402397
*len = 0;
403398
}
404399

405400
/* return pointer to beginning of data area, ie offset from SMB start */
406-
if ((*off != 0) && (*len != 0))
401+
if (*off > 0 && *len > 0)
407402
return (char *)shdr + *off;
408-
else
409-
return NULL;
403+
return NULL;
410404
}
411405

412406
/*

fs/smb/client/smb2ops.c

Lines changed: 24 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -3003,7 +3003,7 @@ static int smb2_query_reparse_point(const unsigned int xid,
30033003
struct kvec *rsp_iov;
30043004
struct smb2_ioctl_rsp *ioctl_rsp;
30053005
struct reparse_data_buffer *reparse_buf;
3006-
u32 plen;
3006+
u32 off, count, len;
30073007

30083008
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
30093009

@@ -3084,16 +3084,22 @@ static int smb2_query_reparse_point(const unsigned int xid,
30843084
*/
30853085
if (rc == 0) {
30863086
/* See MS-FSCC 2.3.23 */
3087+
off = le32_to_cpu(ioctl_rsp->OutputOffset);
3088+
count = le32_to_cpu(ioctl_rsp->OutputCount);
3089+
if (check_add_overflow(off, count, &len) ||
3090+
len > rsp_iov[1].iov_len) {
3091+
cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
3092+
__func__, off, count);
3093+
rc = -EIO;
3094+
goto query_rp_exit;
3095+
}
30873096

3088-
reparse_buf = (struct reparse_data_buffer *)
3089-
((char *)ioctl_rsp +
3090-
le32_to_cpu(ioctl_rsp->OutputOffset));
3091-
plen = le32_to_cpu(ioctl_rsp->OutputCount);
3092-
3093-
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
3094-
rsp_iov[1].iov_len) {
3095-
cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",
3096-
plen);
3097+
reparse_buf = (void *)((u8 *)ioctl_rsp + off);
3098+
len = sizeof(*reparse_buf);
3099+
if (count < len ||
3100+
count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {
3101+
cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
3102+
__func__, off, count);
30973103
rc = -EIO;
30983104
goto query_rp_exit;
30993105
}
@@ -4943,6 +4949,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
49434949
struct smb2_hdr *shdr;
49444950
unsigned int pdu_length = server->pdu_size;
49454951
unsigned int buf_size;
4952+
unsigned int next_cmd;
49464953
struct mid_q_entry *mid_entry;
49474954
int next_is_large;
49484955
char *next_buffer = NULL;
@@ -4971,14 +4978,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
49714978
next_is_large = server->large_buf;
49724979
one_more:
49734980
shdr = (struct smb2_hdr *)buf;
4974-
if (shdr->NextCommand) {
4981+
next_cmd = le32_to_cpu(shdr->NextCommand);
4982+
if (next_cmd) {
4983+
if (WARN_ON_ONCE(next_cmd > pdu_length))
4984+
return -1;
49754985
if (next_is_large)
49764986
next_buffer = (char *)cifs_buf_get();
49774987
else
49784988
next_buffer = (char *)cifs_small_buf_get();
4979-
memcpy(next_buffer,
4980-
buf + le32_to_cpu(shdr->NextCommand),
4981-
pdu_length - le32_to_cpu(shdr->NextCommand));
4989+
memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
49824990
}
49834991

49844992
mid_entry = smb2_find_mid(server, buf);
@@ -5002,8 +5010,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
50025010
else
50035011
ret = cifs_handle_standard(server, mid_entry);
50045012

5005-
if (ret == 0 && shdr->NextCommand) {
5006-
pdu_length -= le32_to_cpu(shdr->NextCommand);
5013+
if (ret == 0 && next_cmd) {
5014+
pdu_length -= next_cmd;
50075015
server->large_buf = next_is_large;
50085016
if (next_is_large)
50095017
server->bigbuf = buf = next_buffer;

fs/smb/client/smb2pdu.c

Lines changed: 56 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -2236,17 +2236,18 @@ parse_posix_ctxt(struct create_context *cc, struct smb2_file_all_info *info,
22362236
posix->nlink, posix->mode, posix->reparse_tag);
22372237
}
22382238

2239-
void
2240-
smb2_parse_contexts(struct TCP_Server_Info *server,
2241-
struct smb2_create_rsp *rsp,
2242-
unsigned int *epoch, char *lease_key, __u8 *oplock,
2243-
struct smb2_file_all_info *buf,
2244-
struct create_posix_rsp *posix)
2239+
int smb2_parse_contexts(struct TCP_Server_Info *server,
2240+
struct kvec *rsp_iov,
2241+
unsigned int *epoch,
2242+
char *lease_key, __u8 *oplock,
2243+
struct smb2_file_all_info *buf,
2244+
struct create_posix_rsp *posix)
22452245
{
2246-
char *data_offset;
2246+
struct smb2_create_rsp *rsp = rsp_iov->iov_base;
22472247
struct create_context *cc;
2248-
unsigned int next;
2249-
unsigned int remaining;
2248+
size_t rem, off, len;
2249+
size_t doff, dlen;
2250+
size_t noff, nlen;
22502251
char *name;
22512252
static const char smb3_create_tag_posix[] = {
22522253
0x93, 0xAD, 0x25, 0x50, 0x9C,
@@ -2255,45 +2256,63 @@ smb2_parse_contexts(struct TCP_Server_Info *server,
22552256
};
22562257

22572258
*oplock = 0;
2258-
data_offset = (char *)rsp + le32_to_cpu(rsp->CreateContextsOffset);
2259-
remaining = le32_to_cpu(rsp->CreateContextsLength);
2260-
cc = (struct create_context *)data_offset;
2259+
2260+
off = le32_to_cpu(rsp->CreateContextsOffset);
2261+
rem = le32_to_cpu(rsp->CreateContextsLength);
2262+
if (check_add_overflow(off, rem, &len) || len > rsp_iov->iov_len)
2263+
return -EINVAL;
2264+
cc = (struct create_context *)((u8 *)rsp + off);
22612265

22622266
/* Initialize inode number to 0 in case no valid data in qfid context */
22632267
if (buf)
22642268
buf->IndexNumber = 0;
22652269

2266-
while (remaining >= sizeof(struct create_context)) {
2267-
name = le16_to_cpu(cc->NameOffset) + (char *)cc;
2268-
if (le16_to_cpu(cc->NameLength) == 4 &&
2269-
strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4) == 0)
2270-
*oplock = server->ops->parse_lease_buf(cc, epoch,
2271-
lease_key);
2272-
else if (buf && (le16_to_cpu(cc->NameLength) == 4) &&
2273-
strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4) == 0)
2274-
parse_query_id_ctxt(cc, buf);
2275-
else if ((le16_to_cpu(cc->NameLength) == 16)) {
2276-
if (posix &&
2277-
memcmp(name, smb3_create_tag_posix, 16) == 0)
2270+
while (rem >= sizeof(*cc)) {
2271+
doff = le16_to_cpu(cc->DataOffset);
2272+
dlen = le32_to_cpu(cc->DataLength);
2273+
if (check_add_overflow(doff, dlen, &len) || len > rem)
2274+
return -EINVAL;
2275+
2276+
noff = le16_to_cpu(cc->NameOffset);
2277+
nlen = le16_to_cpu(cc->NameLength);
2278+
if (noff + nlen >= doff)
2279+
return -EINVAL;
2280+
2281+
name = (char *)cc + noff;
2282+
switch (nlen) {
2283+
case 4:
2284+
if (!strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
2285+
*oplock = server->ops->parse_lease_buf(cc, epoch,
2286+
lease_key);
2287+
} else if (buf &&
2288+
!strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4)) {
2289+
parse_query_id_ctxt(cc, buf);
2290+
}
2291+
break;
2292+
case 16:
2293+
if (posix && !memcmp(name, smb3_create_tag_posix, 16))
22782294
parse_posix_ctxt(cc, buf, posix);
2295+
break;
2296+
default:
2297+
cifs_dbg(FYI, "%s: unhandled context (nlen=%zu dlen=%zu)\n",
2298+
__func__, nlen, dlen);
2299+
if (IS_ENABLED(CONFIG_CIFS_DEBUG2))
2300+
cifs_dump_mem("context data: ", cc, dlen);
2301+
break;
22792302
}
2280-
/* else {
2281-
cifs_dbg(FYI, "Context not matched with len %d\n",
2282-
le16_to_cpu(cc->NameLength));
2283-
cifs_dump_mem("Cctxt name: ", name, 4);
2284-
} */
2285-
2286-
next = le32_to_cpu(cc->Next);
2287-
if (!next)
2303+
2304+
off = le32_to_cpu(cc->Next);
2305+
if (!off)
22882306
break;
2289-
remaining -= next;
2290-
cc = (struct create_context *)((char *)cc + next);
2307+
if (check_sub_overflow(rem, off, &rem))
2308+
return -EINVAL;
2309+
cc = (struct create_context *)((u8 *)cc + off);
22912310
}
22922311

22932312
if (rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE)
22942313
*oplock = rsp->OplockLevel;
22952314

2296-
return;
2315+
return 0;
22972316
}
22982317

22992318
static int
@@ -3124,8 +3143,8 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
31243143
}
31253144

31263145

3127-
smb2_parse_contexts(server, rsp, &oparms->fid->epoch,
3128-
oparms->fid->lease_key, oplock, buf, posix);
3146+
rc = smb2_parse_contexts(server, &rsp_iov, &oparms->fid->epoch,
3147+
oparms->fid->lease_key, oplock, buf, posix);
31293148
creat_exit:
31303149
SMB2_open_free(&rqst);
31313150
free_rsp_buf(resp_buftype, rsp);

fs/smb/client/smb2proto.h

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -251,11 +251,13 @@ extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
251251

252252
extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *,
253253
enum securityEnum);
254-
extern void smb2_parse_contexts(struct TCP_Server_Info *server,
255-
struct smb2_create_rsp *rsp,
256-
unsigned int *epoch, char *lease_key,
257-
__u8 *oplock, struct smb2_file_all_info *buf,
258-
struct create_posix_rsp *posix);
254+
int smb2_parse_contexts(struct TCP_Server_Info *server,
255+
struct kvec *rsp_iov,
256+
unsigned int *epoch,
257+
char *lease_key, __u8 *oplock,
258+
struct smb2_file_all_info *buf,
259+
struct create_posix_rsp *posix);
260+
259261
extern int smb3_encryption_required(const struct cifs_tcon *tcon);
260262
extern int smb2_validate_iov(unsigned int offset, unsigned int buffer_length,
261263
struct kvec *iov, unsigned int min_buf_size);

0 commit comments

Comments
 (0)