korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 08:14:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
b57a55e220
linux/fs/cifs
History
ZhangXiaoxu b57a55e220 cifs: Fix lease buffer length error 
There is a KASAN slab-out-of-bounds:
BUG: KASAN: slab-out-of-bounds in _copy_from_iter_full+0x783/0xaa0
Read of size 80 at addr ffff88810c35e180 by task mount.cifs/539

CPU: 1 PID: 539 Comm: mount.cifs Not tainted 4.19 #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
            rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack+0xdd/0x12a
 print_address_description+0xa7/0x540
 kasan_report+0x1ff/0x550
 check_memory_region+0x2f1/0x310
 memcpy+0x2f/0x80
 _copy_from_iter_full+0x783/0xaa0
 tcp_sendmsg_locked+0x1840/0x4140
 tcp_sendmsg+0x37/0x60
 inet_sendmsg+0x18c/0x490
 sock_sendmsg+0xae/0x130
 smb_send_kvec+0x29c/0x520
 __smb_send_rqst+0x3ef/0xc60
 smb_send_rqst+0x25a/0x2e0
 compound_send_recv+0x9e8/0x2af0
 cifs_send_recv+0x24/0x30
 SMB2_open+0x35e/0x1620
 open_shroot+0x27b/0x490
 smb2_open_op_close+0x4e1/0x590
 smb2_query_path_info+0x2ac/0x650
 cifs_get_inode_info+0x1058/0x28f0
 cifs_root_iget+0x3bb/0xf80
 cifs_smb3_do_mount+0xe00/0x14c0
 cifs_do_mount+0x15/0x20
 mount_fs+0x5e/0x290
 vfs_kern_mount+0x88/0x460
 do_mount+0x398/0x31e0
 ksys_mount+0xc6/0x150
 __x64_sys_mount+0xea/0x190
 do_syscall_64+0x122/0x590
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

It can be reproduced by the following step:
  1. samba configured with: server max protocol = SMB2_10
  2. mount -o vers=default

When parse the mount version parameter, the 'ops' and 'vals'
was setted to smb30,  if negotiate result is smb21, just
update the 'ops' to smb21, but the 'vals' is still smb30.
When add lease context, the iov_base is allocated with smb21
ops, but the iov_len is initiallited with the smb30. Because
the iov_len is longer than iov_base, when send the message,
copy array out of bounds.

we need to keep the 'ops' and 'vals' consistent.

Fixes: 9764c02fcb ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
Fixes: d5c7076b77 ("smb3: add smb3.1.1 to default dialect list")

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
2019-04-16 09:38:23 -05:00
..
asn1.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
cifs_debug.c smb3: display volume serial number for shares in /proc/fs/cifs/DebugData 2019-03-14 19:32:35 -05:00
cifs_debug.h cifs: minor clarification in comments 2018-10-23 21:16:05 -05:00
cifs_dfs_ref.c cifs: use correct format characters 2019-03-05 18:10:28 -06:00
cifs_fs_sb.h smb3: make default i/o size for smb3 mounts larger 2019-03-04 20:05:35 -06:00
cifs_ioctl.h SMB3: passthru query info doesn't check for SMB3 FSCTL passthru 2019-03-14 19:32:36 -05:00
cifs_spnego.c smb3: on kerberos mount if server doesn't specify auth type use krb5 2018-11-02 14:09:41 -05:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c fs/cifs: don't translate SFM_SLASH (U+F026) to backslash 2018-09-02 23:21:42 -05:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h
cifsacl.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cifsacl.h cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-04 19:19:24 -05:00
cifsencrypt.c cifs: remove coverity warning in calc_lanman_hash 2018-12-23 22:41:26 -06:00
cifsfs.c SMB3: Allow persistent handle timeout to be configurable on mount 2019-04-01 14:33:36 -05:00
cifsfs.h cifs: update internal module version number 2019-03-22 22:43:04 -05:00
cifsglob.h SMB3: Allow persistent handle timeout to be configurable on mount 2019-04-01 14:33:36 -05:00
cifspdu.h smb3: missing defines and structs for reparse point handling 2018-11-02 14:09:41 -05:00
cifsproto.h CIFS: Return error code when getting file handle for writeback 2019-03-05 18:10:04 -06:00
cifssmb.c CIFS: Return error code when getting file handle for writeback 2019-03-05 18:10:04 -06:00
connect.c SMB3: Allow persistent handle timeout to be configurable on mount 2019-04-01 14:33:36 -05:00
dfs_cache.c cifs: Fix a tiny potential memory leak 2019-01-10 14:32:30 -06:00
dfs_cache.h cifs: Add DFS cache routines 2018-12-28 10:05:58 -06:00
dir.c CIFS: make mknod() an smb_version_op 2019-03-14 19:32:36 -05:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c CIFS: Fix an issue with re-sending rdata when transport returning -EAGAIN 2019-03-22 22:36:54 -05:00
fscache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
fscache.h cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
inode.c smb3: make default i/o size for smb3 mounts larger 2019-03-04 20:05:35 -06:00
ioctl.c cifs: add support for ioctl on directories 2018-10-23 21:16:05 -05:00
Kconfig fs: cifs: Kconfig: pedantic formatting 2019-03-06 21:55:12 -06:00
link.c cifs: replace snprintf with scnprintf 2019-03-04 20:05:34 -06:00
Makefile cifs: Add DFS cache routines 2018-12-28 10:05:58 -06:00
misc.c cifs: Add support for failover in smb2_reconnect() 2018-12-28 10:13:11 -06:00
netmisc.c cifs: use timespec64 internally 2018-08-07 14:15:41 -05:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: check ntwrk_buf_start for NULL before dereferencing it 2018-12-23 22:41:31 -06:00
rfc1002pdu.h
sess.c cifs: remove set but not used variable 'smb_buf' 2018-12-23 22:41:20 -06:00
smb1ops.c CIFS: make mknod() an smb_version_op 2019-03-14 19:32:36 -05:00
smb2file.c SMB3: Allow persistent handle timeout to be configurable on mount 2019-04-01 14:33:36 -05:00
smb2glob.h cifs: change SMB2_OP_RENAME and SMB2_OP_HARDLINK to use compounding 2018-10-23 21:16:04 -05:00
smb2inode.c smb3: Add dynamic trace points for various compounded smb3 ops 2019-03-14 19:32:35 -05:00
smb2maperror.c fix incorrect error code mapping for OBJECTID_NOT_FOUND 2019-03-22 22:36:54 -05:00
smb2misc.c CIFS: Do not reset lease state to NONE on lease break 2019-03-04 20:05:35 -06:00
smb2ops.c cifs: a smb2_validate_and_copy_iov failure does not mean the handle is invalid. 2019-04-01 14:33:38 -05:00
smb2pdu.c cifs: Fix lease buffer length error 2019-04-16 09:38:23 -05:00
smb2pdu.h cifs: fix smb3_zero_range so it can expand the file-size when required 2019-03-14 19:32:35 -05:00
smb2proto.h smb3: Fix enumerating snapshots to Azure 2019-04-01 14:33:34 -05:00
smb2status.h smb2: fix typo in definition of a few error flags 2019-03-14 19:32:36 -05:00
smb2transport.c CIFS: Only send SMB2_NEGOTIATE command on new TCP connections 2019-03-05 18:14:27 -06:00
smbdirect.c cifs: replace snprintf with scnprintf 2019-03-04 20:05:34 -06:00
smbdirect.h cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-01 20:24:39 -05:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h cifs: Fix slab-out-of-bounds when tracing SMB tcon 2019-03-22 22:36:54 -05:00
transport.c cifs: simplify how we handle credits in compound_send_recv() 2019-03-14 19:32:35 -05:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c smb3: create smb3 equivalent alias for cifs pseudo-xattrs 2018-08-10 18:46:58 -05:00