linux/fs/cifs
Vladimir Zapolskiy 64b7f674c2 cifs: Fix incomplete memory allocation on setxattr path
On setxattr() syscall path due to an apprent typo the size of a dynamically
allocated memory chunk for storing struct smb2_file_full_ea_info object is
computed incorrectly, to be more precise the first addend is the size of
a pointer instead of the wanted object size. Coincidentally it makes no
difference on 64-bit platforms, however on 32-bit targets the following
memcpy() writes 4 bytes of data outside of the dynamically allocated memory.

  =============================================================================
  BUG kmalloc-16 (Not tainted): Redzone overwritten
  -----------------------------------------------------------------------------

  Disabling lock debugging due to kernel taint
  INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
  INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
  INFO: Object 0x6f171df3 @offset=352 fp=0x00000000

  Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
  Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
  Redzone 79e69a6f: 73 68 32 0a                                      sh2.
  Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
  Call Trace:
   dump_stack+0x54/0x6e
   print_trailer+0x12c/0x134
   check_bytes_and_report.cold+0x3e/0x69
   check_object+0x18c/0x250
   free_debug_processing+0xfe/0x230
   __slab_free+0x1c0/0x300
   kfree+0x1d3/0x220
   smb2_set_ea+0x27d/0x540
   cifs_xattr_set+0x57f/0x620
   __vfs_setxattr+0x4e/0x60
   __vfs_setxattr_noperm+0x4e/0x100
   __vfs_setxattr_locked+0xae/0xd0
   vfs_setxattr+0x4e/0xe0
   setxattr+0x12c/0x1a0
   path_setxattr+0xa4/0xc0
   __ia32_sys_lsetxattr+0x1d/0x20
   __do_fast_syscall_32+0x40/0x70
   do_fast_syscall_32+0x29/0x60
   do_SYSENTER_32+0x15/0x20
   entry_SYSENTER_32+0x9f/0xf2

Fixes: 5517554e43 ("cifs: Add support for writing attributes on SMB2+")
Signed-off-by: Vladimir Zapolskiy <vladimir@tuxera.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-10-10 15:52:54 -07:00
..
asn1.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
cifs_debug.c cifs: Display local UID details for SMB sessions in DebugData 2020-07-01 19:38:19 -05:00
cifs_debug.h cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifs_dfs_ref.c cifs: fix potential mismatch of UNC paths 2020-02-24 14:20:38 -06:00
cifs_fs_sb.h smb3: add mount option to allow RW caching of share accessed by only 1 client 2019-09-16 11:43:38 -05:00
cifs_ioctl.h cifs: add SMB3 change notification support 2020-02-06 09:14:28 -06:00
cifs_spnego.c cifs: switch servers depending on binding state 2019-11-25 01:16:30 -06:00
cifs_spnego.h
cifs_unicode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
cifsacl.h cifs: delete duplicated words in header files 2020-08-02 18:00:26 -05:00
cifsencrypt.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
cifsfs.c smb3: fix typo in mount options displayed in /proc/mounts 2020-06-10 12:05:15 -05:00
cifsfs.h cifs: update internal module version number 2020-07-09 10:07:09 -05:00
cifsglob.h cifs: fix check of tcon dfs in smb1 2020-08-28 12:27:33 -05:00
cifspdu.h cifs: cifspdu.h: Replace zero-length array with flexible-array member 2020-03-22 22:49:10 -05:00
cifsproto.h cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect 2020-08-02 18:00:26 -05:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
connect.c DFS SMB1 Fix 2020-08-30 11:38:21 -07:00
dfs_cache.c Merge branch 'akpm' (patches from Andrew) 2020-08-07 11:39:33 -07:00
dfs_cache.h cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect 2020-08-02 18:00:26 -05:00
dir.c smb311: add support for using info level for posix extensions query 2020-06-12 08:54:12 -05:00
dns_resolve.c keys: Pass the network namespace into request_key mechanism 2019-06-27 23:02:12 +01:00
dns_resolve.h
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c cifs: remove the retry in cifs_poxis_lock_set 2020-07-07 23:51:16 -05:00
fscache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
fscache.h smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
inode.c cifs: fix DFS mount with cifsacl/modefromsid 2020-09-06 23:59:53 -05:00
ioctl.c cifs: fix reference leak for tlink 2020-07-09 10:06:52 -05:00
Kconfig smb3: smbdirect support can be configured by default 2020-04-07 13:39:00 -05:00
link.c smb311: add support for using info level for posix extensions query 2020-06-12 08:54:12 -05:00
Makefile cifs: Add support for root file systems 2019-09-16 11:43:38 -05:00
misc.c Merge branch 'akpm' (patches from Andrew) 2020-08-07 11:39:33 -07:00
netmisc.c cifs`: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
rfc1002pdu.h
sess.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
smb1ops.c cifs: smb1: Try failing back to SetFileInfo if SetPathInfo fails 2020-08-02 18:00:25 -05:00
smb2file.c cifs: allow unlock flock and OFD lock across fork 2020-03-22 22:49:09 -05:00
smb2glob.h SMB311: Add support for query info using posix extensions (level 100) 2020-06-12 06:20:38 -05:00
smb2inode.c SMB3: Fix mkdir when idsfromsid configured on mount 2020-08-13 19:41:01 -05:00
smb2maperror.c smb3: improve handling of share deleted (and share recreated) 2019-09-16 11:43:38 -05:00
smb2misc.c cifs: Fix leak when handling lease break for cached root fid 2020-08-02 18:00:25 -05:00
smb2ops.c cifs: Fix incomplete memory allocation on setxattr path 2020-10-10 15:52:54 -07:00
smb2pdu.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
smb2pdu.h cifs: delete duplicated words in header files 2020-08-02 18:00:26 -05:00
smb2proto.h smb311: Add support for SMB311 query info (non-compounded) 2020-06-12 06:21:06 -05:00
smb2status.h cifs: don't use __constant_cpu_to_le32() 2019-05-07 23:24:54 -05:00
smb2transport.c smb3: remove overly noisy debug line in signing errors 2020-04-16 12:23:40 -05:00
smbdirect.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h
smbfsctl.h smb3: Add missing reparse tags 2019-09-24 23:31:32 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb311: Add tracepoints for new compound posix query info 2020-06-12 08:55:18 -05:00
transport.c cifs`: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
winucase.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
xattr.c CIFS: Add support for setting owner info, dos attributes, and create time 2020-01-26 19:24:17 -06:00