linux/fs/cifs
Justin Maggard deb7deff2f cifs: fix out-of-bounds access in lease parsing
When opening a file, SMB2_open() attempts to parse the lease state from the
SMB2 CREATE Response.  However, the parsing code was not careful to ensure
that the create contexts are not empty or invalid, which can lead to
out-of-bounds memory access.  This can be seen easily by trying
to read a file from an OSX 10.11 SMB3 server.  Here is sample crash output:

BUG: unable to handle kernel paging request at ffff8800a1a77cc6
IP: [<ffffffff8828a734>] SMB2_open+0x804/0x960
PGD 8f77067 PUD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
RIP: 0010:[<ffffffff8828a734>]  [<ffffffff8828a734>] SMB2_open+0x804/0x960
RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
Stack:
 ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
 ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
 ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
Call Trace:
 [<ffffffff88278789>] ? cifsConvertToUTF16+0x159/0x2d0
 [<ffffffff8828cf68>] smb2_open_file+0x98/0x210
 [<ffffffff8811e80c>] ? __kmalloc+0x1c/0xe0
 [<ffffffff882685f4>] cifs_open+0x2a4/0x720
 [<ffffffff88122cef>] do_dentry_open+0x1ff/0x310
 [<ffffffff88268350>] ? cifsFileInfo_get+0x30/0x30
 [<ffffffff88123d92>] vfs_open+0x52/0x60
 [<ffffffff88131dd0>] path_openat+0x170/0xf70
 [<ffffffff88097d48>] ? remove_wait_queue+0x48/0x50
 [<ffffffff88133a29>] do_filp_open+0x79/0xd0
 [<ffffffff8813f2ca>] ? __alloc_fd+0x3a/0x170
 [<ffffffff881240c4>] do_sys_open+0x114/0x1e0
 [<ffffffff881241a9>] SyS_open+0x19/0x20
 [<ffffffff8896e257>] entry_SYSCALL_64_fastpath+0x12/0x6a
Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
RIP  [<ffffffff8828a734>] SMB2_open+0x804/0x960
 RSP <ffff88005b31fa08>
CR2: ffff8800a1a77cc6
---[ end trace d9f69ba64feee469 ]---

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Steve French <smfrench@gmail.com>
CC: Stable <stable@vger.kernel.org>
2016-02-29 00:21:31 -06:00
asn1.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cache.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_debug.c cifs: Ratelimit kernel log messages 2016-01-14 13:39:02 -06:00
cifs_debug.h cifs: Ratelimit kernel log messages 2016-01-14 13:39:02 -06:00
cifs_dfs_ref.c cifs: fix potential overflow in cifs_compose_mount_options 2016-02-10 18:04:56 -06:00
cifs_fs_sb.h Allow conversion of characters in Mac remap range. Part 1 2014-10-16 15:20:20 -05:00
cifs_ioctl.h Add way to query server fs info for smb3 2015-08-20 10:19:25 -05:00
cifs_spnego.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
cifs_spnego.h
cifs_unicode.c Fix to convert SURROGATE PAIR 2015-05-20 13:12:51 -05:00
cifs_unicode.h Remap reserved posix characters by default (part 3/3) 2014-10-16 15:20:20 -05:00
cifs_uniupr.h
cifsacl.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
cifsacl.h cifs: fix SID binary to string conversion 2012-12-11 11:48:49 -06:00
cifsencrypt.c cifs: fix erroneous return value 2016-02-10 18:23:31 -06:00
cifsfs.c Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 2016-01-24 12:31:12 -08:00
cifsfs.h Merge branch 'work.copy_file_range' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-12 16:30:34 -08:00
cifsglob.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
cifspdu.h Add way to query server fs info for smb3 2015-08-20 10:19:25 -05:00
cifsproto.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
cifssmb.c cifs: Fix use-after-free on mid_q_entry 2015-08-20 10:19:25 -05:00
connect.c cifs: remove redundant check for null string pointer 2016-02-10 18:04:53 -06:00
dir.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
fscache.c NFS client updates for Linux 3.13 2013-11-08 05:57:46 +09:00
fscache.h CIFS: FS-Cache: Uncache unread pages in cifs_readpages() before freeing them 2013-09-18 10:17:03 -05:00
inode.c cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary 2016-01-14 13:39:11 -06:00
ioctl.c vfs: pull btrfs clone API to vfs layer 2015-12-07 23:11:33 -05:00
Kconfig Allow parsing vers=3.11 on cifs mount 2015-06-27 20:23:32 -07:00
link.c switch ->get_link() to delayed_call, kill ->put_link() 2015-12-30 13:01:03 -05:00
Makefile cifs: add new case-insensitive conversion routines that are based on wchar_t's 2013-09-08 14:38:05 -05:00
misc.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
netmisc.c Fix signed/unsigned pointer warning 2014-12-14 14:55:57 -06:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h CIFS: Add session setup/logoff capability for SMB2 2012-07-24 21:54:57 +04:00
readdir.c cifs_dbg() outputs an uninitialized buffer in cifs_readdir() 2016-01-14 14:45:49 -06:00
rfc1002pdu.h
sess.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
smb1ops.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
smb2file.c Add resilienthandles mount parm 2015-11-03 10:10:36 -06:00
smb2glob.h CIFS: Fix too big maxBuf size for SMB3 mounts 2014-02-14 16:50:47 -06:00
smb2inode.c CIFS: Fix wrong filename length for SMB2 2014-08-25 16:45:17 -05:00
smb2maperror.c Fix problem recognizing symlinks 2014-10-02 14:10:04 -05:00
smb2misc.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2ops.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2pdu.c cifs: fix out-of-bounds access in lease parsing 2016-02-29 00:21:31 -06:00
smb2pdu.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2proto.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smbencrypt.c cifs: use memzero_explicit to clear stack buffer 2015-01-19 15:32:13 -06:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
transport.c cifs: fix race between call_async() and reconnect() 2016-01-14 14:35:58 -06:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c posix acls: Remove duplicate xattr name definitions 2015-12-06 21:25:17 -05:00