linux/fs/ksmbd
Namjae Jeon df3a4518ae ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop
[ Upstream commit 368ba06881 ]

The length field of the netbios header must be greater than the SMB header
sizes (smb1 or smb2 header), otherwise the packet is an invalid SMB packet.

If `pdu_size` is 0, ksmbd allocates a 4-byte chunk to `conn->request_buf`.
In the function `get_smb2_cmd_val` ksmbd will read cmd from
`rcv_hdr->Command`, which is `conn->request_buf + 12`, causing the KASAN
detector to print the following error message:

[    7.205018] BUG: KASAN: slab-out-of-bounds in get_smb2_cmd_val+0x45/0x60
[    7.205423] Read of size 2 at addr ffff8880062d8b50 by task ksmbd:42632/248
...
[    7.207125]  <TASK>
[    7.209191]  get_smb2_cmd_val+0x45/0x60
[    7.209426]  ksmbd_conn_enqueue_request+0x3a/0x100
[    7.209712]  ksmbd_server_process_request+0x72/0x160
[    7.210295]  ksmbd_conn_handler_loop+0x30c/0x550
[    7.212280]  kthread+0x160/0x190
[    7.212762]  ret_from_fork+0x1f/0x30
[    7.212981]  </TASK>

Cc: stable@vger.kernel.org
Reported-by: Chih-Yen Chang <cc85nod@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-12-23 10:41:56 +01:00
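As an added illustration (not ksmbd's own code and not part of the commit above), the validation the commit describes written as a stand-alone C check over the 4-byte NetBIOS session header, alongside a Command-field read that refuses a PDU too short to hold an SMB2 header; the constants, helper names and the constructed sample headers are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for this example (not ksmbd's own macros): the 4-byte
 * NetBIOS session header, the 32-byte SMB1 header, the 64-byte SMB2 header
 * and the Command field at offset 12 of the SMB2 header, which is the
 * `conn->request_buf + 12` read named in the commit message. */
#define NETBIOS_HDR_LEN 4
#define SMB1_HDR_LEN    32
#define SMB2_HDR_LEN    64
#define SMB2_CMD_OFFSET 12
#define NETBIOS_MAX_LEN 0x00FFFFFF  /* 24-bit length field */

/* NetBIOS session header: byte 0 is the message type, bytes 1..3 carry the
 * big-endian length of the SMB PDU that follows (this is pdu_size). */
static uint32_t get_rfc1002_len(const uint8_t hdr[NETBIOS_HDR_LEN])
{
    return ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* The check the commit adds, as a predicate: a PDU that cannot hold even
 * the smallest SMB header is rejected before any buffer is allocated. */
static bool pdu_size_is_valid(uint32_t pdu_size)
{
    return pdu_size >= SMB1_HDR_LEN && pdu_size <= NETBIOS_MAX_LEN;
}

/* Reads the little-endian SMB2 Command field only when the PDU is long
 * enough to contain a full SMB2 header; returns -1 otherwise instead of
 * reading past the end of the buffer (the KASAN slab-out-of-bounds). */
static int smb2_cmd_val(const uint8_t *pdu, uint32_t pdu_size)
{
    if (pdu_size < SMB2_HDR_LEN)
        return -1;
    return pdu[SMB2_CMD_OFFSET] | (pdu[SMB2_CMD_OFFSET + 1] << 8);
}

/* Constructed sample headers: one advertising a 0-byte PDU (the crashing
 * case from the commit message) and one advertising a 64-byte SMB2 PDU. */
static const uint8_t ZERO_LEN_HDR[NETBIOS_HDR_LEN] = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SMB2_LEN_HDR[NETBIOS_HDR_LEN] = { 0x00, 0x00, 0x00, 0x40 };

/* Builds a constructed 64-byte SMB2 header with Command = 5 (SMB2 CREATE)
 * and reads it back with the given pdu_size; -1 means the read was refused. */
static int sample_cmd(uint32_t pdu_size)
{
    uint8_t pdu[SMB2_HDR_LEN] = { 0 };
    memcpy(pdu, "\xfeSMB", 4);      /* SMB2 ProtocolId */
    pdu[SMB2_CMD_OFFSET] = 0x05;
    return smb2_cmd_val(pdu, pdu_size);
}
```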
mgmt ksmbd: fix racy issue under cocurrent smb2 tree disconnect 2023-12-23 10:41:55 +01:00
asn1.c ksmbd: Remove duplicated codes 2023-12-23 10:41:54 +01:00
asn1.h
auth.c ksmbd: fix wrong signingkey creation when encryption is AES256 2023-12-23 10:41:54 +01:00
auth.h ksmbd: fix encryption failure issue for session logoff response 2023-12-23 10:41:53 +01:00
connection.c ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop 2023-12-23 10:41:56 +01:00
connection.h ksmbd: fix racy issue from smb2 close and logoff with multichannel 2023-12-23 10:41:55 +01:00
crypto_ctx.c ksmbd: remove NTLMv1 authentication 2021-09-29 16:17:34 -05:00
crypto_ctx.h ksmbd: remove NTLMv1 authentication 2021-09-29 16:17:34 -05:00
glob.h ksmbd: fix version mismatch with out of tree 2021-10-07 10:18:34 -05:00
Kconfig ksmbd: update Kconfig to note Kerberos support and fix indentation 2023-12-23 10:41:54 +01:00
ksmbd_netlink.h ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share 2023-12-23 10:41:53 +01:00
ksmbd_spnego_negtokeninit.asn1
ksmbd_spnego_negtokentarg.asn1
ksmbd_work.c ksmbd: Remove redundant 'flush_workqueue()' calls 2023-12-23 10:41:49 +01:00
ksmbd_work.h ksmbd: delete asynchronous work from list 2023-12-23 10:41:54 +01:00
Makefile
misc.c ksmbd: validate share name from share config response 2023-12-23 10:41:53 +01:00
misc.h ksmbd: validate share name from share config response 2023-12-23 10:41:53 +01:00
ndr.c ksmbd: downgrade ndr version error message to debug 2023-02-01 08:27:24 +01:00
ndr.h ksmbd: add user namespace support 2021-07-02 16:27:10 +09:00
nterr.h
ntlmssp.h
oplock.c ksmbd: fix out-of-bound read in parse_lease_state() 2023-12-23 10:41:56 +01:00
oplock.h ksmbd: remove filename in ksmbd_file 2023-12-23 10:41:51 +01:00
server.c ksmbd: fix racy issue from session setup and logoff 2023-12-23 10:41:55 +01:00
server.h ksmbd: add max connections parameter 2023-02-01 08:27:24 +01:00
smb2misc.c ksmbd: validate command request size 2023-08-16 18:21:57 +02:00
smb2ops.c ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share 2023-12-23 10:41:53 +01:00
smb2pdu.c ksmbd: fix out-of-bound read in deassemble_neg_contexts() 2023-12-23 10:41:56 +01:00
smb2pdu.h ksmbd: destroy expired sessions 2023-12-23 10:41:55 +01:00
smb_common.c ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr 2023-12-23 10:41:54 +01:00
smb_common.h ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr 2023-12-23 10:41:54 +01:00
smbacl.c ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() 2023-12-23 10:41:56 +01:00
smbacl.h ksmbd: constify struct path 2023-12-23 10:41:52 +01:00
smbfsctl.h
smbstatus.h
transport_ipc.c ksmbd: add max connections parameter 2023-02-01 08:27:24 +01:00
transport_ipc.h ksmbd: throttle session setup failures to avoid dictionary attacks 2021-10-20 00:07:10 -05:00
transport_rdma.c ksmbd: call ib_drain_qp when disconnected 2023-12-23 10:41:53 +01:00
transport_rdma.h ksmbd: fix wrong smbd max read/write size check 2023-12-23 10:41:51 +01:00
transport_tcp.c ksmbd: fix racy issue from session setup and logoff 2023-12-23 10:41:55 +01:00
transport_tcp.h
unicode.c ksmbd: remove unused is_char_allowed function 2023-12-23 10:41:54 +01:00
unicode.h ksmbd: casefold utf-8 share names and fix ascii lowercase conversion 2023-12-23 10:41:52 +01:00
uniupr.h
vfs_cache.c ksmbd: fix racy issue from using ->d_parent and ->d_name 2023-12-23 10:41:55 +01:00
vfs_cache.h ksmbd: remove filename in ksmbd_file 2023-12-23 10:41:51 +01:00
vfs.c ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() 2023-12-23 10:41:56 +01:00
vfs.h ksmbd: fix racy issue from using ->d_parent and ->d_name 2023-12-23 10:41:55 +01:00
xattr.h ksmbd: reorder and document on-disk and netlink structures in headers 2021-06-30 14:47:24 +09:00