korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-12 05:48:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
f46ecbd97f
linux/fs/cifs
History
Stefano Brivio f46ecbd97f cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting 
A "small" CIFS buffer is not big enough in general to hold a
setacl request for SMB2, and we end up overflowing the buffer in
send_set_info(). For instance:

 # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
 # touch /mnt/test/acltest
 # getcifsacl /mnt/test/acltest
 REVISION:0x1
 CONTROL:0x9004
 OWNER:S-1-5-21-2926364953-924364008-418108241-1000
 GROUP:S-1-22-2-1001
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-1-0:ALLOWED/0x0/R
 # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest

this setacl will cause the following KASAN splat:

[  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
[  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012

[  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
[  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  330.784395] Call Trace:
[  330.784789]  dump_stack+0xc2/0x16b
[  330.786777]  print_address_description+0x6a/0x270
[  330.787520]  kasan_report+0x258/0x380
[  330.788845]  memcpy+0x34/0x50
[  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
[  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.840367]  __vfs_setxattr+0x84/0xb0
[  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
[  330.843848]  vfs_setxattr+0xc2/0xd0
[  330.845519]  setxattr+0x258/0x320
[  330.859211]  path_setxattr+0x15b/0x1b0
[  330.864392]  __x64_sys_setxattr+0xc0/0x160
[  330.866133]  do_syscall_64+0x14e/0x4b0
[  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  330.878503] RIP: 0033:0x7ff2e507db0a
[  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
[  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
[  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
[  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
[  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
[  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
[  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550

[  330.901057] Allocated by task 1012:
[  330.902888]  kasan_kmalloc+0xa0/0xd0
[  330.904714]  kmem_cache_alloc+0xc8/0x1d0
[  330.906615]  mempool_alloc+0x11e/0x380
[  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
[  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
[  330.912551]  send_set_info+0x198/0xc20 [cifs]
[  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.920426]  __vfs_setxattr+0x84/0xb0
[  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
[  330.924213]  vfs_setxattr+0xc2/0xd0
[  330.926008]  setxattr+0x258/0x320
[  330.927762]  path_setxattr+0x15b/0x1b0
[  330.929592]  __x64_sys_setxattr+0xc0/0x160
[  330.931459]  do_syscall_64+0x14e/0x4b0
[  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  330.936843] Freed by task 0:
[  330.938588] (stack is not available)

[  330.941886] The buggy address belongs to the object at ffff88010d5e2800
 which belongs to the cache cifs_small_rq of size 448
[  330.946362] The buggy address is located 96 bytes inside of
 448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
[  330.950722] The buggy address belongs to the page:
[  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
[  330.955665] flags: 0x17ffffc0008100(slab|head)
[  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
[  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  330.963005] page dumped because: kasan: bad access detected

[  330.967039] Memory state around the buggy address:
[  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  330.976956]                                            ^
[  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.984225] ==================================================================

Fix this by allocating a regular CIFS buffer in
smb2_plain_req_init() if the request command is SMB2_SET_INFO.

Reported-by: Jianhong Yin <jiyin@redhat.com>
Fixes: 366ed846df ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-and-tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:25 -05:00
..
asn1.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cache.c vfs: change inode times to use struct timespec64 2018-06-05 16:57:31 -07:00
cifs_debug.c smb3: do not display empty interface list 2018-06-15 02:38:08 -05:00
cifs_debug.h cifs: add server argument to the dump_detail method 2018-05-27 17:56:35 -05:00
cifs_dfs_ref.c CIFS: add build_path_from_dentry_optional_prefix() 2017-03-01 22:26:10 -06:00
cifs_fs_sb.h smb3: fix redundant opens on root 2018-05-27 17:56:35 -05:00
cifs_ioctl.h Enable previous version support 2016-10-13 19:48:11 -05:00
cifs_spnego.c cifs: Create dedicated keyring for spnego operations 2016-05-19 21:56:30 -05:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h cifs: correction of unicode header files 2010-08-20 00:46:42 +00:00
cifsacl.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cifsacl.h cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-04 19:19:24 -05:00
cifsencrypt.c cifs: Fix invalid check in __cifs_calc_signature() 2018-06-15 19:17:40 -05:00
cifsfs.c smb3: do not allow insecure cifs mounts when using smb3 2018-06-07 08:36:39 -05:00
cifsfs.h cifs: update internal module version number for cifs.ko to 2.12 2018-05-27 17:56:35 -05:00
cifsglob.h cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
cifspdu.h CIFS: move DFS response parsing out of SMB1 code 2017-03-01 22:26:10 -06:00
cifsproto.h cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
cifssmb.c cifs: add lease tracking to the cached root fid 2018-06-15 02:38:07 -05:00
connect.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
dir.c some smb3 fixes for stable, as well as addition of ftrace hooks for cifs.ko, and improvements in compounding and smbdirect (RDMA) 2018-06-04 14:42:46 -07:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
fscache.c vfs: change inode times to use struct timespec64 2018-06-05 16:57:31 -07:00
fscache.h fscache: Attach the index key and aux data to the cookie 2018-04-04 13:41:28 +01:00
inode.c smb3: Fix mode on mkdir on smb311 mounts 2018-06-15 02:38:08 -05:00
ioctl.c [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
Kconfig IB: remove redundant INFINIBAND kconfig dependencies 2018-05-09 08:51:03 -04:00
link.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
Makefile smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
misc.c CIFS: add iface info to struct cifs_ses 2018-06-15 02:38:08 -05:00
netmisc.c cifs: update calc_size to take a server argument 2018-05-27 17:56:35 -05:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: update calc_size to take a server argument 2018-05-27 17:56:35 -05:00
rfc1002pdu.h
sess.c smb2: Enforce sec= mount option 2017-03-02 23:13:37 -06:00
smb1ops.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
smb2file.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
smb2glob.h cifs: remove struct smb2_hdr 2018-06-01 09:14:30 -05:00
smb2inode.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
smb2maperror.c cifs: remove struct smb2_hdr 2018-06-01 09:14:30 -05:00
smb2misc.c smb3: fix corrupt path in subdirs on smb311 with posix 2018-06-15 02:38:08 -05:00
smb2ops.c cifs: Fix memory leak in smb2_set_ea() 2018-07-05 13:48:24 -05:00
smb2pdu.c cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting 2018-07-05 13:48:25 -05:00
smb2pdu.h CIFS: complete PDU definitions for interface queries 2018-06-15 02:38:08 -05:00
smb2proto.h cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c cifs: Fix validation of signed data in smb2 2018-07-05 13:48:24 -05:00
smbdirect.c cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
smbdirect.h cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-01 20:24:39 -05:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
trace.c smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
trace.h smb3: Fix mode on mkdir on smb311 mounts 2018-06-15 02:38:08 -05:00
transport.c cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00