[PATCH] cifs: fix smb3-encryption crashes with CONFIG_DEBUG_SG

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



When CONFIG_DEBUG_SG is set, sg_set_buf() will verify that the passed buffer
is a valid virtual address (and not for example a stack address).

This means that we are not allowed to pass buffers allocated from the stack
into sg_set_buf() (when this configuration option is set).

Go through and fix all the places (I could find) where we were passing
a stack address into this function.

Signed-off-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>
---
 fs/cifs/smb2file.c |  19 +++++---
 fs/cifs/smb2ops.c  | 127 +++++++++++++++++++++++++++++++++++++----------------
 fs/cifs/smb2pdu.c  |  74 ++++++++++++++++++++-----------
 3 files changed, 151 insertions(+), 69 deletions(-)

diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index 12af5dba742b..5f9d1171f41d 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -43,7 +43,7 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
 	struct smb2_file_all_info *smb2_data = NULL;
 	__u8 smb2_oplock[17];
 	struct cifs_fid *fid = oparms->fid;
-	struct network_resiliency_req nr_ioctl_req;
+	struct network_resiliency_req *nr_ioctl_req;
 
 	smb2_path = cifs_convert_path_to_utf16(oparms->path, oparms->cifs_sb);
 	if (smb2_path == NULL) {
@@ -69,14 +69,23 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
 		goto out;
 
 
-	 if (oparms->tcon->use_resilient) {
-		nr_ioctl_req.Timeout = 0; /* use server default (120 seconds) */
-		nr_ioctl_req.Reserved = 0;
+	if (oparms->tcon->use_resilient) {
+		nr_ioctl_req = kzalloc(sizeof(struct network_resiliency_req),
+				       GFP_KERNEL);
+		if (!nr_ioctl_req) {
+			cifs_dbg(VFS, "failed to allocate nr_ioctl_req\n");
+			rc = -ENOMEM;
+			goto out;
+		}
+		nr_ioctl_req->Timeout = 0; /* use server default (120 seconds) */
+		nr_ioctl_req->Reserved = 0;
 		rc = SMB2_ioctl(xid, oparms->tcon, fid->persistent_fid,
 			fid->volatile_fid, FSCTL_LMR_REQUEST_RESILIENCY,
 			true /* is_fsctl */,
-			(char *)&nr_ioctl_req, sizeof(nr_ioctl_req),
+			(char *)nr_ioctl_req,
+			sizeof(struct network_resiliency_req),
 			NULL, NULL /* no return info */);
+		kfree(nr_ioctl_req);
 		if (rc == -EOPNOTSUPP) {
 			cifs_dbg(VFS,
 			     "resiliency not supported by server, disabling\n");
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index eb68e2fcc500..b73fc16928c5 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -991,6 +991,7 @@ static bool smb2_set_sparse(const unsigned int xid, struct cifs_tcon *tcon,
 		struct cifsFileInfo *cfile, struct inode *inode, __u8 setsparse)
 {
 	struct cifsInodeInfo *cifsi;
+	__u8 *buf;
 	int rc;
 
 	cifsi = CIFS_I(inode);
@@ -1015,10 +1016,18 @@ static bool smb2_set_sparse(const unsigned int xid, struct cifs_tcon *tcon,
 	if (tcon->broken_sparse_sup)
 		return false;
 
+	buf = kzalloc(1, GFP_KERNEL);
+	if (!buf) {
+		cifs_dbg(VFS, "failed to allocate buf for set_sparse\n");
+		return -ENOMEM;
+	}
+
+	*buf = setsparse;
 	rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
 			cfile->fid.volatile_fid, FSCTL_SET_SPARSE,
 			true /* is_fctl */,
-			&setsparse, 1, NULL, NULL);
+			buf, 1, NULL, NULL);
+	kfree(buf);
 	if (rc) {
 		tcon->broken_sparse_sup = true;
 		cifs_dbg(FYI, "set sparse rc = %d\n", rc);
@@ -1046,12 +1055,9 @@ smb2_set_file_size(const unsigned int xid, struct cifs_tcon *tcon,
 	 */
 	inode = d_inode(cfile->dentry);
 
-	if (!set_alloc && (size > inode->i_size + 8192)) {
-		__u8 set_sparse = 1;
-
-		/* whether set sparse succeeds or not, extend the file */
-		smb2_set_sparse(xid, tcon, cfile, inode, set_sparse);
-	}
+	/* whether set sparse succeeds or not, extend the file */
+	if (!set_alloc && (size > inode->i_size + 8192))
+		smb2_set_sparse(xid, tcon, cfile, inode, 1);
 
 	return SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid,
 			    cfile->fid.volatile_fid, cfile->pid, &eof, false);
@@ -1065,7 +1071,7 @@ smb2_duplicate_extents(const unsigned int xid,
 {
 	int rc;
 	unsigned int ret_data_len;
-	struct duplicate_extents_to_file dup_ext_buf;
+	struct duplicate_extents_to_file *dup_ext_buf;
 	struct cifs_tcon *tcon = tlink_tcon(trgtfile->tlink);
 
 	/* server fileays advertise duplicate extent support with this flag */
@@ -1073,11 +1079,17 @@ smb2_duplicate_extents(const unsigned int xid,
 	     FILE_SUPPORTS_BLOCK_REFCOUNTING) == 0)
 		return -EOPNOTSUPP;
 
-	dup_ext_buf.VolatileFileHandle = srcfile->fid.volatile_fid;
-	dup_ext_buf.PersistentFileHandle = srcfile->fid.persistent_fid;
-	dup_ext_buf.SourceFileOffset = cpu_to_le64(src_off);
-	dup_ext_buf.TargetFileOffset = cpu_to_le64(dest_off);
-	dup_ext_buf.ByteCount = cpu_to_le64(len);
+	dup_ext_buf = kzalloc(sizeof(struct duplicate_extents_to_file),
+			      GFP_KERNEL);
+	if (!dup_ext_buf) {
+		cifs_dbg(VFS, "failed to allocate duplicate_extents_to_file\n");
+		return -ENOMEM;
+	}
+	dup_ext_buf->VolatileFileHandle = srcfile->fid.volatile_fid;
+	dup_ext_buf->PersistentFileHandle = srcfile->fid.persistent_fid;
+	dup_ext_buf->SourceFileOffset = cpu_to_le64(src_off);
+	dup_ext_buf->TargetFileOffset = cpu_to_le64(dest_off);
+	dup_ext_buf->ByteCount = cpu_to_le64(len);
 	cifs_dbg(FYI, "duplicate extents: src off %lld dst off %lld len %lld",
 		src_off, dest_off, len);
 
@@ -1089,7 +1101,7 @@ smb2_duplicate_extents(const unsigned int xid,
 			trgtfile->fid.volatile_fid,
 			FSCTL_DUPLICATE_EXTENTS_TO_FILE,
 			true /* is_fsctl */,
-			(char *)&dup_ext_buf,
+			(char *)dup_ext_buf,
 			sizeof(struct duplicate_extents_to_file),
 			NULL,
 			&ret_data_len);
@@ -1098,6 +1110,7 @@ smb2_duplicate_extents(const unsigned int xid,
 		cifs_dbg(FYI, "non-zero response length in duplicate extents");
 
 duplicate_extents_out:
+	kfree(dup_ext_buf);
 	return rc;
 }
 
@@ -1113,22 +1126,30 @@ static int
 smb3_set_integrity(const unsigned int xid, struct cifs_tcon *tcon,
 		   struct cifsFileInfo *cfile)
 {
-	struct fsctl_set_integrity_information_req integr_info;
+	struct fsctl_set_integrity_information_req *integr_info;
 	unsigned int ret_data_len;
+	int rc;
 
-	integr_info.ChecksumAlgorithm = cpu_to_le16(CHECKSUM_TYPE_UNCHANGED);
-	integr_info.Flags = 0;
-	integr_info.Reserved = 0;
+	integr_info = kzalloc(sizeof(struct fsctl_set_integrity_information_req),
+			      GFP_KERNEL);
+	if (!integr_info) {
+		cifs_dbg(VFS, "failed to allocate integr_info\n");
+		return -ENOMEM;
+	}
+	integr_info->ChecksumAlgorithm = cpu_to_le16(CHECKSUM_TYPE_UNCHANGED);
+	integr_info->Flags = 0;
+	integr_info->Reserved = 0;
 
-	return SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
+	rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
 			cfile->fid.volatile_fid,
 			FSCTL_SET_INTEGRITY_INFORMATION,
 			true /* is_fsctl */,
-			(char *)&integr_info,
+			(char *)integr_info,
 			sizeof(struct fsctl_set_integrity_information_req),
 			NULL,
 			&ret_data_len);
-
+	kfree(integr_info);
+	return rc;
 }
 
 static int
@@ -1682,7 +1703,7 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon,
 	struct inode *inode;
 	struct cifsInodeInfo *cifsi;
 	struct cifsFileInfo *cfile = file->private_data;
-	struct file_zero_data_information fsctl_buf;
+	struct file_zero_data_information *fsctl_buf;
 	long rc;
 	unsigned int xid;
 
@@ -1710,18 +1731,29 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon,
 	 * which for a non sparse file would zero the newly extended range
 	 */
 	if (keep_size == false)
-		if (i_size_read(inode) < offset + len)
-			return -EOPNOTSUPP;
+		if (i_size_read(inode) < offset + len) {
+			rc = -EOPNOTSUPP;
+			goto out;
+		}
 
 	cifs_dbg(FYI, "offset %lld len %lld", offset, len);
 
-	fsctl_buf.FileOffset = cpu_to_le64(offset);
-	fsctl_buf.BeyondFinalZero = cpu_to_le64(offset + len);
+	fsctl_buf = kzalloc(sizeof(struct file_zero_data_information),
+			    GFP_KERNEL);
+	if (!fsctl_buf) {
+		cifs_dbg(VFS, "failed to allocate fsctl_buf\n");
+		rc = -ENOMEM;
+		goto out;
+	}
+	fsctl_buf->FileOffset = cpu_to_le64(offset);
+	fsctl_buf->BeyondFinalZero = cpu_to_le64(offset + len);
 
 	rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
 			cfile->fid.volatile_fid, FSCTL_SET_ZERO_DATA,
-			true /* is_fctl */, (char *)&fsctl_buf,
+			true /* is_fctl */, (char *)fsctl_buf,
 			sizeof(struct file_zero_data_information), NULL, NULL);
+	kfree(fsctl_buf);
+out:
 	free_xid(xid);
 	return rc;
 }
@@ -1732,10 +1764,9 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
 	struct inode *inode;
 	struct cifsInodeInfo *cifsi;
 	struct cifsFileInfo *cfile = file->private_data;
-	struct file_zero_data_information fsctl_buf;
+	struct file_zero_data_information *fsctl_buf;
 	long rc;
 	unsigned int xid;
-	__u8 set_sparse = 1;
 
 	xid = get_xid();
 
@@ -1744,18 +1775,28 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
 
 	/* Need to make file sparse, if not already, before freeing range. */
 	/* Consider adding equivalent for compressed since it could also work */
-	if (!smb2_set_sparse(xid, tcon, cfile, inode, set_sparse))
-		return -EOPNOTSUPP;
-
+	if (!smb2_set_sparse(xid, tcon, cfile, inode, 1)) {
+		rc = -EOPNOTSUPP;
+		goto out;
+	}
 	cifs_dbg(FYI, "offset %lld len %lld", offset, len);
 
-	fsctl_buf.FileOffset = cpu_to_le64(offset);
-	fsctl_buf.BeyondFinalZero = cpu_to_le64(offset + len);
+	fsctl_buf = kzalloc(sizeof(struct file_zero_data_information),
+			    GFP_KERNEL);
+	if (!fsctl_buf) {
+		cifs_dbg(VFS, "failed to allocate fsctl_buf\n");
+		rc -ENOMEM;
+		goto out;
+	}
+	fsctl_buf->FileOffset = cpu_to_le64(offset);
+	fsctl_buf->BeyondFinalZero = cpu_to_le64(offset + len);
 
 	rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
 			cfile->fid.volatile_fid, FSCTL_SET_ZERO_DATA,
-			true /* is_fctl */, (char *)&fsctl_buf,
+			true /* is_fctl */, (char *)fsctl_buf,
 			sizeof(struct file_zero_data_information), NULL, NULL);
+	kfree(fsctl_buf);
+out:
 	free_xid(xid);
 	return rc;
 }
@@ -1808,7 +1849,7 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
 		if ((off > 8192) || (off + len + 8192 < i_size_read(inode)))
 			return -EOPNOTSUPP;
 
-		rc = smb2_set_sparse(xid, tcon, cfile, inode, false);
+		rc = smb2_set_sparse(xid, tcon, cfile, inode, 0);
 	}
 	/* BB: else ... in future add code to extend file and set sparse */
 
@@ -2128,7 +2169,7 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 	unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
 	int rc = 0;
 	struct scatterlist *sg;
-	u8 sign[SMB2_SIGNATURE_SIZE] = {};
+	u8 *sign;
 	u8 key[SMB3_SIGN_KEY_SIZE];
 	struct aead_request *req;
 	char *iv;
@@ -2143,7 +2184,6 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 			 enc ? "en" : "de");
 		return 0;
 	}
-
 	rc = smb3_crypto_aead_allocate(server);
 	if (rc) {
 		cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
@@ -2170,6 +2210,13 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 		return -ENOMEM;
 	}
 
+	sign = kzalloc(SMB2_SIGNATURE_SIZE, GFP_KERNEL);
+	if (!sign) {
+		cifs_dbg(VFS, "%s: Failed to kzalloc sign", __func__);
+		rc = -ENOMEM;
+		goto free_req;
+	}
+
 	if (!enc) {
 		memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE);
 		crypt_len += SMB2_SIGNATURE_SIZE;
@@ -2179,7 +2226,7 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 	if (!sg) {
 		cifs_dbg(VFS, "%s: Failed to init sg", __func__);
 		rc = -ENOMEM;
-		goto free_req;
+		goto free_sign;
 	}
 
 	iv_len = crypto_aead_ivsize(tfm);
@@ -2207,6 +2254,8 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 	kfree(iv);
 free_sg:
 	kfree(sg);
+free_sign:
+	kfree(sign);
 free_req:
 	kfree(req);
 	return rc;
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 63778ac22fd9..eca036faa755 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -609,7 +609,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
 int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 {
 	int rc = 0;
-	struct validate_negotiate_info_req vneg_inbuf;
+	struct validate_negotiate_info_req *vneg_inbuf;
 	struct validate_negotiate_info_rsp *pneg_rsp = NULL;
 	u32 rsplen;
 	u32 inbuflen; /* max of 4 dialects */
@@ -639,50 +639,57 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 	if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
 		cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
 
-	vneg_inbuf.Capabilities =
+	vneg_inbuf = kzalloc(sizeof(struct validate_negotiate_info_req),
+			     GFP_KERNEL);
+	if (!vneg_inbuf) {
+		cifs_dbg(VFS, "failed to allocate vneg_inbuf\n");
+		return -ENOMEM;
+	}
+
+	vneg_inbuf->Capabilities =
 			cpu_to_le32(tcon->ses->server->vals->req_capabilities);
-	memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
+	memcpy(vneg_inbuf->Guid, tcon->ses->server->client_guid,
 					SMB2_CLIENT_GUID_SIZE);
 
 	if (tcon->ses->sign)
-		vneg_inbuf.SecurityMode =
+		vneg_inbuf->SecurityMode =
 			cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
 	else if (global_secflags & CIFSSEC_MAY_SIGN)
-		vneg_inbuf.SecurityMode =
+		vneg_inbuf->SecurityMode =
 			cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
 	else
-		vneg_inbuf.SecurityMode = 0;
+		vneg_inbuf->SecurityMode = 0;
 
 
 	if (strcmp(tcon->ses->server->vals->version_string,
 		SMB3ANY_VERSION_STRING) == 0) {
-		vneg_inbuf.Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
-		vneg_inbuf.Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
-		vneg_inbuf.DialectCount = cpu_to_le16(2);
+		vneg_inbuf->Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
+		vneg_inbuf->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
+		vneg_inbuf->DialectCount = cpu_to_le16(2);
 		/* structure is big enough for 3 dialects, sending only 2 */
 		inbuflen = sizeof(struct validate_negotiate_info_req) - 2;
 	} else if (strcmp(tcon->ses->server->vals->version_string,
 		SMBDEFAULT_VERSION_STRING) == 0) {
-		vneg_inbuf.Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
-		vneg_inbuf.Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
-		vneg_inbuf.Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
-		vneg_inbuf.DialectCount = cpu_to_le16(3);
+		vneg_inbuf->Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
+		vneg_inbuf->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
+		vneg_inbuf->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
+		vneg_inbuf->DialectCount = cpu_to_le16(3);
 		/* structure is big enough for 3 dialects */
 		inbuflen = sizeof(struct validate_negotiate_info_req);
 	} else {
 		/* otherwise specific dialect was requested */
-		vneg_inbuf.Dialects[0] =
+		vneg_inbuf->Dialects[0] =
 			cpu_to_le16(tcon->ses->server->vals->protocol_id);
-		vneg_inbuf.DialectCount = cpu_to_le16(1);
+		vneg_inbuf->DialectCount = cpu_to_le16(1);
 		/* structure is big enough for 3 dialects, sending only 1 */
 		inbuflen = sizeof(struct validate_negotiate_info_req) - 4;
 	}
 
 	rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
 		FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
-		(char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
+		(char *)vneg_inbuf, sizeof(struct validate_negotiate_info_req),
 		(char **)&pneg_rsp, &rsplen);
-
+	kfree(vneg_inbuf);
 	if (rc != 0) {
 		cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
 		return -EIO;
@@ -1997,16 +2004,24 @@ SMB2_set_compression(const unsigned int xid, struct cifs_tcon *tcon,
 		     u64 persistent_fid, u64 volatile_fid)
 {
 	int rc;
-	struct  compress_ioctl fsctl_input;
+	struct  compress_ioctl *fsctl_input;
 	char *ret_data = NULL;
 
-	fsctl_input.CompressionState =
+	fsctl_input = kzalloc(sizeof(struct  compress_ioctl),
+			     GFP_KERNEL);
+	if (!fsctl_input) {
+		cifs_dbg(VFS, "failed to allocate fsctl_input\n");
+		return -ENOMEM;
+	}
+
+	fsctl_input->CompressionState =
 			cpu_to_le16(COMPRESSION_FORMAT_DEFAULT);
 
 	rc = SMB2_ioctl(xid, tcon, persistent_fid, volatile_fid,
 			FSCTL_SET_COMPRESSION, true /* is_fsctl */,
 			(char *)&fsctl_input /* data input */,
 			2 /* in data len */, &ret_data /* out data */, NULL);
+	kfree(fsctl_input);
 
 	cifs_dbg(FYI, "set compression rc %d\n", rc);
 
@@ -3613,15 +3628,24 @@ SMB2_lock(const unsigned int xid, struct cifs_tcon *tcon,
 	  const __u64 length, const __u64 offset, const __u32 lock_flags,
 	  const bool wait)
 {
-	struct smb2_lock_element lock;
+	struct smb2_lock_element *lock;
+	int rc;
 
-	lock.Offset = cpu_to_le64(offset);
-	lock.Length = cpu_to_le64(length);
-	lock.Flags = cpu_to_le32(lock_flags);
+	lock = kzalloc(sizeof(struct smb2_lock_element), GFP_KERNEL);
+	if (!lock) {
+		cifs_dbg(VFS, "failed to allocate smb2_lock_element\n");
+		return -ENOMEM;
+	}
+	lock->Offset = cpu_to_le64(offset);
+	lock->Length = cpu_to_le64(length);
+	lock->Flags = cpu_to_le32(lock_flags);
 	if (!wait && lock_flags != SMB2_LOCKFLAG_UNLOCK)
-		lock.Flags |= cpu_to_le32(SMB2_LOCKFLAG_FAIL_IMMEDIATELY);
+		lock->Flags |= cpu_to_le32(SMB2_LOCKFLAG_FAIL_IMMEDIATELY);
+
+	rc = smb2_lockv(xid, tcon, persist_fid, volatile_fid, pid, 1, lock);
+	kfree(lock);
 
-	return smb2_lockv(xid, tcon, persist_fid, volatile_fid, pid, 1, &lock);
+	return rc;
 }
 
 int
-- 
2.13.3

--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux