Hi Hyunchul, patch looks excellent, few more nitpicks below. Am 22.09.21 um 03:26 schrieb Hyunchul Lee:
Add buffer validation for SMB2_CREATE_CONTEXT.
Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
Cc: Ralph Boehme <slow@xxxxxxxxx>
Cc: Steve French <smfrench@xxxxxxxxx>
Signed-off-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
---
Changes from v2:
- check struct create_context's fields more in smb2_find_context_vals
(suggested by Ralph Boehme).
fs/ksmbd/oplock.c | 34 ++++++++++++++++++++++++----------
fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++-
fs/ksmbd/smbacl.c | 9 ++++++++-
3 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 16b6236d1bd2..8f743913b1cf 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1451,26 +1451,40 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
*/
struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
{
- char *data_offset;
+ struct smb2_create_req *req = (struct smb2_create_req *)open_req;
struct create_context *cc;
- unsigned int next = 0;
+ char *data_offset, *data_end;
char *name;
- struct smb2_create_req *req = (struct smb2_create_req *)open_req;
this line is only moved, not changed. Can we remove this change from the diff?
+ unsigned int next = 0; + unsigned int name_off, name_len, value_off, value_len;data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);+ data_end = data_offset + le32_to_cpu(req->CreateContextsLength);
do we need overflow checks here? At least on 32-bit arch this could easily overflow.
cc = (struct create_context *)data_offset; do { - int val; - cc = (struct create_context *)((char *)cc + next); - name = le16_to_cpu(cc->NameOffset) + (char *)cc; - val = le16_to_cpu(cc->NameLength); - if (val < 4) + if ((char *)cc + offsetof(struct create_context, Buffer) > + data_end) return ERR_PTR(-EINVAL);- if (memcmp(name, tag, val) == 0)- return cc; next = le32_to_cpu(cc->Next); + name_off = le16_to_cpu(cc->NameOffset); + name_len = le16_to_cpu(cc->NameLength); + value_off = le16_to_cpu(cc->DataOffset); + value_len = le32_to_cpu(cc->DataLength);
same here: possible overflow checks needed?
+ + if ((next & 0x7) != 0 || + name_off != 16 || + name_len < 4 || + (char *)cc + name_off + name_len > data_end || + (value_off & 0x7) != 0 || + (value_off && value_off < name_off + name_len) ||
I guess this must be (value_off && (value_off < name_off + name_len)) ||
+ (char *)cc + value_off + value_len > data_end) + return ERR_PTR(-EINVAL); + + name = (char *)cc + name_off; + if (memcmp(name, tag, name_len) == 0) + return cc; } while (next != 0);return NULL;diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index c86164dc70bb..976490bfd93c 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2377,6 +2377,10 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work, ksmbd_debug(SMB, "Set ACLs using SMB2_CREATE_SD_BUFFER context\n"); sd_buf = (struct create_sd_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_sd_buf_req)) + return -EINVAL; return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd, le32_to_cpu(sd_buf->ccontext.DataLength), true); } @@ -2577,6 +2581,12 @@ int smb2_open(struct ksmbd_work *work) goto err_out1; } else if (context) { ea_buf = (struct create_ea_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_ea_buf_req)) { + rc = -EINVAL; + goto err_out1; + } if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) { rsp->hdr.Status = STATUS_ACCESS_DENIED; rc = -EACCES; @@ -2615,6 +2625,12 @@ int smb2_open(struct ksmbd_work *work) } else if (context) { struct create_posix *posix = (struct create_posix *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix)) { + rc = -EINVAL; + goto err_out1; + } ksmbd_debug(SMB, "get posix context\n");posix_mode = le32_to_cpu(posix->Mode);@@ -3019,9 +3035,16 @@ int smb2_open(struct ksmbd_work *work) rc = PTR_ERR(az_req); goto err_out; } else if (az_req) { - loff_t alloc_size = le64_to_cpu(az_req->AllocationSize); + loff_t alloc_size; int err;+ if (le16_to_cpu(az_req->ccontext.DataOffset) ++ le32_to_cpu(az_req->ccontext.DataLength) < + sizeof(struct create_alloc_size_req)) { + rc = -EINVAL; + goto err_out; + } + alloc_size = le64_to_cpu(az_req->AllocationSize); ksmbd_debug(SMB, "request smb2 create allocate size : %llu\n", alloc_size); diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c index 0a95cdec8c80..f67567e1e178 100644 --- a/fs/ksmbd/smbacl.c +++ b/fs/ksmbd/smbacl.c @@ -392,7 +392,7 @@ static void parse_dacl(struct user_namespace *user_ns, return;/* validate that we do not go past end of acl */- if (end_of_acl <= (char *)pdacl || + if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { pr_err("ACL too small to parse DACL\n"); return; @@ -434,6 +434,10 @@ static void parse_dacl(struct user_namespace *user_ns, ppace[i] = (struct smb_ace *)(acl_base + acl_size); acl_base = (char *)ppace[i]; acl_size = le16_to_cpu(ppace[i]->size);
overflow check needed?
+ + if (acl_base + acl_size > end_of_acl) + break; + ppace[i]->access_req = smb_map_generic_desired_access(ppace[i]->access_req);@@ -807,6 +811,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,if (!pntsd) return -EIO;+ if (acl_len < sizeof(struct smb_ntsd))+ return -EINVAL; + owner_sid_ptr = (struct smb_sid *)((char *)pntsd + le32_to_cpu(pntsd->osidoffset)); group_sid_ptr = (struct smb_sid *)((char *)pntsd +
Thanks! -slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
