Re: [PATCH] cifs: Fix OOB read in parse_server_interfaces()

[Tom Talpey <tom@xxxxxxxxxx>]

So, this only happens when the mount is over RDMA?

Nov 17, 2022 9:45:35 AM Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>:

> There is a OOB read in parse_server_interfaces when mount.cifs with rdma:
> 
>   BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80
>   Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402
> 
>   CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x34/0x44
>    print_report+0x171/0x472
>    kasan_report+0xad/0x130
>    kasan_check_range+0x145/0x1a0
>    parse_server_interfaces+0x9ca/0xb80
>    SMB3_request_interfaces+0x174/0x1e0
>    smb3_qfs_tcon+0x150/0x2a0
>    mount_get_conns+0x218/0x750
>    cifs_mount+0x103/0xd00
>    cifs_smb3_do_mount+0x1dd/0xcb0
>    smb3_get_tree+0x1d5/0x300
>    vfs_get_tree+0x41/0xf0
>    path_mount+0x9b3/0xdd0
>    __x64_sys_mount+0x190/0x1d0
>    do_syscall_64+0x35/0x80
>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
>   Allocated by task 1402:
>    kasan_save_stack+0x1e/0x40
>    kasan_set_track+0x21/0x30
>    __kasan_kmalloc+0x7a/0x90
>    __kmalloc_node_track_caller+0x60/0x140
>    kmemdup+0x22/0x50
>    SMB2_ioctl+0x58d/0x5d0
>    SMB3_request_interfaces+0xcd/0x1e0
>    smb3_qfs_tcon+0x150/0x2a0
>    mount_get_conns+0x218/0x750
>    cifs_mount+0x103/0xd00
>    cifs_smb3_do_mount+0x1dd/0xcb0
>    smb3_get_tree+0x1d5/0x300
>    vfs_get_tree+0x41/0xf0
>    path_mount+0x9b3/0xdd0
>    __x64_sys_mount+0x190/0x1d0
>    do_syscall_64+0x35/0x80
>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
> If all the interface decoded from message, should not check whether
> has next one, otherwise there will be OOB read.
> 
> Let's just check the bytes still not decode to determine whether
> has next interface.
> 
> Fixes: aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
> ---
> fs/cifs/smb2ops.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index 880cd494afea..39c7bee87556 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -673,8 +673,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
>         goto out;
>     }
> 
> -   /* Azure rounds the buffer size up 8, to a 16 byte boundary */
> -   if ((bytes_left > 8) || p->Next)
> +   if (bytes_left > 0)
>         cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
> 
> 
> -- 
> 2.31.1