tentatively merged into cifs-2.6.git for-next pending testing and any
additional reviews

On Thu, Nov 17, 2022 at 8:07 PM Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx> wrote:
>
> There is an OOB read when decoding the server interfaces response:
>
> BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80
> Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402
>
> CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69
> Call Trace:
> <TASK>
> dump_stack_lvl+0x34/0x44
> print_report+0x171/0x472
> kasan_report+0xad/0x130
> kasan_check_range+0x145/0x1a0
> parse_server_interfaces+0x9ca/0xb80
> SMB3_request_interfaces+0x174/0x1e0
> smb3_qfs_tcon+0x150/0x2a0
> mount_get_conns+0x218/0x750
> cifs_mount+0x103/0xd00
> cifs_smb3_do_mount+0x1dd/0xcb0
> smb3_get_tree+0x1d5/0x300
> vfs_get_tree+0x41/0xf0
> path_mount+0x9b3/0xdd0
> __x64_sys_mount+0x190/0x1d0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Allocated by task 1402:
> kasan_save_stack+0x1e/0x40
> kasan_set_track+0x21/0x30
> __kasan_kmalloc+0x7a/0x90
> __kmalloc_node_track_caller+0x60/0x140
> kmemdup+0x22/0x50
> SMB2_ioctl+0x58d/0x5d0
> SMB3_request_interfaces+0xcd/0x1e0
> smb3_qfs_tcon+0x150/0x2a0
> mount_get_conns+0x218/0x750
> cifs_mount+0x103/0xd00
> cifs_smb3_do_mount+0x1dd/0xcb0
> smb3_get_tree+0x1d5/0x300
> vfs_get_tree+0x41/0xf0
> path_mount+0x9b3/0xdd0
> __x64_sys_mount+0x190/0x1d0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> It can be reproduced with mount.cifs over rdma.
>
> When decoding of the ioctl(FSCTL_QUERY_NETWORK_INTERFACE_INFO) response is
> complete, the code still tries to decode 'p->Next' to check whether any
> interface has not been decoded. Since there is no more data in the
> response, an OOB read occurs.
>
> Let's just check the bytes not yet decoded to determine whether there is
> an incomplete interface in the response.
>
> Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx> > --- > v2: Update commit message and fixes tag. > > fs/cifs/smb2ops.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > index 880cd494afea..39c7bee87556 100644 > --- a/fs/cifs/smb2ops.c > +++ b/fs/cifs/smb2ops.c > @@ -673,8 +673,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf, > goto out; > } > > - /* Azure rounds the buffer size up 8, to a 16 byte boundary */ > - if ((bytes_left > 8) || p->Next) > + if (bytes_left > 0) > cifs_dbg(VFS, "%s: incomplete interface info\n", __func__); > > > -- > 2.31.1 > -- Thanks, Steve
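
Review bot: the new condition "if (bytes_left > 0)" drops the 8-byte tolerance that the removed comment ("Azure rounds the buffer size up 8, to a 16 byte boundary") was there to justify, so a response carrying that padding would now log "incomplete interface info" even when every interface was decoded. The out-of-bounds read comes from the "p->Next" term alone; consider keeping the comment and "bytes_left > 8", and either dropping "|| p->Next" or evaluating it only when bytes_left still covers that field. If the padding case no longer applies, the commit message should say why.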
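
The bounds problem described in the commit message above, as an added user-space example that is not part of the original thread or the kernel's code: a walker over a Next-chained record buffer that proves a header lies inside the data before reading it and judges leftovers by byte count only. The record layout, the names (iface_rec, count_ifaces, run_sample, MAX_PAD) and the sample buffers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified record, host byte order (assumption; the real SMB3 entry has more fields). */
struct iface_rec {
    uint32_t next;      /* byte offset to the next record, 0 on the last */
    uint32_t if_index;
};
#define REC_SZ  sizeof(struct iface_rec)
#define MAX_PAD 8       /* trailing padding tolerated after the last record */

/* Returns the record count, or -1 if the chain is truncated or malformed. */
int count_ifaces(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    for (;;) {
        struct iface_rec r;
        if (len - off < REC_SZ)
            return -1;      /* header would lie past the data: do not read it */
        memcpy(&r, buf + off, REC_SZ);
        n++;
        if (r.next == 0) {  /* last record */
            off += REC_SZ;
            break;
        }
        if (r.next < REC_SZ || r.next > len - off)
            return -1;      /* offset overlaps this record or leaves the buffer */
        off += r.next;
    }
    /* Judge leftovers by byte count only; buf + off may be the buffer end. */
    return (len - off > MAX_PAD) ? -1 : n;
}

/* Constructed sample: two records, the second with Next = last_next, then pad (<= 16) zero bytes. */
int run_sample(uint32_t last_next, size_t pad)
{
    uint8_t buf[32] = {0};
    struct iface_rec a = { (uint32_t)REC_SZ, 1 }, b = { last_next, 2 };
    memcpy(buf, &a, REC_SZ);
    memcpy(buf + REC_SZ, &b, REC_SZ);
    return count_ifaces(buf, 2 * REC_SZ + pad);
}

int main(void)
{
    printf("%d %d %d\n", run_sample(0, 0), run_sample(0, 8), run_sample(8, 0));
}
```

run_sample(8, 0) is the case from the report: the last record claims a successor but no bytes remain, so the walker stops on the length check instead of reading past the allocation.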