Pali Rohár <pali@xxxxxxxxxx> writes:
> On Friday 22 November 2024 14:44:10 Mahmoud Adam wrote:
>> From: Pali Rohár <pali@xxxxxxxxxx>
>>
>> upstream e2a8910af01653c1c268984855629d71fb81f404 commit.
>>
>> ReparseDataLength is sum of the InodeType size and DataBuffer size.
>> So to get DataBuffer size it is needed to subtract InodeType's size from
>> ReparseDataLength.
>>
>> Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
>> at position after the end of the buffer because it does not subtract
>> InodeType size from the length. Fix this problem and correctly subtract
>> variable len.
>>
>> Member InodeType is present only when reparse buffer is large enough. Check
>> for ReparseDataLength before accessing InodeType to prevent another invalid
>> memory access.
>>
>> Major and minor rdev values are present also only when reparse buffer is
>> large enough. Check for reparse buffer size before calling reparse_mkdev().
>>
>> Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
>> Reviewed-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
>> Signed-off-by: Pali Rohár <pali@xxxxxxxxxx>
>> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
>> [use variable name symlink_buf, the other buf->InodeType accesses are
>> not used in current version so skip]
>> Signed-off-by: Mahmoud Adam <mngyadam@xxxxxxxxxx>
>> ---
>> This fixes CVE-2024-49996, and applies cleanly on 5.4->6.1, 6.6 and
>> later already has the fix.
>
> Interesting... I have not know that there is CVE number for this issue.
> Have you asked for assigning CVE number? Or was it there before?
>
Nope, It was assigned a CVE here:
https://lore.kernel.org/all/2024102138-CVE-2024-49996-0d29@gregkh/
-MNAdam
