On Mon, Jan 13, 2025 at 3:17 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> On 32bit systems the addition operations in ipc_msg_alloc() can
> potentially overflow leading to memory corruption. Fix this using
> size_add() which will ensure that the invalid allocations do not succeed.
You previously said that memcpy overrun does not occur due to memory
allocation failure with SIZE_MAX.
Would it be better to handle integer overflows as an error before
memory allocation?
And static checkers don't detect memcpy overrun by considering memory
allocation failure?
Thanks.
> In the callers, move the two constant values
> "sizeof(struct ksmbd_rpc_command) + 1" onto the same side and use
> size_add() for the user controlled values.
>
> Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> I sent this patch in Oct 2023 but it wasn't applied.
> https://lore.kernel.org/all/205c4ec1-7c41-4f5d-8058-501fc1b5163c@moroto.mountain/
> I reviewed this code again today and it is still an issue.
>
> fs/smb/server/transport_ipc.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
> index befaf42b84cc..ec72c97b2f0b 100644
> --- a/fs/smb/server/transport_ipc.c
> +++ b/fs/smb/server/transport_ipc.c
> @@ -242,7 +242,7 @@ static void ipc_update_last_active(void)
> static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
> {
> struct ksmbd_ipc_msg *msg;
> - size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);
> + size_t msg_sz = size_add(sz, sizeof(struct ksmbd_ipc_msg));
>
> msg = kvzalloc(msg_sz, KSMBD_DEFAULT_GFP);
> if (msg)
> @@ -626,8 +626,8 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
> struct ksmbd_spnego_authen_request *req;
> struct ksmbd_spnego_authen_response *resp;
>
> - msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
> - blob_len + 1);
> + msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_spnego_authen_request) + 1,
> + blob_len));
> if (!msg)
> return NULL;
>
> @@ -805,7 +805,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
> struct ksmbd_rpc_command *req;
> struct ksmbd_rpc_command *resp;
>
> - msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
> + msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1,
> + payload_sz));
> if (!msg)
> return NULL;
>
> @@ -853,7 +854,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
> struct ksmbd_rpc_command *req;
> struct ksmbd_rpc_command *resp;
>
> - msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
> + msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
> if (!msg)
> return NULL;
>
> @@ -878,7 +879,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
> struct ksmbd_rpc_command *req;
> struct ksmbd_rpc_command *resp;
>
> - msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
> + msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
> if (!msg)
> return NULL;
>
> --
> 2.45.2
>
