Patch "cifs: prevent copying past input buffer boundaries" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    cifs: prevent copying past input buffer boundaries

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-prevent-copying-past-input-buffer-boundaries.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 9ee2afe5207b63b20426ee081f486d831bae871d Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@xxxxxx>
Date: Thu, 6 Oct 2022 13:04:05 -0300
Subject: cifs: prevent copying past input buffer boundaries

From: Paulo Alcantara <pc@xxxxxx>

commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream.

Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
the output buffer in @iov might be potentially bigger and thus copying
more bytes than requested in @minbufsize.

Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxx>
Reviewed-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Cc: Georg Müller <georgmueller@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/cifs/smb2pdu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3400,7 +3400,7 @@ smb2_validate_and_copy_iov(unsigned int
 	if (rc)
 		return rc;
 
-	memcpy(data, begin_of_buf, buffer_length);
+	memcpy(data, begin_of_buf, minbufsize);
 
 	return 0;
 }
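Review bot: with the length in `memcpy(data, begin_of_buf, minbufsize)` now taken from the caller instead of from the response, the read from begin_of_buf stays in bounds only if the validation above the `if (rc)` check rejects a response whose buffer_length is smaller than minbufsize. That check is outside the visible context, so it is worth confirming. A one-line comment above the memcpy stating the invariant (buffer_length >= minbufsize, and @data holds at least minbufsize bytes) would make it harder to break later.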
@@ -3524,7 +3524,7 @@ query_info(const unsigned int xid, struc
 
 	rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
 					le32_to_cpu(rsp->OutputBufferLength),
-					&rsp_iov, min_len, *data);
+					&rsp_iov, dlen ? *dlen : min_len, *data);
 	if (rc && allocated) {
 		kfree(*data);
 		*data = NULL;
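Review bot: in `dlen ? *dlen : min_len`, the caller's *dlen becomes both the required minimum and the number of bytes copied into *data, so the call relies on *dlen matching the size of *data on every path, including the one where `allocated` is set. The hunk shows neither where *dlen is assigned relative to the allocation nor what happens when *dlen is smaller than min_len (a *dlen of 0 would copy nothing and still return 0). Suggest documenting the expected relation between *dlen, min_len and the size of *data in the comment for query_info().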


Patches currently in stable-queue which might be from pc@xxxxxx are

queue-5.15/cifs-fix-missing-display-of-three-mount-options.patch
queue-5.15/cifs-prevent-copying-past-input-buffer-boundaries.patch
queue-5.15/cifs-fix-confusing-debug-message.patch
queue-5.15/cifs-fix-oops-during-encryption.patch


