This is a note to let you know that I've just added the patch titled ksmbd: fix multiple out-of-bounds read during context decoding to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From linkinjeon@xxxxxxxxx Mon Dec 18 16:40:27 2023 From: Namjae Jeon <linkinjeon@xxxxxxxxxx> Date: Tue, 19 Dec 2023 00:33:55 +0900 Subject: ksmbd: fix multiple out-of-bounds read during context decoding To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx Cc: smfrench@xxxxxxxxx, Kuan-Ting Chen <h3xrabbit@xxxxxxxxx>, Namjae Jeon <linkinjeon@xxxxxxxxxx>, Steve French <stfrench@xxxxxxxxxxxxx> Message-ID: <20231218153454.8090-96-linkinjeon@xxxxxxxxxx> From: Kuan-Ting Chen <h3xrabbit@xxxxxxxxx> [ Upstream commit 0512a5f89e1fae74251fde6893ff634f1c96c6fb ] Check the remaining data length before accessing the context structure to ensure that the entire structure is contained within the packet. Additionally, since the context data length `ctxt_len` has already been checked against the total packet length `len_of_ctxts`, update the comparison to use `ctxt_len`. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Kuan-Ting Chen <h3xrabbit@xxxxxxxxx> Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/ksmbd/smb2pdu.c | 53 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 19 deletions(-) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -879,13 +879,14 @@ static void assemble_neg_contexts(struct static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn, struct smb2_preauth_neg_context *pneg_ctxt, - int len_of_ctxts) + int ctxt_len) { /* * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt, * which may not be present. Only check for used HashAlgorithms[1]. */ - if (len_of_ctxts < 6) + if (ctxt_len < + sizeof(struct smb2_neg_context) + 6) return STATUS_INVALID_PARAMETER; if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512) @@ -897,15 +898,23 @@ static __le32 decode_preauth_ctxt(struct static void decode_encrypt_ctxt(struct ksmbd_conn *conn, struct smb2_encryption_neg_context *pneg_ctxt, - int len_of_ctxts) + int ctxt_len) { - int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount); - int i, cphs_size = cph_cnt * sizeof(__le16); + int cph_cnt; + int i, cphs_size; + + if (sizeof(struct smb2_encryption_neg_context) > ctxt_len) { + pr_err("Invalid SMB2_ENCRYPTION_CAPABILITIES context size\n"); + return; + } conn->cipher_type = 0; + cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount); + cphs_size = cph_cnt * sizeof(__le16); + if (sizeof(struct smb2_encryption_neg_context) + cphs_size > - len_of_ctxts) { + ctxt_len) { pr_err("Invalid cipher count(%d)\n", cph_cnt); return; } @@ -953,15 +962,22 @@ static void decode_compress_ctxt(struct static void decode_sign_cap_ctxt(struct ksmbd_conn *conn, struct smb2_signing_capabilities *pneg_ctxt, - int len_of_ctxts) + int ctxt_len) { - int sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount); - int i, sign_alos_size = sign_algo_cnt * sizeof(__le16); + int sign_algo_cnt; + int i, sign_alos_size; + + if (sizeof(struct smb2_signing_capabilities) > ctxt_len) { + pr_err("Invalid SMB2_SIGNING_CAPABILITIES context length\n"); + return; + } conn->signing_negotiated = false; + sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount); + sign_alos_size = sign_algo_cnt * sizeof(__le16); if (sizeof(struct smb2_signing_capabilities) + sign_alos_size > - len_of_ctxts) { + ctxt_len) { pr_err("Invalid signing algorithm count(%d)\n", sign_algo_cnt); return; } @@ -999,18 +1015,16 @@ static __le32 deassemble_neg_contexts(st len_of_ctxts = len_of_smb - offset; while (i++ < neg_ctxt_cnt) { - int clen; - - /* check that offset is not beyond end of SMB */ - if (len_of_ctxts == 0) - break; + int clen, ctxt_len; if (len_of_ctxts < sizeof(struct smb2_neg_context)) break; pctx = (struct smb2_neg_context *)((char *)pctx + offset); clen = le16_to_cpu(pctx->DataLength); - if (clen + sizeof(struct smb2_neg_context) > len_of_ctxts) + ctxt_len = clen + sizeof(struct smb2_neg_context); + + if (ctxt_len > len_of_ctxts) break; if (pctx->ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) { @@ -1021,7 +1035,7 @@ static __le32 deassemble_neg_contexts(st status = decode_preauth_ctxt(conn, (struct smb2_preauth_neg_context *)pctx, - len_of_ctxts); + ctxt_len); if (status != STATUS_SUCCESS) break; } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) { @@ -1032,7 +1046,7 @@ static __le32 deassemble_neg_contexts(st decode_encrypt_ctxt(conn, (struct smb2_encryption_neg_context *)pctx, - len_of_ctxts); + ctxt_len); } else if (pctx->ContextType == SMB2_COMPRESSION_CAPABILITIES) { ksmbd_debug(SMB, "deassemble SMB2_COMPRESSION_CAPABILITIES context\n"); @@ -1051,9 +1065,10 @@ static __le32 deassemble_neg_contexts(st } else if (pctx->ContextType == SMB2_SIGNING_CAPABILITIES) { ksmbd_debug(SMB, "deassemble SMB2_SIGNING_CAPABILITIES context\n"); + decode_sign_cap_ctxt(conn, (struct smb2_signing_capabilities *)pctx, - len_of_ctxts); + ctxt_len); } /* offsets must be 8 byte aligned */ Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxx are queue-5.15/ksmbd-fix-uaf-issue-from-opinfo-conn.patch queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-lock-requests.patch queue-5.15/ksmbd-validate-session-id-and-tree-id-in-compound-request.patch queue-5.15/ksmbd-reorganize-ksmbd_iov_pin_rsp.patch queue-5.15/ksmbd-convert-to-use-sysfs_emit-sysfs_emit_at-apis.patch queue-5.15/ksmbd-validate-length-in-smb2_write.patch queue-5.15/ksmbd-add-support-for-key-exchange.patch queue-5.15/ksmbd-request-update-to-stale-share-config.patch queue-5.15/ksmbd-remove-generic_fillattr-use-in-smb2_open.patch queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch queue-5.15/ksmbd-set-smb2_session_flag_encrypt_data-when-enforcing-data-encryption-for-this-share.patch queue-5.15/ksmbd-constify-struct-path.patch queue-5.15/ksmbd-casefold-utf-8-share-names-and-fix-ascii-lowercase-conversion.patch queue-5.15/ksmbd-validate-smb-request-protocol-id.patch queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch queue-5.15/ksmbd-release-interim-response-after-sending-status-pending-response.patch queue-5.15/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch queue-5.15/ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch queue-5.15/ksmbd-decrease-the-number-of-smb3-smbdirect-server-sges.patch queue-5.15/ksmbd-make-utf-8-file-name-comparison-work-in-__caseless_lookup.patch queue-5.15/ksmbd-use-f_setlk-when-unlocking-a-file.patch queue-5.15/fs-introduce-lock_rename_child-helper.patch queue-5.15/ksmbd-use-kzalloc-instead-of-__gfp_zero.patch queue-5.15/ksmbd-set-ntlmssp_negotiate_seal-flag-to-challenge-blob.patch queue-5.15/ksmbd-call-ib_drain_qp-when-disconnected.patch queue-5.15/ksmbd-fix-posix_acls-and-acls-dereferencing-possible-err_ptr.patch queue-5.15/ksmbd-destroy-expired-sessions.patch queue-5.15/ksmbd-fix-resource-leak-in-smb2_lock.patch queue-5.15/ksmbd-check-iov-vector-index-in-ksmbd_conn_write.patch queue-5.15/ksmbd-hide-socket-error-message-when-ipv6-config-is-disable.patch queue-5.15/ksmbd-use-netif_is_bridge_port.patch queue-5.15/ksmbd-smbd-simplify-tracking-pending-packets.patch queue-5.15/ksmbd-implements-sess-rpc_handle_list-as-xarray.patch queue-5.15/ksmbd-remove-duplicate-flag-set-in-smb2_write.patch queue-5.15/ksmbd-separately-allocate-ci-per-dentry.patch queue-5.15/ksmbd-fix-racy-issue-from-session-setup-and-logoff.patch queue-5.15/ksmbd-fix-race-condition-between-session-lookup-and-expire.patch queue-5.15/ksmbd-fix-wrong-smbd-max-read-write-size-check.patch queue-5.15/ksmbd-replace-usage-of-found-with-dedicated-list-iterator-variable.patch queue-5.15/ksmbd-add-support-for-surrogate-pair-conversion.patch queue-5.15/ksmbd-reduce-server-smbdirect-max-send-receive-segment-sizes.patch queue-5.15/ksmbd-fix-force-create-mode-and-force-directory-mode.patch queue-5.15/ksmbd-remove-unneeded-mark_inode_dirty-in-set_info_sec.patch queue-5.15/ksmbd-fix-potential-double-free-on-smb2_read_pipe-error-path.patch queue-5.15/ksmbd-remove-unused-ksmbd_tree_conn_share-function.patch queue-5.15/ksmbd-block-asynchronous-requests-when-making-a-delay-on-session-setup.patch queue-5.15/ksmbd-call-putname-after-using-the-last-component.patch queue-5.15/ksmbd-don-t-open-code-file_path.patch queue-5.15/ksmbd-fix-passing-freed-memory-aux_payload_buf.patch queue-5.15/ksmbd-fill-sids-in-smb_find_file_posix_info-response.patch queue-5.15/ksmbd-don-t-open-code-pd.patch queue-5.15/ksmbd-shorten-experimental-warning-on-loading-the-module.patch queue-5.15/ksmbd-remove-filename-in-ksmbd_file.patch queue-5.15/ksmbd-move-oplock-handling-after-unlock-parent-dir.patch queue-5.15/ksmbd-fix-race-condition-between-tree-conn-lookup-and-disconnect.patch queue-5.15/ksmbd-smbd-introduce-read-write-credits-for-rdma-read-write.patch queue-5.15/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch queue-5.15/ksmbd-fix-recursive-locking-in-vfs-helpers.patch queue-5.15/ksmbd-fix-some-kernel-doc-comments.patch queue-5.15/ksmbd-use-struct_size-helper-in-ksmbd_negotiate_smb_dialect.patch queue-5.15/ksmbd-smbd-relax-the-count-of-sges-required.patch queue-5.15/ksmbd-fix-wrong-error-response-status-by-using-set_smb2_rsp_status.patch queue-5.15/ksmbd-fix-spelling-mistake-excceed-exceeded.patch queue-5.15/ksmbd-fix-null-pointer-dereferences-in-ksmbd_update_fstate.patch queue-5.15/ksmbd-fix-encryption-failure-issue-for-session-logoff-response.patch queue-5.15/ksmbd-prevent-memory-leak-on-error-return.patch queue-5.15/ksmbd-fix-racy-issue-from-using-d_parent-and-d_name.patch queue-5.15/ksmbd-change-security-id-to-the-one-samba-used-for-posix-extension.patch queue-5.15/ksmbd-handle-malformed-smb1-message.patch queue-5.15/ksmbd-don-t-update-op_state-as-oplock_state_none-on-error.patch queue-5.15/ksmbd-smbd-fix-connection-dropped-issue.patch queue-5.15/ksmbd-fix-racy-issue-from-smb2-close-and-logoff-with-multichannel.patch queue-5.15/ksmbd-change-the-return-value-of-ksmbd_vfs_query_maximal_access-to-void.patch queue-5.15/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch queue-5.15/ksmbd-replace-one-element-array-with-flexible-array-member.patch queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch queue-5.15/ksmbd-replace-one-element-arrays-with-flexible-array-members.patch queue-5.15/ksmbd-fix-unsigned-expression-compared-with-zero.patch queue-5.15/ksmbd-implements-sess-ksmbd_chann_list-as-xarray.patch queue-5.15/ksmbd-set-file-permission-mode-to-match-samba-server-posix-extension-behavior.patch queue-5.15/ksmbd-fix-wrong-interim-response-on-compound.patch queue-5.15/ksmbd-return-invalid-parameter-error-response-if-smb2-request-is-invalid.patch queue-5.15/ksmbd-smbd-validate-buffer-descriptor-structures.patch queue-5.15/ksmbd-fix-missing-rdma-capable-flag-for-ipoib-device-in-ksmbd_rdma_capable_netdev.patch queue-5.15/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch queue-5.15/ksmbd-set-negotiatecontextcount-once-instead-of-every-inc.patch queue-5.15/ksmbd-fix-typo-syncronous-synchronous.patch queue-5.15/ksmbd-validate-share-name-from-share-config-response.patch queue-5.15/ksmbd-fix-possible-deadlock-in-smb2_open.patch queue-5.15/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch queue-5.15/ksmbd-add-missing-calling-smb2_set_err_rsp-on-error.patch queue-5.15/ksmbd-remove-unused-ksmbd_share_configs_cleanup-function.patch queue-5.15/ksmbd-fix-out-of-bound-read-in-parse_lease_state.patch queue-5.15/ksmbd-remove-duplicated-codes.patch queue-5.15/ksmbd-remove-a-redundant-zeroing-of-memory.patch queue-5.15/ksmbd-change-leasekey-data-type-to-u8-array.patch queue-5.15/ksmbd-add-support-for-read-compound.patch queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_setxattr.patch queue-5.15/ksmbd-remove-unused-compression-negotiate-ctx-packing.patch queue-5.15/ksmbd-switch-to-use-kmemdup_nul-helper.patch queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-logoff-requests.patch queue-5.15/ksmbd-fix-out-of-bound-read-in-deassemble_neg_contexts.patch queue-5.15/ksmbd-remove-unnecessary-generic_fillattr-in-smb2_open.patch queue-5.15/ksmbd-avoid-duplicate-negotiate-ctx-offset-increments.patch queue-5.15/ksmbd-remove-experimental-warning.patch queue-5.15/ksmbd-return-a-literal-instead-of-err-in-ksmbd_vfs_kern_path_locked.patch queue-5.15/ksmbd-smbd-change-prototypes-of-rdma-read-write-related-functions.patch queue-5.15/ksmbd-fix-out-of-bounds-in-init_smb2_rsp_hdr.patch queue-5.15/ksmbd-fix-possible-memory-leak-in-smb2_lock.patch queue-5.15/ksmbd-remove-unused-field-in-ksmbd_user-struct.patch queue-5.15/ksmbd-fix-one-kernel-doc-comment.patch queue-5.15/ksmbd-no-need-to-wait-for-binded-connection-termination-at-logoff.patch queue-5.15/ksmbd-fix-race-condition-with-fp.patch queue-5.15/ksmbd-fix-wrong-signingkey-creation-when-encryption-is-aes256.patch queue-5.15/ksmbd-update-kconfig-to-note-kerberos-support-and-fix-indentation.patch queue-5.15/ksmbd-move-setting-smb2_flags_async_command-and-asyncid.patch queue-5.15/smb3-fix-ksmbd-bigendian-bug-in-oplock-break-and-move-its-struct-to-smbfs_common.patch queue-5.15/ksmbd-store-fids-as-opaque-u64-integers.patch queue-5.15/ksmbd-delete-asynchronous-work-from-list.patch queue-5.15/ksmbd-use-kvzalloc-instead-of-kvmalloc.patch queue-5.15/ksmbd-smbd-change-the-return-value-of-get_sg_list.patch queue-5.15/ksmbd-add-missing-compound-request-handing-in-some-commands.patch queue-5.15/ksmbd-remove-unused-is_char_allowed-function.patch queue-5.15/ksmbd-use-oid-registry-functions-to-decode-oids.patch queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_kern_path_locked.patch queue-5.15/ksmbd-use-wait_event-instead-of-schedule_timeout.patch queue-5.15/ksmbd-check-if-a-mount-point-is-crossed-during-path-lookup.patch queue-5.15/ksmbd-replace-the-ternary-conditional-operator-with-min.patch