This is a note to let you know that I've just added the patch titled

    ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ksmbd-fix-slab-out-of-bounds-in-smb_strndup_from_utf16.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From d10c77873ba1e9e6b91905018e29e196fd5f863d Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Wed, 20 Dec 2023 15:52:11 +0900
Subject: ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

From: Namjae Jeon <linkinjeon@xxxxxxxxxx>

commit d10c77873ba1e9e6b91905018e29e196fd5f863d upstream.

If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
ksmbd_check_message doesn't validate the request buffer correctly.
So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
in smb2_open() could happen.

If ->NameLength is non-zero, set the larger of the two sums (Name and
CreateContext size) as the offset and length of the data area.

Reported-by: Yang Chaoming <lometsj@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/smb/server/smb2misc.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/fs/smb/server/smb2misc.c
+++ b/fs/smb/server/smb2misc.c
@@ -106,16 +106,25 @@ static int smb2_get_data_area_len(unsign break; case SMB2_CREATE: { + unsigned short int name_off = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); + unsigned short int name_len = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + if (((struct smb2_create_req *)hdr)->CreateContextsLength) { *off = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsOffset); *len = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsLength); - break; + if (!name_len) + break; + + if (name_off + name_len < (u64)*off + *len) + break; } - *off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); - *len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + *off = name_off; + *len = name_len; break; } case SMB2_QUERY_INFO:


Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxxx are

queue-6.1/ksmbd-fix-wrong-error-response-status-by-using-set_s.patch
queue-6.1/ksmbd-fix-wrong-allocation-size-update-in-smb2_open.patch
queue-6.1/ksmbd-reorganize-ksmbd_iov_pin_rsp.patch
queue-6.1/ksmbd-add-mnt_want_write-to-ksmbd-vfs-functions.patch
queue-6.1/ksmbd-avoid-duplicate-opinfo_put-call-on-error-of-sm.patch
queue-6.1/ksmbd-convert-to-use-sysfs_emit-sysfs_emit_at-apis.patch
queue-6.1/ksmbd-replace-one-element-array-with-flexible-array-.patch
queue-6.1/ksmbd-fix-null-pointer-dereferences-in-ksmbd_update_.patch
queue-6.1/ksmbd-send-v2-lease-break-notification-for-directory.patch
queue-6.1/ksmbd-return-invalid-parameter-error-response-if-smb.patch
queue-6.1/ksmbd-update-kconfig-to-note-kerberos-support-and-fi.patch
queue-6.1/ksmbd-avoid-duplicate-negotiate-ctx-offset-increment.patch
queue-6.1/ksmbd-move-setting-smb2_flags_async_command-and-asyn.patch
queue-6.1/ksmbd-fix-potential-double-free-on-smb2_read_pipe-er.patch
queue-6.1/ksmbd-set-v2-lease-capability.patch
queue-6.1/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_re.patch
queue-6.1/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_kern_path_.patch
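Review bot: the `if (name_off + name_len < (u64)*off + *len)` branch hands the caller only whichever region ends farther into the message, so the start offset of the other region is never reported and cannot be checked by ksmbd_check_message; that is acceptable only if every later consumer of the unreported region bounds it itself, and a comment above the comparison stating why the farther end is sufficient would save the next reader from re-deriving it. Two minor points on the same hunk: `unsigned short int name_off` / `name_len` would read more naturally as `u16`, matching what `le16_to_cpu()` returns, and the `(u64)` cast sits on the right-hand side only, which is correct (two u16 values cannot overflow an int) but deserves a one-line note so nobody later "fixes" it into a 32-bit comparison that can wrap on CreateContextsOffset + CreateContextsLength.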
queue-6.1/ksmbd-use-struct_size-helper-in-ksmbd_negotiate_smb_.patch
queue-6.1/ksmbd-use-f_setlk-when-unlocking-a-file.patch
queue-6.1/fs-introduce-lock_rename_child-helper.patch
queue-6.1/ksmbd-use-kzalloc-instead-of-__gfp_zero.patch
queue-6.1/ksmbd-remove-unused-compression-negotiate-ctx-packin.patch
queue-6.1/ksmbd-fix-resource-leak-in-smb2_lock.patch
queue-6.1/ksmbd-check-iov-vector-index-in-ksmbd_conn_write.patch
queue-6.1/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_.patch
queue-6.1/ksmbd-change-the-return-value-of-ksmbd_vfs_query_max.patch
queue-6.1/ksmbd-implements-sess-rpc_handle_list-as-xarray.patch
queue-6.1/ksmbd-downgrade-rwh-lease-caching-state-to-rh-for-di.patch
queue-6.1/ksmbd-separately-allocate-ci-per-dentry.patch
queue-6.1/ksmbd-release-interim-response-after-sending-status-.patch
queue-6.1/ksmbd-add-support-for-surrogate-pair-conversion.patch
queue-6.1/ksmbd-fix-force-create-mode-and-force-directory-mode.patch
queue-6.1/ksmbd-remove-unused-ksmbd_tree_conn_share-function.patch
queue-6.1/ksmbd-set-epoch-in-create-context-v2-lease.patch
queue-6.1/ksmbd-call-putname-after-using-the-last-component.patch
queue-6.1/ksmbd-fix-passing-freed-memory-aux_payload_buf.patch
queue-6.1/ksmbd-move-oplock-handling-after-unlock-parent-dir.patch
queue-6.1/ksmbd-set-negotiatecontextcount-once-instead-of-ever.patch
queue-6.1/ksmbd-fix-slab-out-of-bounds-in-smb_strndup_from_utf16.patch
queue-6.1/ksmbd-fix-recursive-locking-in-vfs-helpers.patch
queue-6.1/ksmbd-replace-one-element-arrays-with-flexible-array.patch
queue-6.1/ksmbd-set-smb2_session_flag_encrypt_data-when-enforc.patch
queue-6.1/ksmbd-fix-race-condition-between-tree-conn-lookup-an.patch
queue-6.1/ksmbd-fix-spelling-mistake-excceed-exceeded.patch
queue-6.1/ksmbd-return-a-literal-instead-of-err-in-ksmbd_vfs_k.patch
queue-6.1/ksmbd-prevent-memory-leak-on-error-return.patch
queue-6.1/ksmbd-fix-racy-issue-from-using-d_parent-and-d_name.patch
queue-6.1/ksmbd-fix-race-condition-from-parallel-smb2-lock-req.patch
queue-6.1/ksmbd-check-if-a-mount-point-is-crossed-during-path-.patch
queue-6.1/ksmbd-don-t-update-op_state-as-oplock_state_none-on-.patch
queue-6.1/ksmbd-fix-parameter-name-and-comment-mismatch.patch
queue-6.1/ksmbd-fix-missing-rdma-capable-flag-for-ipoib-device.patch
queue-6.1/ksmbd-remove-unneeded-mark_inode_dirty-in-set_info_s.patch
queue-6.1/ksmbd-fix-unsigned-expression-compared-with-zero.patch
queue-6.1/ksmbd-fix-wrong-interim-response-on-compound.patch
queue-6.1/ksmbd-fix-typo-syncronous-synchronous.patch
queue-6.1/ksmbd-replace-the-ternary-conditional-operator-with-.patch
queue-6.1/ksmbd-fix-possible-deadlock-in-smb2_open.patch
queue-6.1/ksmbd-no-need-to-wait-for-binded-connection-terminat.patch
queue-6.1/ksmbd-add-missing-calling-smb2_set_err_rsp-on-error.patch
queue-6.1/ksmbd-remove-duplicated-codes.patch
queue-6.1/ksmbd-lazy-v2-lease-break-on-smb2_write.patch
queue-6.1/ksmbd-add-support-for-read-compound.patch
queue-6.1/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_setxattr.patch
queue-6.1/ksmbd-switch-to-use-kmemdup_nul-helper.patch
queue-6.1/ksmbd-fix-race-condition-from-parallel-smb2-logoff-r.patch
queue-6.1/ksmbd-fix-posix_acls-and-acls-dereferencing-possible.patch
queue-6.1/ksmbd-remove-experimental-warning.patch
queue-6.1/ksmbd-remove-unused-field-in-ksmbd_user-struct.patch
queue-6.1/ksmbd-fix-one-kernel-doc-comment.patch
queue-6.1/ksmbd-fix-race-condition-with-fp.patch
queue-6.1/ksmbd-delete-asynchronous-work-from-list.patch
queue-6.1/ksmbd-use-kvzalloc-instead-of-kvmalloc.patch
queue-6.1/ksmbd-remove-unused-is_char_allowed-function.patch
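To make the failure mode described in the commit message concrete, here is an added C model written for this page; it is not ksmbd code and not part of the stable mail. It reproduces the pre-patch and patched data-area selection of smb2_get_data_area_len() in user space, runs both against a constructed request whose NameLength reaches past the end of the message while the CreateContexts region fits, and shows that only the old logic accepts it. The struct create_req_fields, the helper names and the 256-byte message size are hypothetical; the caller's check is modelled as "the reported data area must end inside the message", which is the only property the example depends on.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the four SMB2 CREATE fields the patch reads.
 * Offsets count from the start of the SMB2 message, as in the protocol;
 * the real struct smb2_create_req carries many more fields.
 */
struct create_req_fields {
	uint16_t name_offset;
	uint16_t name_length;
	uint32_t create_contexts_offset;
	uint32_t create_contexts_length;
};

/* Pre-patch selection: if create contexts are present, only their region
 * is reported as the data area; the name region is never looked at. */
static void data_area_old(const struct create_req_fields *r,
			  uint64_t *off, uint64_t *len)
{
	if (r->create_contexts_length) {
		*off = r->create_contexts_offset;
		*len = r->create_contexts_length;
		return;
	}
	*off = r->name_offset;
	*len = r->name_length;
}

/* Patched selection: report whichever region ends farther into the message.
 * Doing the sums in 64 bits stands in for the (u64) cast in the patch. */
static void data_area_new(const struct create_req_fields *r,
			  uint64_t *off, uint64_t *len)
{
	uint64_t name_off = r->name_offset;
	uint64_t name_len = r->name_length;

	if (r->create_contexts_length) {
		*off = r->create_contexts_offset;
		*len = r->create_contexts_length;
		if (!name_len)
			return;
		if (name_off + name_len < *off + *len)
			return;
	}
	*off = name_off;
	*len = name_len;
}

/* Stand-in for the caller's bound: the data area must end inside the message. */
static int data_area_fits(uint64_t off, uint64_t len, uint64_t msg_len)
{
	return off + len <= msg_len;
}

/* Run both selections over one request. Bit 0: old logic accepts the
 * message; bit 1: patched logic accepts it. A result of 1 is the bug:
 * the old check passes although the name region runs past the buffer. */
int evaluate(const struct create_req_fields *r, uint64_t msg_len)
{
	uint64_t off, len;
	int result = 0;

	data_area_old(r, &off, &len);
	if (data_area_fits(off, len, msg_len))
		result |= 1;
	data_area_new(r, &off, &len);
	if (data_area_fits(off, len, msg_len))
		result |= 2;
	return result;
}

/* Would CreateContextsOffset + CreateContextsLength wrap if summed in 32
 * bits? This is what the (u64) cast in the patch keeps out of the compare. */
int contexts_end_wraps_u32(const struct create_req_fields *r)
{
	uint32_t end = r->create_contexts_offset + r->create_contexts_length;
	return end < r->create_contexts_offset;
}

/* Constructed inputs, all checked against a 256-byte message. */
int demo_benign(void)
{	/* name ends at 140, contexts at 208: both variants accept (3) */
	struct create_req_fields r = { 120, 20, 144, 64 };
	return evaluate(&r, 256);
}

int demo_crafted(void)
{	/* name ends at 320, contexts at 176: only the old logic accepts (1) */
	struct create_req_fields r = { 120, 200, 144, 32 };
	return evaluate(&r, 256);
}

int demo_wrap(void)
{	/* contexts end past 4 GiB; both variants reject when summed in 64 bits (0) */
	struct create_req_fields r = { 120, 20, 0xFFFFFFF0u, 0x20u };
	return evaluate(&r, 256);
}

int demo_wrap_u32(void)
{	/* the same contexts region wraps to 0x10 when summed in 32 bits (1) */
	struct create_req_fields r = { 120, 20, 0xFFFFFFF0u, 0x20u };
	return contexts_end_wraps_u32(&r);
}

int main(void)
{
	printf("benign  accept mask old|new<<1: %d\n", demo_benign());
	printf("crafted accept mask old|new<<1: %d\n", demo_crafted());
	printf("wrap    accept mask old|new<<1: %d (32-bit sum wraps: %d)\n",
	       demo_wrap(), demo_wrap_u32());
	return 0;
}
```

The crafted case is the one the report describes: the create-context region is well-formed, so the old code validated only that region and the oversized NameLength was handed on unchecked. The wrap case is why the comparison in the patch is cast to u64; a 32-bit sum of the two CreateContexts fields can land back inside the message and pass a naive end check.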