Patch "cifs: fix off-by-one in SMB2_query_info_init()" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    cifs: fix off-by-one in SMB2_query_info_init()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-fix-off-by-one-in-smb2_query_info_init.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From harshit.m.mogalapalli@xxxxxxxxxx  Mon Jan 29 08:14:10 2024
From: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Date: Sun, 28 Jan 2024 21:43:42 -0800
Subject: cifs: fix off-by-one in SMB2_query_info_init()
To: stable@xxxxxxxxxxxxxxx
Cc: kovalev@xxxxxxxxxxxx, abuehaze@xxxxxxxxxx, smfrench@xxxxxxxxx, greg@xxxxxxxxx, linux-cifs@xxxxxxxxxxxxxxx, keescook@xxxxxxxxxxxx, darren.kenny@xxxxxxxxxx, pc@xxxxxxxxxxxxx, nspmangalore@xxxxxxxxx, vegard.nossum@xxxxxxxxxx, Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Message-ID: <20240129054342.2472454-1-harshit.m.mogalapalli@xxxxxxxxxx>

From: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>

Bug: After mounting the cifs fs, it complains with "Resource temporarily
unavailable" messages.

[root@vm1 xfstests-dev]# ./check -g quick -s smb3
TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
[root@vm1 xfstests-dev]# df
df: /mnt/test: Resource temporarily unavailable

Paul's analysis of the bug:

	Bug is related to an off-by-one in smb2_set_next_command() when
	the client attempts to pad SMB2_QUERY_INFO request -- since it isn't
	8 byte aligned -- even though smb2_query_info_compound() doesn't
	provide an extra iov for such padding.

	v5.10.y doesn't have

        eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")

	and the commit does

		if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
			     len > CIFSMaxBufSize))
			return -EINVAL;

	so sizeof(*req) will wrongly include the extra byte from
	smb2_query_info_req::Buffer making @len unaligned and therefore causing
	OOB in smb2_set_next_command().

Fixes: 203a412e52b5 ("smb: client: fix OOB in SMB2_query_info_init()")
Suggested-by: Paulo Alcantara <pc@xxxxxxxxxxxxx>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/cifs/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3378,7 +3378,7 @@ SMB2_query_info_init(struct cifs_tcon *t
 
 	iov[0].iov_base = (char *)req;
 	/* 1 for Buffer */
-	iov[0].iov_len = len;
+	iov[0].iov_len = len - 1;
 	return 0;
 }
 
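Review bot: the literal `- 1` on the `iov[0].iov_len = len - 1;` line encodes the size of the one-element `smb2_query_info_req::Buffer` that `sizeof(*req)` counts into `len` on 5.10; writing it as `len - sizeof(req->Buffer)`, or extending the existing `/* 1 for Buffer */` comment to say that `len` includes that placeholder byte because this tree lacks eb3e28c1e89b, would make the intent obvious and flag that the subtraction must go away if the flex-array conversion is ever backported. The `len > CIFSMaxBufSize` check quoted in the commit message still uses the unsubtracted `len`, which is conservative by one byte and needs no change.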


Patches currently in stable-queue which might be from harshit.m.mogalapalli@xxxxxxxxxx are

queue-5.10/cifs-fix-off-by-one-in-smb2_query_info_init.patch
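The mechanism Paul describes, as an added stand-alone illustration that is not part of the patch or the kernel: a mock request struct with the old one-element `Buffer[]` (hypothetical 104-byte fixed part, chosen only so that sizeof() behaves like the real struct), the backported `input_len + sizeof(*req)` length, and a simplified `set_next_command()` that appends an 8-byte-alignment padding iov into a caller-supplied array, bounds-checked here instead of writing past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the pre-flex-array smb2_query_info_req:
 * a 104-byte fixed part followed by the old 1-element Buffer[].
 * Only the sizeof() behaviour matters; this is not the kernel layout. */
struct mock_query_info_req {
	uint8_t hdr_and_fields[104];
	uint8_t Buffer[1];
} __attribute__((packed));

struct mock_iov { const void *base; size_t len; };

/* Same arithmetic as the backported check: len = input_len + sizeof(*req). */
static size_t request_len(size_t input_len)
{
	return input_len + sizeof(struct mock_query_info_req);
}

/* Simplified smb2_set_next_command(): compound PDUs are 8-byte aligned, so an
 * unaligned request gets a padding iov appended at index nvec. Returns the
 * padded length, or 0 if the append would land outside the caller's array
 * (the OOB write in the kernel). */
static size_t set_next_command(struct mock_iov *iov, unsigned int nvec,
			       unsigned int max_vec)
{
	size_t len = 0;
	for (unsigned int i = 0; i < nvec; i++)
		len += iov[i].len;
	if (len & 7) {
		if (nvec >= max_vec)
			return 0;
		iov[nvec].base = NULL;
		iov[nvec].len = 8 - (len & 7);
		len += iov[nvec].len;
	}
	return len;
}

/* Build the single request iov as SMB2_query_info_init() does, with or
 * without the patch's "- 1", then run the compound fixup with only one
 * iov slot, mirroring a caller that provides no padding iov. */
size_t compound_len(size_t input_len, int fixed)
{
	struct mock_iov iov[1];
	size_t len = request_len(input_len);
	iov[0].base = NULL;
	iov[0].len = fixed ? len - 1 : len;
	return set_next_command(iov, 1, 1);
}
```

With `input_len` 0 the unfixed length is 105, so padding is required and the single-iov caller is overrun; with the fix it is 104 and no padding iov is needed.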
