Patch "cifs: Validate content of NFS reparse point buffer" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 24 Oct 2024 07:18:34 -0400

This is a note to let you know that I've just added the patch titled

    cifs: Validate content of NFS reparse point buffer

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-validate-content-of-nfs-reparse-point-buffer.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 280e78cf09f85b935f1a89013dd93fa912886a8c
Author: Pali Rohár <pali@xxxxxxxxxx>
Date:   Sat Sep 28 23:59:47 2024 +0200

    cifs: Validate content of NFS reparse point buffer
    
    [ Upstream commit 556ac52bb1e76cc28fd30aa117b42989965b3efd ]
    
    Symlink target location stored in DataBuffer is encoded in UTF-16. So check
    that symlink DataBuffer length is non-zero and even number. And check that
    DataBuffer does not contain UTF-16 null codepoint because Linux cannot
    process symlink with null byte.
    
    DataBuffer for char and block devices is 8 bytes long as it contains two
    32-bit numbers (major and minor). Add check for this.
    
    DataBuffer buffer for sockets and fifos zero-length. Add checks for this.
    
    Signed-off-by: Pali Rohár <pali@xxxxxxxxxx>
    Reviewed-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index ad0e0de9a165d..7429b96a6ae5e 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -330,6 +330,18 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
 
 	switch ((type = le64_to_cpu(buf->InodeType))) {
 	case NFS_SPECFILE_LNK:
+		if (len == 0 || (len % 2)) {
+			cifs_dbg(VFS, "srv returned malformed nfs symlink buffer\n");
+			return -EIO;
+		}
+		/*
+		 * Check that buffer does not contain UTF-16 null codepoint
+		 * because Linux cannot process symlink with null byte.
+		 */
+		if (UniStrnlen((wchar_t *)buf->DataBuffer, len/2) != len/2) {
+			cifs_dbg(VFS, "srv returned null byte in nfs symlink target location\n");
+			return -EIO;
+		}
 		data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer,
 							       len, true,
 							       cifs_sb->local_nls);
@@ -340,8 +352,19 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
 		break;
 	case NFS_SPECFILE_CHR:
 	case NFS_SPECFILE_BLK:
+		/* DataBuffer for block and char devices contains two 32-bit numbers */
+		if (len != 8) {
+			cifs_dbg(VFS, "srv returned malformed nfs buffer for type: 0x%llx\n", type);
+			return -EIO;
+		}
+		break;
 	case NFS_SPECFILE_FIFO:
 	case NFS_SPECFILE_SOCK:
+		/* DataBuffer for fifos and sockets is empty */
+		if (len != 0) {
+			cifs_dbg(VFS, "srv returned malformed nfs buffer for type: 0x%llx\n", type);
+			return -EIO;
+		}
 		break;
 	default:
 		cifs_dbg(VFS, "%s: unhandled inode type: 0x%llx\n",







