removed the duplicate definition of IO_REPARSE_TAG_SYMLINK and tentatively merged to cifs-2.6.git for-next but looks good so far in testing. On Wed, Jun 26, 2019 at 11:57 PM Ronnie Sahlberg <lsahlber@xxxxxxxxxx> wrote: > > We never parsed/returned any data from .get_link() when the object is a windows reparse-point > containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer: > > ... > [ 171.407172] Call Trace: > [ 171.408039] readlink_copy+0x29/0x70 > [ 171.408872] vfs_readlink+0xc1/0x1f0 > [ 171.409709] ? readlink_copy+0x70/0x70 > [ 171.410565] ? simple_attr_release+0x30/0x30 > [ 171.411446] ? getname_flags+0x105/0x2a0 > [ 171.412231] do_readlinkat+0x1b7/0x1e0 > [ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30 > ... > > Fix this by adding code to handle these buffers and make sure we do return a valid buffer > to .get_link() > > CC: Stable <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> > --- > fs/cifs/smb2ops.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++---- > fs/cifs/smb2pdu.h | 16 +++++++++++++- > 2 files changed, 75 insertions(+), 5 deletions(-) > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > index e921e6511728..74c826007069 100644 > --- a/fs/cifs/smb2ops.c > +++ b/fs/cifs/smb2ops.c > @@ -2385,6 +2385,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses, > kfree(dfs_rsp); > return rc; > } > + > +static int > +parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf, > + u32 plen, char **target_path, > + struct cifs_sb_info *cifs_sb) > +{ > + unsigned int sub_len; > + unsigned int sub_offset; > + > + /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */ > + if (le32_to_cpu(symlink_buf->ReparseTag) != REPARSE_TAG_SYMLINK) { > + cifs_dbg(VFS, "srv returned invalid symlink buffer\n"); > + return -EIO; > + } > + > + sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset); > + sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength); > + if (sub_offset + 20 > plen || > + sub_offset + sub_len + 20 > plen) { > + cifs_dbg(VFS, "srv returned malformed symlink buffer\n"); > + return -EIO; > + } > + > + *target_path = cifs_strndup_from_utf16( > + symlink_buf->PathBuffer + sub_offset, > + sub_len, true, cifs_sb->local_nls); > + if (!(*target_path)) > + return -ENOMEM; > + > + convert_delimiter(*target_path, '/'); > + cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path); > + > + return 0; > +} > + > #define SMB2_SYMLINK_STRUCT_SIZE \ > (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp)) > > @@ -2414,11 +2449,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, > struct kvec close_iov[1]; > struct smb2_create_rsp *create_rsp; > struct smb2_ioctl_rsp *ioctl_rsp; > - char *ioctl_buf; > + struct reparse_data_buffer *reparse_buf; > u32 plen; > > cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path); > > + *target_path = NULL; > + > if (smb3_encryption_required(tcon)) > flags |= CIFS_TRANSFORM_REQ; > > @@ -2496,17 +2533,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, > if ((rc == 0) && (is_reparse_point)) { > /* See MS-FSCC 2.3.23 */ > > - ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset); > + reparse_buf = (struct reparse_data_buffer *) > + ((char *)ioctl_rsp + > + le32_to_cpu(ioctl_rsp->OutputOffset)); > plen = le32_to_cpu(ioctl_rsp->OutputCount); > > if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) > > rsp_iov[1].iov_len) { > - cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen); > + cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n", > + plen); > + rc = -EIO; > + goto querty_exit; > + } > + > + if (plen < 8) { > + cifs_dbg(VFS, "reparse buffer is too small. Must be " > + "at least 8 bytes but was %d\n", plen); > + rc = -EIO; > + goto querty_exit; > + } > + > + if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) { > + cifs_dbg(VFS, "srv returned invalid reparse buf " > + "length: %d\n", plen); > rc = -EIO; > goto querty_exit; > } > > - /* Do stuff with ioctl_buf/plen */ > + rc = parse_reparse_symlink( > + (struct reparse_symlink_data_buffer *)reparse_buf, > + plen, target_path, cifs_sb); > goto querty_exit; > } > > diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h > index c7d5813bebd8..31f7c56e0ed8 100644 > --- a/fs/cifs/smb2pdu.h > +++ b/fs/cifs/smb2pdu.h > @@ -888,6 +888,8 @@ struct file_allocated_range_buffer { > > /* struct fsctl_reparse_info_req is empty, only response structs (see below) */ > > +#define REPARSE_TAG_SYMLINK 0xa000000c > + > struct reparse_data_buffer { > __le32 ReparseTag; > __le16 ReparseDataLength; > @@ -914,7 +916,19 @@ struct reparse_mount_point_data_buffer { > __u8 PathBuffer[0]; /* Variable Length */ > } __packed; > > -/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */ > +#define SYMLINK_FLAG_RELATIVE 0x00000001 > + > +struct reparse_symlink_data_buffer { > + __le32 ReparseTag; > + __le16 ReparseDataLength; > + __u16 Reserved; > + __le16 SubstituteNameOffset; > + __le16 SubstituteNameLength; > + __le16 PrintNameOffset; > + __le16 PrintNameLength; > + __le32 Flags; > + __u8 PathBuffer[0]; /* Variable Length */ > +} __packed; > > /* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */ > > -- > 2.13.6 > -- Thanks, Steve
From 2ccab39b92590e62a3a88c8f94e6a4fb7b3d9895 Mon Sep 17 00:00:00 2001 From: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Date: Thu, 27 Jun 2019 14:57:02 +1000 Subject: [PATCH] cifs: fix crash querying symlinks stored as reparse-points We never parsed/returned any data from .get_link() when the object is a windows reparse-point containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer: ... [ 171.407172] Call Trace: [ 171.408039] readlink_copy+0x29/0x70 [ 171.408872] vfs_readlink+0xc1/0x1f0 [ 171.409709] ? readlink_copy+0x70/0x70 [ 171.410565] ? simple_attr_release+0x30/0x30 [ 171.411446] ? getname_flags+0x105/0x2a0 [ 171.412231] do_readlinkat+0x1b7/0x1e0 [ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30 ... Fix this by adding code to handle these buffers and make sure we do return a valid buffer to .get_link() CC: Stable <stable@xxxxxxxxxxxxxxx> Signed-off-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> --- fs/cifs/smb2ops.c | 64 ++++++++++++++++++++++++++++++++++++++++++++--- fs/cifs/smb2pdu.h | 16 +++++++++++- 2 files changed, 75 insertions(+), 5 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 3fdc6a41b304..f9bd1e6e15c6 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2372,6 +2372,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses, kfree(dfs_rsp); return rc; } + +static int +parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf, + u32 plen, char **target_path, + struct cifs_sb_info *cifs_sb) +{ + unsigned int sub_len; + unsigned int sub_offset; + + /* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */ + if (le32_to_cpu(symlink_buf->ReparseTag) != IO_REPARSE_TAG_SYMLINK) { + cifs_dbg(VFS, "srv returned invalid symlink buffer\n"); + return -EIO; + } + + sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset); + sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength); + if (sub_offset + 20 > plen || + sub_offset + sub_len + 20 > plen) { + cifs_dbg(VFS, "srv returned malformed symlink buffer\n"); + return -EIO; + } + + *target_path = cifs_strndup_from_utf16( + symlink_buf->PathBuffer + sub_offset, + sub_len, true, cifs_sb->local_nls); + if (!(*target_path)) + return -ENOMEM; + + convert_delimiter(*target_path, '/'); + cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path); + + return 0; +} + #define SMB2_SYMLINK_STRUCT_SIZE \ (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp)) @@ -2401,11 +2436,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, struct kvec close_iov[1]; struct smb2_create_rsp *create_rsp; struct smb2_ioctl_rsp *ioctl_rsp; - char *ioctl_buf; + struct reparse_data_buffer *reparse_buf; u32 plen; cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path); + *target_path = NULL; + if (smb3_encryption_required(tcon)) flags |= CIFS_TRANSFORM_REQ; @@ -2483,17 +2520,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, if ((rc == 0) && (is_reparse_point)) { /* See MS-FSCC 2.3.23 */ - ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset); + reparse_buf = (struct reparse_data_buffer *) + ((char *)ioctl_rsp + + le32_to_cpu(ioctl_rsp->OutputOffset)); plen = le32_to_cpu(ioctl_rsp->OutputCount); if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) > rsp_iov[1].iov_len) { - cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen); + cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n", + plen); + rc = -EIO; + goto querty_exit; + } + + if (plen < 8) { + cifs_dbg(VFS, "reparse buffer is too small. Must be " + "at least 8 bytes but was %d\n", plen); + rc = -EIO; + goto querty_exit; + } + + if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) { + cifs_dbg(VFS, "srv returned invalid reparse buf " + "length: %d\n", plen); rc = -EIO; goto querty_exit; } - /* Do stuff with ioctl_buf/plen */ + rc = parse_reparse_symlink( + (struct reparse_symlink_data_buffer *)reparse_buf, + plen, target_path, cifs_sb); goto querty_exit; } diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index c7d5813bebd8..31f7c56e0ed8 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h @@ -914,7 +916,19 @@ struct reparse_mount_point_data_buffer { __u8 PathBuffer[0]; /* Variable Length */ } __packed; -/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */ +#define SYMLINK_FLAG_RELATIVE 0x00000001 + +struct reparse_symlink_data_buffer { + __le32 ReparseTag; + __le16 ReparseDataLength; + __u16 Reserved; + __le16 SubstituteNameOffset; + __le16 SubstituteNameLength; + __le16 PrintNameOffset; + __le16 PrintNameLength; + __le32 Flags; + __u8 PathBuffer[0]; /* Variable Length */ +} __packed; /* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */ -- 2.20.1