From patchwork Sat Oct 10 22:54:01 2020
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 1380207
From: Steve French
Date: Sat, 10 Oct 2020 17:54:01 -0500
Subject: [PATCH] cifs: fix memory corruption setting EAs on 32 bit systems
To: CIFS , vz@mleia.com, vladimir@tuxera.com
X-Mailing-List: linux-cifs@vger.kernel.org

Original patch was corrupted. Fixed the whitespace/tab and formatting issues and added cc:stable.

Merged into cifs-2.6.git for-next pending testing/review

Vladimir,
Would you verify that the updated patch matches what you expect?

Probably easier to send future patches as attachments or links to git tree commit to avoid the usual email corruption of non-plain text patches.

From 5c119c376e10f4e943d143d42defb4e0e1bc64e3 Mon Sep 17 00:00:00 2001
From: Vladimir Zapolskiy
Date: Sat, 10 Oct 2020 17:44:18 -0500
Subject: [PATCH] cifs: fix memory corruption setting EAs on 32 bit systems

On the setxattr() syscall path, due to an apparent typo, the size of a dynamically
allocated memory chunk for storing a struct smb2_file_full_ea_info object is
computed incorrectly; to be more precise, the first addend is the size of a
pointer instead of the wanted object size. Coincidentally it makes no
difference on 64-bit platforms, however on 32-bit targets the following
memcpy() writes 4 bytes of data outside of the dynamically allocated memory.

  BUG kmalloc-16 (Not tainted): Redzone overwritten
  -----------------------------------------------------------------------------

  Disabling lock debugging due to kernel taint
  INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
  INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
  INFO: Object 0x6f171df3 @offset=352 fp=0x00000000

  Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
  Object  6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
  Redzone 79e69a6f: 73 68 32 0a                                      sh2.
  Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  CPU: 0 PID: 8196 Comm: attr Tainted: G B 5.9.0-rc8+ #3
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
  Call Trace:
   dump_stack+0x54/0x6e
   print_trailer+0x12c/0x134
   check_bytes_and_report.cold+0x3e/0x69
   check_object+0x18c/0x250
   free_debug_processing+0xfe/0x230
   __slab_free+0x1c0/0x300
   kfree+0x1d3/0x220
   smb2_set_ea+0x27d/0x540
   cifs_xattr_set+0x57f/0x620
   __vfs_setxattr+0x4e/0x60
   __vfs_setxattr_noperm+0x4e/0x100
   __vfs_setxattr_locked+0xae/0xd0
   vfs_setxattr+0x4e/0xe0
   setxattr+0x12c/0x1a0
   path_setxattr+0xa4/0xc0
   __ia32_sys_lsetxattr+0x1d/0x20
   __do_fast_syscall_32+0x40/0x70
   do_fast_syscall_32+0x29/0x60
   do_SYSENTER_32+0x15/0x20
   entry_SYSENTER_32+0x9f/0xf2

Fixes: 5517554e4313 ("cifs: Add support for writing attributes on SMB2+")
Signed-off-by: Vladimir Zapolskiy CC: Stable #v4.14+ Signed-off-by: Steve French --- fs/cifs/smb2ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 24f107f763f0..76d82a60a550 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1216,7 +1216,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, rqst[1].rq_iov = si_iov; rqst[1].rq_nvec = 1; - len = sizeof(ea) + ea_name_len + ea_value_len + 1; + len = sizeof(*ea) + ea_name_len + ea_value_len + 1; ea = kzalloc(len, GFP_KERNEL); if (ea == NULL) { rc = -ENOMEM; -- 2.25.1
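Review bot: the hunk's change from sizeof(ea) to sizeof(*ea) is the right fix, and it lines up with the report above: on a 32-bit build sizeof(ea) is the 4-byte pointer while the header is 8 bytes (the commit message notes the two coincide only on 64-bit), so len comes out 4 bytes short and the tail of the value ("sh2\n", Redzone 79e69a6f: 73 68 32 0a) lands in the redzone. Since the same one-character slip is easy to reintroduce, consider writing the addend as sizeof(struct smb2_file_full_ea_info) or adding a short comment that len must cover header + name + NUL + value at the kzalloc() site; the trailing kzalloc()/-ENOMEM context is unchanged and fine.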
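The length bug described in the commit message, modelled as an added example (not code from the patch or the kernel tree): the struct below is an assumed stand-in for smb2_file_full_ea_info whose only relevant property is its 8-byte header, and ea_build() is a hypothetical bounds-checked builder showing how a capacity check turns the silent 4-byte overflow of the 32-bit case into an error return.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for struct smb2_file_full_ea_info (assumed layout; only its
 * 8-byte header size matters for this example). */
struct ea_info {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;
    uint16_t ea_value_length;
    char     ea_data[];            /* name, NUL terminator, then value */
};
_Static_assert(sizeof(struct ea_info) == 8, "EA header must be 8 bytes");

/* The length the patch computes: header + name + NUL + value. */
size_t ea_len_fixed(size_t name_len, size_t value_len)
{
    struct ea_info *ea = NULL;
    return sizeof(*ea) + name_len + value_len + 1;
}

/* The pre-patch length, where sizeof(ea) is a pointer: ptr_size is 8 on a
 * 64-bit build (coincidentally equal to the header) and 4 on 32-bit. */
size_t ea_len_buggy(size_t ptr_size, size_t name_len, size_t value_len)
{
    return ptr_size + name_len + value_len + 1;
}

/* Bounds-checked builder: fills buf with one EA record and returns the
 * bytes written, or -1 if cap is too small. Given the buggy 32-bit length
 * the check fails instead of the final memcpy running 4 bytes past the end. */
long ea_build(void *buf, size_t cap, const char *name,
              const void *value, size_t value_len)
{
    size_t name_len = strlen(name);
    size_t need = ea_len_fixed(name_len, value_len);
    struct ea_info *ea = buf;

    if (name_len > UINT8_MAX || value_len > UINT16_MAX || cap < need)
        return -1;
    memset(ea, 0, need);
    ea->ea_name_length = (uint8_t)name_len;
    ea->ea_value_length = (uint16_t)value_len;
    memcpy(ea->ea_data, name, name_len + 1);               /* name + NUL */
    memcpy(ea->ea_data + name_len + 1, value, value_len);  /* value */
    return (long)need;
}
```

The name "snrub" and value "fish2\n" from the slab report give a correct length of 20 and a buggy 32-bit length of 16, which is why the object landed in kmalloc-16 with 4 bytes spilling into the redzone.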