From patchwork Thu Nov 17 15:45:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "zhangxiaoxu (A)" X-Patchwork-Id: 1705122 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=linux-cifs-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NCjMh3Dznz23mV for ; Fri, 18 Nov 2022 01:43:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233725AbiKQOnV (ORCPT ); Thu, 17 Nov 2022 09:43:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240622AbiKQOmK (ORCPT ); Thu, 17 Nov 2022 09:42:10 -0500 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9209573B91 for ; Thu, 17 Nov 2022 06:41:18 -0800 (PST) Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NCjJh1DcxzmVyS; Thu, 17 Nov 2022 22:40:52 +0800 (CST) Received: from localhost.localdomain (10.175.101.6) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 17 Nov 2022 22:41:15 +0800 From: Zhang Xiaoxu To: , , , , , , , Subject: [PATCH] cifs: Fix OOB read in parse_server_interfaces() Date: Thu, 17 Nov 2022 23:45:55 +0800 Message-ID: <20221117154555.2973509-1-zhangxiaoxu5@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-Originating-IP: [10.175.101.6] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To dggpeml500023.china.huawei.com (7.185.36.114) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org There is a OOB read in parse_server_interfaces when mount.cifs with rdma: BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80 Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402 CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69 Call Trace: dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 kasan_check_range+0x145/0x1a0 parse_server_interfaces+0x9ca/0xb80 SMB3_request_interfaces+0x174/0x1e0 smb3_qfs_tcon+0x150/0x2a0 mount_get_conns+0x218/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Allocated by task 1402: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7a/0x90 __kmalloc_node_track_caller+0x60/0x140 kmemdup+0x22/0x50 SMB2_ioctl+0x58d/0x5d0 SMB3_request_interfaces+0xcd/0x1e0 smb3_qfs_tcon+0x150/0x2a0 mount_get_conns+0x218/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 If all the interface decoded from message, should not check whether has next one, otherwise there will be OOB read. Let's just check the bytes still not decode to determine whether has next interface. Fixes: aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list") Signed-off-by: Zhang Xiaoxu --- fs/cifs/smb2ops.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 880cd494afea..39c7bee87556 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -673,8 +673,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf, goto out; } - /* Azure rounds the buffer size up 8, to a 16 byte boundary */ - if ((bytes_left > 8) || p->Next) + if (bytes_left > 0) cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);