From patchwork Fri Aug 25 14:48:46 2023
X-Patchwork-Submitter: Namjae Jeon
X-Patchwork-Id: 1826193
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, hyc.lee@gmail.com, atteh.mailbox@gmail.com, Namjae Jeon, zdi-disclosures@trendmicro.com
Subject: [PATCH 1/3] ksmbd: fix wrong DataOffset validation of create context
Date: Fri, 25 Aug 2023 23:48:46 +0900
Message-Id: <20230825144848.9034-1-linkinjeon@kernel.org>

If ->DataOffset of the create context is 0, the DataBuffer size is not correctly validated. This patch changes the wrong validation code and considers the tag length in the request.

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824
Signed-off-by: Namjae Jeon
---
 fs/smb/server/oplock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index 6bc8a1e48171..9bc0103720f5 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c 
@@ -1481,7 +1481,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag, i name_len < 4 || name_off + name_len > cc_len || (value_off & 0x7) != 0 || - (value_off && (value_off < name_off + name_len)) || + (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) || ((u64)value_off + value_len > cc_len)) return ERR_PTR(-EINVAL);
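Review bot: the literal 8 in `(name_len < 8 ? 8 : name_len)` needs a comment in the hunk or the commit message saying where it comes from; the reader can only infer from the `(value_off & 0x7) != 0` check above that it is the 8-byte-aligned minimum size of the name area (a 4-byte tag padded up to the next DataOffset boundary), and a named constant would read better than the inline ternary. The guard also now keys on `value_len` rather than `value_off`, so a context with a non-zero DataLength and DataOffset 0 is rejected while one with DataLength 0 gets no overlap check at all; that matches the commit message, but it is worth stating explicitly. Finally, a fix for a reported issue (ZDI-CAN-21824) would normally carry a Fixes: tag and Cc: stable, and the trailers show neither.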
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, hyc.lee@gmail.com, atteh.mailbox@gmail.com, Namjae Jeon, zdi-disclosures@trendmicro.com
Subject: [PATCH 2/3] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
Date: Fri, 25 Aug 2023 23:48:47 +0900
Message-Id: <20230825144848.9034-2-linkinjeon@kernel.org>
In-Reply-To: <20230825144848.9034-1-linkinjeon@kernel.org>
References: <20230825144848.9034-1-linkinjeon@kernel.org>

If authblob->SessionKey.Length is bigger than the session key size (CIFS_KEY_SIZE), a slub overflow can happen in the key exchange code. cifs_arc4_crypt copies the SessionKey from the client into the session key array.

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21940
Signed-off-by: Namjae Jeon
---
 fs/smb/server/auth.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index af7b2cdba126..229a6527870d 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -355,6 +355,9 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob, if (blob_len < (u64)sess_key_off + sess_key_len) return -EINVAL; + if (sess_key_len > CIFS_KEY_SIZE) + return -EINVAL; + ctx_arc4 = kmalloc(sizeof(*ctx_arc4), GFP_KERNEL); if (!ctx_arc4) return -ENOMEM;
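Review bot: the new `sess_key_len > CIFS_KEY_SIZE` test only rejects oversize keys; a SessionKey shorter than CIFS_KEY_SIZE still passes, so only part of the session key array is overwritten by cifs_arc4_crypt, and whether that is acceptable depends on how the array is initialised, which the hunk does not show. If the exchanged key is always exactly CIFS_KEY_SIZE bytes, `!= CIFS_KEY_SIZE` would be the tighter check and the commit message should say so; if shorter keys are legitimately accepted, a comment above the check would help. The check could also be folded into the preceding `blob_len < (u64)sess_key_off + sess_key_len` condition, since both reject the blob with -EINVAL. As with 1/3, a Fixes: tag and Cc: stable are missing for a reported overflow (ZDI-CAN-21940).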
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, hyc.lee@gmail.com, atteh.mailbox@gmail.com, Namjae Jeon
Subject: [PATCH 3/3] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info
Date: Fri, 25 Aug 2023 23:48:48 +0900
Message-Id: <20230825144848.9034-3-linkinjeon@kernel.org>
In-Reply-To: <20230825144848.9034-1-linkinjeon@kernel.org>
References: <20230825144848.9034-1-linkinjeon@kernel.org>

UBSAN complains about out-of-bounds array indexes on 1-element arrays in struct smb2_ea_info.

UBSAN: array-index-out-of-bounds in fs/smb/server/smb2pdu.c:4335:15
index 1 is out of range for type 'char [1]'
CPU: 1 PID: 354 Comm: kworker/1:4 Not tainted 6.5.0-rc4 #1
Hardware name: VMware, Inc.
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020 Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] Call Trace: __dump_stack linux/lib/dump_stack.c:88 dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106 dump_stack+0x10/0x20 linux/lib/dump_stack.c:113 ubsan_epilogue linux/lib/ubsan.c:217 __ubsan_handle_out_of_bounds+0xc6/0x110 linux/lib/ubsan.c:348 smb2_get_ea linux/fs/smb/server/smb2pdu.c:4335 smb2_get_info_file linux/fs/smb/server/smb2pdu.c:4900 smb2_query_info+0x63ae/0x6b20 linux/fs/smb/server/smb2pdu.c:5275 __process_request linux/fs/smb/server/server.c:145 __handle_ksmbd_work linux/fs/smb/server/server.c:213 handle_ksmbd_work+0x348/0x10b0 linux/fs/smb/server/server.c:266 process_one_work+0x85a/0x1500 linux/kernel/workqueue.c:2597 worker_thread+0xf3/0x13a0 linux/kernel/workqueue.c:2748 kthread+0x2b7/0x390 linux/kernel/kthread.c:389 ret_from_fork+0x44/0x90 linux/arch/x86/kernel/process.c:145 ret_from_fork_asm+0x1b/0x30 linux/arch/x86/entry/entry_64.S:304 Signed-off-by: Namjae Jeon --- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb2pdu.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 2d4b8efaf19f..d12d995f52d7 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -4335,7 +4335,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp, if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) name_len -= XATTR_USER_PREFIX_LEN; - ptr = (char *)(&eainfo->name + name_len + 1); + ptr = eainfo->name + name_len + 1; buf_free_len -= (offsetof(struct smb2_ea_info, name) + name_len + 1); /* bailout if xattr can't fit in buf_free_len */ diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h index 2767c08a534a..d12cfd3b0927 100644 --- a/fs/smb/server/smb2pdu.h +++ b/fs/smb/server/smb2pdu.h 
@@ -361,7 +361,7 @@ struct smb2_ea_info { __u8 Flags; __u8 EaNameLength; __le16 EaValueLength; - char name[1]; + char name[]; /* optionally followed by value */ } __packed; /* level 15 Query */
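Review bot: the commit message should say that the smb2pdu.c hunk does not change behaviour. With `char name[1]`, `&eainfo->name` has type `char (*)[1]`, so `+ name_len + 1` already advanced in 1-byte units and `(char *)(&eainfo->name + name_len + 1)` yielded the same address as `eainfo->name + name_len + 1`; the rewrite is required only because pointer arithmetic on `char (*)[]`, a pointer to an incomplete array type, is not valid once the member becomes a flexible array. Stating that makes clear this is a UBSAN cleanup rather than a bounds fix.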
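Review bot: turning `name[1]` into `name[]` shrinks `sizeof(struct smb2_ea_info)` by one byte (the struct is `__packed`, so the old trailing char counted fully). The smb2pdu.c hunk uses `offsetof(struct smb2_ea_info, name)`, which is unaffected, but the commit message should confirm that no remaining user of `sizeof(struct smb2_ea_info)` computes entry sizes or the next-entry offset, otherwise that code is now off by one. The `/* optionally followed by value */` comment is welcome; since the consumer adds `name_len + 1`, it would also be worth noting there that `name` carries a terminating NUL.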