From patchwork Mon Feb 5 20:34:01 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1895412
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][PATCH 1/1] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
Date: Mon, 5 Feb 2024 14:34:01 -0600
Message-Id: <20240205203402.28665-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240205203402.28665-1-bethany.jamison@canonical.com>
References: <20240205203402.28665-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Namjae Jeon

If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
ksmbd_check_message doesn't validate the request buffer correctly.
So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
in smb2_open() could happen.

If ->NameLength is non-zero, set the larger of the two sums (Name and
CreateContext size) as the offset and length of the data area.

Reported-by: Yang Chaoming
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon
Signed-off-by: Steve French
(cherry picked from commit d10c77873ba1e9e6b91905018e29e196fd5f863d)
CVE-2024-22705
Signed-off-by: Bethany Jamison
---
 fs/smb/server/smb2misc.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/smb/server/smb2misc.c b/fs/smb/server/smb2misc.c
index e881df1d10cbd..401e439c5fe96 100644
--- a/fs/smb/server/smb2misc.c
+++ b/fs/smb/server/smb2misc.c
@@ -106,16 +106,25 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, break; case SMB2_CREATE: { + unsigned short int name_off = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); + unsigned short int name_len = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + if (((struct smb2_create_req *)hdr)->CreateContextsLength) { *off = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsOffset); *len = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsLength); - break; + if (!name_len) + break; + + if (name_off + name_len < (u64)*off + *len) + break; } - *off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); - *len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + *off = name_off; + *len = name_len; break; } case SMB2_QUERY_INFO:
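Review bot: the new comparison in the SMB2_CREATE branch, `if (name_off + name_len < (u64)*off + *len)`, deserves a short comment explaining the mixed widths: the left side is two u16 values promoted to int (it cannot wrap), while the cast on the right is what keeps the two 32-bit create-context fields from wrapping before the comparison; without the comment a later cleanup could "simplify" the cast away. Also note that the strict `<` means an exact tie selects the Name region rather than the create-context region; since the two ends coincide the caller's single bound check still covers both, but stating that in a one-line comment next to the `break` would save the next reader from re-deriving it.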
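As an added illustration (not code from the patch or from the kernel), the following C model reproduces the data-area selection before and after the change and applies the caller's bound check to a constructed request whose Name region reaches past the received buffer while the create-context region does not; the struct name, field names and function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical model (not the kernel's struct) of the four SMB2 CREATE
 * fields smb2_get_data_area_len() inspects, already in host byte order. */
struct create_req_model {
    uint16_t name_off;  /* NameOffset */
    uint16_t name_len;  /* NameLength */
    uint32_t cc_off;    /* CreateContextsOffset */
    uint32_t cc_len;    /* CreateContextsLength */
};

/* Pre-fix selection: create contexts win whenever present, so a Name
 * region that extends further is never bounds-checked by the caller. */
void data_area_before(const struct create_req_model *r, uint64_t *off, uint64_t *len)
{
    if (r->cc_len) {
        *off = r->cc_off;
        *len = r->cc_len;
        return;
    }
    *off = r->name_off;
    *len = r->name_len;
}

/* Post-fix selection: the region that ends later is reported, so one
 * bound check on off+len covers both regions. */
void data_area_after(const struct create_req_model *r, uint64_t *off, uint64_t *len)
{
    if (r->cc_len) {
        *off = r->cc_off;
        *len = r->cc_len;
        if (!r->name_len)
            return;
        /* u64 arithmetic so the 32-bit create-context sum cannot wrap */
        if ((uint64_t)r->name_off + r->name_len < (uint64_t)*off + *len)
            return;
    }
    *off = r->name_off;
    *len = r->name_len;
}

/* Stand-in for the caller's check: the selected area must fit in the
 * received buffer. fixed=false uses the pre-fix selection. */
bool request_fits(const struct create_req_model *r, uint64_t buf_len, bool fixed)
{
    uint64_t off, len;
    if (fixed) data_area_after(r, &off, &len); else data_area_before(r, &off, &len);
    return off + len <= buf_len;
}

/* Constructed sample (not a real capture): Name ends at byte 320, create
 * contexts end at byte 184, but only 256 bytes were received. */
const struct create_req_model constructed_bad_req = { 120, 200, 120, 64 };
const uint64_t constructed_buf_len = 256;
```

With the pre-fix selection the constructed request passes the bound check (184 <= 256) even though the Name region runs 64 bytes past the buffer; the post-fix selection reports the Name end and rejects it.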