From patchwork Mon Jan 29 21:49:42 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1892515
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][PATCH 1/1] smb: client: fix OOB in receive_encrypted_standard()
Date: Mon, 29 Jan 2024 16:49:42 -0500
Message-Id: <20240129214942.75557-3-yuxuan.luo@canonical.com>
In-Reply-To: <20240129214942.75557-1-yuxuan.luo@canonical.com>
References: <20240129214942.75557-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions

From: Paulo Alcantara

Fix potential OOB in receive_encrypted_standard() if server returned a
large shdr->NextCommand that would end up writing off the end of
@next_buffer.

Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris
Signed-off-by: Paulo Alcantara (SUSE)
Signed-off-by: Steve French
(cherry picked from commit eec04ea119691e65227a97ce53c0da6b9b74b0b7)
CVE-2024-0565
Signed-off-by: Yuxuan Luo
---
 fs/smb/client/smb2ops.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index c66074977dfcd..199e69c4d2e56 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -5049,6 +5049,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server, struct smb2_hdr *shdr; unsigned int pdu_length = server->pdu_size; unsigned int buf_size; + unsigned int next_cmd; struct mid_q_entry *mid_entry; int next_is_large; char *next_buffer = NULL; 
@@ -5077,14 +5078,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server, next_is_large = server->large_buf; one_more: shdr = (struct smb2_hdr *)buf; - if (shdr->NextCommand) { + next_cmd = le32_to_cpu(shdr->NextCommand); + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; if (next_is_large) next_buffer = (char *)cifs_buf_get(); else next_buffer = (char *)cifs_small_buf_get(); - memcpy(next_buffer, - buf + le32_to_cpu(shdr->NextCommand), - pdu_length - le32_to_cpu(shdr->NextCommand)); + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); } mid_entry = smb2_find_mid(server, buf); @@ -5108,8 +5110,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server, else ret = cifs_handle_standard(server, mid_entry); - if (ret == 0 && shdr->NextCommand) { - pdu_length -= le32_to_cpu(shdr->NextCommand); + if (ret == 0 && next_cmd) { + pdu_length -= next_cmd; server->large_buf = next_is_large; if (next_is_large) server->bigbuf = buf = next_buffer;
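Review bot: in the NextCommand hunk (@@ -5077,14 +5078,15 @@) the bound `if (WARN_ON_ONCE(next_cmd > pdu_length))` closes the overrun, because the old length argument `pdu_length - le32_to_cpu(shdr->NextCommand)` is an unsigned subtraction that wraps to a value close to 4 GiB whenever NextCommand exceeds pdu_length, but two points are worth tightening. First, `next_cmd == pdu_length` still passes the check, producing a zero-length memcpy and, after `pdu_length -= next_cmd` in the last hunk, a zero-length PDU on the next pass through `one_more:`; `>=` would reject that case at this point instead of relying on whatever checks follow, and neither bound guarantees that at least one struct smb2_hdr fits after the offset. Second, WARN_ON_ONCE fires on server-controlled input, so a malicious or buggy server can trigger a kernel warning on the client (a panic where panic_on_warn is set); a cifs_server_dbg()-style message is the usual way to log a malformed response in this file. The early `return -1` sits before the cifs_buf_get()/cifs_small_buf_get() call, so nothing is leaked on the rejection path.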
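Review bot: in the last hunk (@@ -5108,8 +5110,8 @@) the switch from re-reading `shdr->NextCommand` to the cached `next_cmd` deserves a sentence in the commit message, since it is not a cosmetic change: `buf` has already been handed to cifs_handle_standard()/the decrypt handler through `mid_entry` before `if (ret == 0 && next_cmd)` runs, so re-reading the header field there would depend on that buffer still being intact. Separately, when `ret != 0` while `next_cmd` is non-zero, the `next_buffer` obtained in the previous hunk is not released anywhere in the lines shown; please confirm the error path frees it (pre-existing behaviour, but this patch touches the condition that guards the hand-off to `server->bigbuf`).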
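The overrun the commit message describes, as an added userspace C model that is not part of this patch or of the kernel tree: it walks a constructed two-command compound the way the fixed receive_encrypted_standard() does, shows why the pre-fix length expression `pdu_length - NextCommand` wraps when the server sends a NextCommand larger than the PDU, and applies the patch's `next_cmd > pdu_length` bound. SMB2_HDR_SIZE, NEXT_CMD_OFF (20 is taken here as an assumption for the position of the le32 NextCommand field), NEXT_BUF_SIZE and the helper functions are all assumptions made for the demo, not code or constants from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_SIZE 64u   /* assumed: on-wire size of an SMB2 header */
#define NEXT_CMD_OFF  20u   /* assumed: offset of the le32 NextCommand field */
#define NEXT_BUF_SIZE 256u  /* assumed: size of the preallocated "next" buffer */

static uint32_t le32_at(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;
	p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16);
	p[3] = (uint8_t)(v >> 24);
}

/* The pre-fix length argument: memcpy(next_buffer, buf + NextCommand,
 * pdu_length - NextCommand). Both operands are unsigned int, so any
 * NextCommand larger than pdu_length wraps to a length close to 4 GiB. */
static uint32_t copy_len_unchecked(uint32_t pdu_length, uint32_t next_cmd)
{
	return pdu_length - next_cmd;
}

/* 1 if that unchecked copy would run past a NEXT_BUF_SIZE-byte next_buffer. */
static int would_overrun(uint32_t pdu_length, uint32_t next_cmd)
{
	return copy_len_unchecked(pdu_length, next_cmd) > NEXT_BUF_SIZE;
}

/* Hardened walk over a compounded response, modelled on the fixed function.
 * Returns the number of commands in the chain, or -1 when the PDU is rejected.
 * The (next_cmd > pdu_length) test is the patch's check; the runt test at the
 * top of the loop is an extra guard added for this demo, and it is what
 * rejects the next_cmd == pdu_length case that the patch's bound lets through. */
static int walk_compound(const uint8_t *pdu, uint32_t pdu_length)
{
	uint8_t bufs[2][NEXT_BUF_SIZE];
	const uint8_t *buf;
	int idx = 0, cmds = 0;

	if (pdu_length > NEXT_BUF_SIZE)
		return -1;
	memcpy(bufs[0], pdu, pdu_length);
	buf = bufs[0];

	for (;;) {
		uint32_t next_cmd;
		uint8_t *next_buffer;

		if (pdu_length < SMB2_HDR_SIZE)
			return -1;                /* not even a full header left */
		next_cmd = le32_at(buf + NEXT_CMD_OFF);
		cmds++;
		if (!next_cmd)
			return cmds;              /* last command in the chain */
		if (next_cmd > pdu_length)
			return -1;                /* the CVE-2024-0565 bound */
		next_buffer = bufs[idx ^ 1];
		memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
		pdu_length -= next_cmd;       /* same arithmetic, now known to be in range */
		buf = next_buffer;
		idx ^= 1;
	}
}

/* Constructed sample: a two-command compound of 96 + 80 bytes (176 total),
 * with the first header's NextCommand set to the value under test. */
static uint32_t build_compound(uint8_t *out, uint32_t first_next_cmd)
{
	memset(out, 0, 176);
	put_le32(out + NEXT_CMD_OFF, first_next_cmd);  /* header of command 1 */
	put_le32(out + 96 + NEXT_CMD_OFF, 0);          /* command 2 is the last one */
	return 176;
}

/* Verdict of the hardened walk for a compound whose first NextCommand is v. */
static int scenario(uint32_t v)
{
	uint8_t pdu[NEXT_BUF_SIZE];
	uint32_t len = build_compound(pdu, v);
	return walk_compound(pdu, len);
}

int main(void)
{
	uint32_t evil = 0x10000;
	printf("honest NextCommand=96: %d commands\n", scenario(96));
	printf("evil NextCommand=0x%x: verdict %d, unchecked copy length %u (overrun=%d)\n",
	       evil, scenario(evil), copy_len_unchecked(176, evil), would_overrun(176, evil));
	return 0;
}
```

The interesting value is copy_len_unchecked(176, 0x10000): the subtraction wraps to 4294901936 bytes, which is the memcpy length the pre-fix code would have passed, against a next_buffer that is only a few hundred bytes (or one page) long. The hardened walk returns -1 for that PDU, and also for NextCommand == 176 through the demo's runt guard, while the honest chain yields 2 commands.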