From patchwork Mon Feb 5 20:34:02 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1895411
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/1] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
Date: Mon, 5 Feb 2024 14:34:02 -0600
Message-Id: <20240205203402.28665-3-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240205203402.28665-1-bethany.jamison@canonical.com>
References: <20240205203402.28665-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Namjae Jeon

If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
ksmbd_check_message doesn't validate the request buffer correctly.
So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
in smb2_open() could happen.

If ->NameLength is non-zero, set the larger of the two sums (Name and
CreateContext size) as the offset and length of the data area.

Reported-by: Yang Chaoming
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon
Signed-off-by: Steve French
(cherry picked from commit d10c77873ba1e9e6b91905018e29e196fd5f863d)
CVE-2024-22705
Signed-off-by: Bethany Jamison
---
 fs/ksmbd/smb2misc.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 8ef9503c4ab90..97f687f7a1f52 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -107,16 +107,25 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, break; case SMB2_CREATE: { + unsigned short int name_off = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); + unsigned short int name_len = + le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + if (((struct smb2_create_req *)hdr)->CreateContextsLength) { *off = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsOffset); *len = le32_to_cpu(((struct smb2_create_req *) hdr)->CreateContextsLength); - break; + if (!name_len) + break; + + if (name_off + name_len < (u64)*off + *len) + break; } - *off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); - *len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); + *off = name_off; + *len = name_len; break; } case SMB2_QUERY_INFO:
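Review bot: the `(u64)` cast in `if (name_off + name_len < (u64)*off + *len)` is the only thing stopping a hostile CreateContextsOffset/CreateContextsLength pair from wrapping the 32-bit sum below the name extent, and nothing in the hunk says so; a one-line comment above that test explaining that the later-ending of the two extents is reported so the caller's single bounds check covers both would save the next reader a trip to the commit message. Two style nits for the same block: kernel code would normally spell `unsigned short int` as `u16`, and a local `struct smb2_create_req *req = (struct smb2_create_req *)hdr;` at the top of the `case SMB2_CREATE:` block would remove the five repeated casts.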
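As an added illustration of the bug the commit message describes (example code written for this page, not ksmbd's own code): a host-order stand-in for the SMB2 CREATE header fields, the data-area selection before and after the patch, and a caller-style bounds check run over two constructed requests. The struct name `create_req`, the function names, the 256-byte PDU size and the sample offsets are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the smb2_create_req fields the check reads (host byte order). */
struct create_req {
	uint16_t NameOffset, NameLength;
	uint32_t CreateContextsOffset, CreateContextsLength;
};

/* Before the fix: once create contexts are present, the name extent is never reported. */
static void data_area_old(const struct create_req *r, uint32_t *off, uint32_t *len)
{
	if (r->CreateContextsLength) {
		*off = r->CreateContextsOffset;
		*len = r->CreateContextsLength;
		return;
	}
	*off = r->NameOffset;
	*len = r->NameLength;
}

/* After the fix: report whichever extent ends later, so one off + len check covers both;
 * the 64-bit sum on the right keeps a hostile offset/length pair from wrapping below the name. */
static void data_area_new(const struct create_req *r, uint32_t *off, uint32_t *len)
{
	uint16_t name_off = r->NameOffset, name_len = r->NameLength;
	if (r->CreateContextsLength) {
		*off = r->CreateContextsOffset;
		*len = r->CreateContextsLength;
		if (!name_len)
			return;
		if (name_off + name_len < (uint64_t)*off + *len)
			return;
	}
	*off = name_off;
	*len = name_len;
}

/* The caller's check in spirit: true when the reported data area ends within pdu_len bytes. */
static bool request_fits(const struct create_req *r, uint32_t pdu_len, bool fixed)
{
	uint32_t off = 0, len = 0;
	fixed ? data_area_new(r, &off, &len) : data_area_old(r, &off, &len);
	return (uint64_t)off + len <= pdu_len;
}

/* Constructed samples for a 256-byte PDU; the first claims a name running to byte 320. */
static const struct create_req sample_malformed = { 120, 200, 120, 16 };
static const struct create_req sample_ok = { 120, 16, 136, 16 };
```

With the old selection the malformed request passes the length check because only the 16-byte create-context extent is reported, while the name it points at runs 64 bytes past the PDU; the fixed selection reports the name extent instead and the same check rejects it.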