From patchwork Wed Jul 17 20:13:09 2019
X-Patchwork-Submitter: "Guilherme G. Piccoli"
X-Patchwork-Id: 1133412
From: "Guilherme G. Piccoli"
To: kernel-team@lists.ubuntu.com
Subject: [SRU B/D][PATCH 1/1] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
Date: Wed, 17 Jul 2019 17:13:09 -0300
Message-Id: <20190717201309.15162-2-gpiccoli@canonical.com>
In-Reply-To: <20190717201309.15162-1-gpiccoli@canonical.com>
References: <20190717201309.15162-1-gpiccoli@canonical.com>
List-Id: Kernel team discussions
Cc: gpiccoli@canonical.com
From: Christoph Probst

BugLink: https://bugs.launchpad.net/bugs/1824981

Change strcat to strncpy in the "None" case to fix a buffer overflow when
cinode->oplock is reset to 0 by another thread accessing the same cinode.
It is never valid to append "None" to any other message.

Consolidate multiple writes to cinode->oplock to reduce raciness.

Signed-off-by: Christoph Probst
Reviewed-by: Pavel Shilovsky
Signed-off-by: Steve French
CC: Stable
(cherry picked from commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb)
Signed-off-by: Guilherme G. Piccoli
Acked-by: Stefan Bader
Acked-by: Marcelo Henrique Cerri
---
 fs/cifs/smb2ops.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index f5eeecb5cbc3..24835e002941 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1933,26 +1933,28 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, unsigned int epoch, bool *purge_cache) { char message[5] = {0}; + unsigned int new_oplock = 0; oplock &= 0xFF; if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) return; - cinode->oplock = 0; if (oplock & SMB2_LEASE_READ_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_READ_FLG; + new_oplock |= CIFS_CACHE_READ_FLG; strcat(message, "R"); } if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_HANDLE_FLG; + new_oplock |= CIFS_CACHE_HANDLE_FLG; strcat(message, "H"); } if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_WRITE_FLG; + new_oplock |= CIFS_CACHE_WRITE_FLG; strcat(message, "W"); } - if (!cinode->oplock) - strcat(message, "None"); + if (!new_oplock) + strncpy(message, "None", sizeof(message)); + + cinode->oplock = new_oplock; cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, &cinode->vfs_inode); }
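Review bot: the new `strncpy(message, "None", sizeof(message));` in the final hunk is only terminated because "None" is exactly four characters and `message` is `char message[5]`; strncpy writes no terminator when the source fills the bound, so any later change to the literal or to the array size would leave an unterminated string that the following `cifs_dbg(FYI, "%s Lease granted ...", message, ...)` reads past. Consider `strscpy(message, "None", sizeof(message));`, which always terminates, or avoid the copy entirely by selecting a `const char *` for the "None" case. The substantive fix is right: the removed `- if (!cinode->oplock)` took the "None" decision on the shared field after three separate `cinode->oplock |= ...` writes, so a concurrent reset to 0 made strcat append "None" to an already-built "RHW", seven characters plus terminator into a five-byte stack buffer; deciding on the local `new_oplock` closes that, and the single `+ cinode->oplock = new_oplock;` store also means other readers no longer observe the transient 0 that the removed `- cinode->oplock = 0;` used to publish. As the commit message says, this reduces rather than removes the raciness: the store is still unordered with respect to readers of `cinode->oplock` elsewhere.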
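Added example, not part of the patch or of the kernel tree: a user-space model of the race the commit message describes and of the effect of the fix. `old_path()` mirrors the removed logic and `new_path()` the added logic; `race` models another thread resetting the shared `oplock` field to 0 after the flag bits were written. The bit values of the `SMB2_LEASE_*_HE` and `CIFS_CACHE_*_FLG` macros and the `struct cinode` stand-in are assumptions made for the demo, and the old path builds into an oversized scratch buffer so the demonstration measures how many bytes strcat would have written instead of corrupting the stack.

```c
/* Model of the strcat overflow in smb21_set_oplock_level() and of the fix.
 * Stand-alone demo, not kernel code. The macro values below are ASSUMED for
 * the demo; the real ones live in fs/cifs/smb2pdu.h and fs/cifs/cifsglob.h. */
#include <stdio.h>
#include <string.h>

#define SMB2_LEASE_READ_CACHING_HE   0x01
#define SMB2_LEASE_HANDLE_CACHING_HE 0x02
#define SMB2_LEASE_WRITE_CACHING_HE  0x04
#define SMB2_OPLOCK_LEVEL_NOCHANGE   0xFF
#define CIFS_CACHE_READ_FLG   1
#define CIFS_CACHE_HANDLE_FLG 2
#define CIFS_CACHE_WRITE_FLG  4

#define MESSAGE_SIZE 5 /* char message[5] in the kernel: "RHW"+NUL fits, "RHWNone" does not */

struct cinode { unsigned int oplock; }; /* hypothetical stand-in for cifsInodeInfo */

struct result {
    size_t bytes_needed;       /* strlen(text) + 1: what strcat wrote into message[] */
    unsigned int final_oplock; /* value left in the shared field */
    char text[16];             /* oversized scratch so the demo never overflows for real */
};

static int message_fits(struct result r) { return r.bytes_needed <= MESSAGE_SIZE; }
static int message_is(struct result r, const char *s) { return strcmp(r.text, s) == 0; }

/* Pre-fix logic. race == 1 models another thread storing 0 to cinode->oplock
 * after the flag bits were OR'd in but before the "None" check. */
static struct result old_path(unsigned int oplock, int race)
{
    struct cinode c = { 0xdead };
    struct result r = { 0, 0, {0} };
    oplock &= 0xFF;
    if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) { r.final_oplock = c.oplock; return r; }
    c.oplock = 0;                                   /* transient 0 visible to readers */
    if (oplock & SMB2_LEASE_READ_CACHING_HE)   { c.oplock |= CIFS_CACHE_READ_FLG;   strcat(r.text, "R"); }
    if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { c.oplock |= CIFS_CACHE_HANDLE_FLG; strcat(r.text, "H"); }
    if (oplock & SMB2_LEASE_WRITE_CACHING_HE)  { c.oplock |= CIFS_CACHE_WRITE_FLG;  strcat(r.text, "W"); }
    if (race) c.oplock = 0;                         /* concurrent reset of the shared field */
    if (!c.oplock) strcat(r.text, "None");          /* decision on shared state: "RHW" + "None" */
    r.bytes_needed = strlen(r.text) + 1;
    r.final_oplock = c.oplock;
    return r;
}

/* Post-fix logic: accumulate in a local, copy "None" with a bound instead of
 * appending, and publish cinode->oplock with a single store. */
static struct result new_path(unsigned int oplock, int race)
{
    struct cinode c = { 0xdead };
    struct result r = { 0, 0, {0} };
    char message[MESSAGE_SIZE] = {0};
    unsigned int new_oplock = 0;
    oplock &= 0xFF;
    if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) { r.final_oplock = c.oplock; return r; }
    if (oplock & SMB2_LEASE_READ_CACHING_HE)   { new_oplock |= CIFS_CACHE_READ_FLG;   strcat(message, "R"); }
    if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { new_oplock |= CIFS_CACHE_HANDLE_FLG; strcat(message, "H"); }
    if (oplock & SMB2_LEASE_WRITE_CACHING_HE)  { new_oplock |= CIFS_CACHE_WRITE_FLG;  strcat(message, "W"); }
    if (race) c.oplock = 0;                         /* same interference; new_oplock is unaffected */
    if (!new_oplock) strncpy(message, "None", sizeof(message)); /* overwrite, never append */
    c.oplock = new_oplock;                          /* one store, no transient 0 */
    r.bytes_needed = strlen(message) + 1;
    r.final_oplock = c.oplock;
    strcpy(r.text, message);
    return r;
}

int main(void)
{
    struct result a = old_path(0x07, 1), b = new_path(0x07, 1);
    printf("old, raced: \"%s\" needs %zu bytes of a %d-byte buffer -> %s\n",
           a.text, a.bytes_needed, MESSAGE_SIZE, message_fits(a) ? "ok" : "OVERFLOW");
    printf("new, raced: \"%s\" needs %zu bytes, cinode->oplock=%u\n",
           b.text, b.bytes_needed, b.final_oplock);
    return 0;
}
```

Run without arguments: with a full RHW lease and the simulated reset, the old path needs 8 bytes for "RHWNone" against a 5-byte buffer, while the new path logs "RHW" and leaves the field at 7 regardless of the interference.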