From patchwork Mon Jan 29 21:49:41 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1892514
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal/Jammy][PATCH 1/1] smb: client: fix OOB in receive_encrypted_standard()
Date: Mon, 29 Jan 2024 16:49:41 -0500
Message-Id: <20240129214942.75557-2-yuxuan.luo@canonical.com>
In-Reply-To: <20240129214942.75557-1-yuxuan.luo@canonical.com>
References: <20240129214942.75557-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions

From: Paulo Alcantara

Fix potential OOB in receive_encrypted_standard() if server returned a
large shdr->NextCommand that would end up writing off the end of
@next_buffer.

Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
Cc: stable@vger.kernel.org
Reported-by: Robert Morris
Signed-off-by: Paulo Alcantara (SUSE)
Signed-off-by: Steve French
(backported from commit eec04ea119691e65227a97ce53c0da6b9b74b0b7)
[yuxuan.luo: There exists a prerequisite commit 0d35e382e4e9 ("cifs: Create a new shared file holding smb2 pdu definitions"). Although the bottom half of the struct smb2_sync_hdr definition has been modified, this CVE-relevant part remains untouched. It is acceptable to skip this patch and ignore the struct conflict.]
CVE-2024-0565
Signed-off-by: Yuxuan Luo
---
 fs/cifs/smb2ops.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index df200497aa5b9..bacbe8eaebfba 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4381,6 +4381,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server, struct smb2_sync_hdr *shdr; unsigned int pdu_length = server->pdu_size; unsigned int buf_size; + unsigned int next_cmd; struct mid_q_entry *mid_entry; int next_is_large; char *next_buffer = NULL; @@ -4409,14 +4410,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server, next_is_large = server->large_buf; one_more: shdr = (struct smb2_sync_hdr *)buf; - if (shdr->NextCommand) { + next_cmd = le32_to_cpu(shdr->NextCommand); + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; if (next_is_large) next_buffer = (char *)cifs_buf_get(); else next_buffer = (char *)cifs_small_buf_get(); - memcpy(next_buffer, - buf + le32_to_cpu(shdr->NextCommand), - pdu_length - le32_to_cpu(shdr->NextCommand)); + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); } mid_entry = smb2_find_mid(server, buf); @@ -4440,8 +4442,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server, else ret = cifs_handle_standard(server, mid_entry); - if (ret == 0 && shdr->NextCommand) { - pdu_length -= le32_to_cpu(shdr->NextCommand); + if (ret == 0 && next_cmd) { + pdu_length -= next_cmd; server->large_buf = next_is_large; if (next_is_large) server->bigbuf = buf = next_buffer;
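Review bot: in the second hunk, `if (WARN_ON_ONCE(next_cmd > pdu_length))` wraps a value that comes straight off the wire from the server, so a buggy or hostile server can raise a kernel WARN splat on demand (and a reboot where panic_on_warn is set); a rate-limited pr_warn_ratelimited() or cifs debug message followed by the same `return -1;` rejects the malformed compound response without turning peer-controlled input into a warning. Placing the check ahead of cifs_buf_get()/cifs_small_buf_get() is right, since the early return then has nothing to free.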
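Review bot: in the third hunk, `pdu_length -= next_cmd;` combined with the `>` comparison of the new check still admits `next_cmd == pdu_length`, which copies zero bytes into next_buffer and leaves pdu_length at 0 when the function continues with `buf = next_buffer`; consider rejecting that case as well, or requiring that at least a full smb2_sync_hdr remain past next_cmd, so a chain cannot end in an empty PDU. Reading NextCommand once into next_cmd and reusing it here does keep the copy and the length bookkeeping on a single value instead of re-reading the header after the mid has been dispatched, which is an improvement over the removed lines.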
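The condition the commit message describes, as an added user-space C example that is not part of this patch or of the kernel's cifs code: a walker over a compound SMB2 response that applies the same NextCommand-against-pdu_length check as the fix, and additionally (an assumption of this example, stricter than the patch) requires a full 64-byte header to remain for each PDU. Header offsets follow the SMB2 header layout; the sample PDUs are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SMB2 header: 64 bytes, NextCommand is the little-endian u32 at byte 20
 * (the field the patch reads via le32_to_cpu(shdr->NextCommand)). */
#define SMB2_HDR_SIZE    64
#define SMB2_NEXTCMD_OFF 20

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a compound response as the patched receive_encrypted_standard() does:
 * NextCommand is validated against the bytes still in the buffer before the
 * tail (pdu_length - next_cmd bytes) would be copied anywhere.
 * Returns the number of PDUs in the chain, or -1 if the chain leaves the buffer. */
int walk_compound(const uint8_t *buf, size_t pdu_length)
{
    int count = 0;
    for (;;) {
        uint32_t next_cmd;
        if (pdu_length < SMB2_HDR_SIZE)   /* stricter than the patch: need a full header */
            return -1;
        next_cmd = rd_le32(buf + SMB2_NEXTCMD_OFF);
        count++;
        if (!next_cmd)
            return count;                  /* last PDU of the chain */
        /* The fix's check: without it pdu_length - next_cmd wraps and the memcpy
         * of the tail runs past the end of next_buffer. */
        if (next_cmd > pdu_length)
            return -1;
        buf += next_cmd;
        pdu_length -= next_cmd;
    }
}

/* Constructed 64-byte header: ProtocolId, StructureSize, NextCommand; rest zero. */
static void build_hdr(uint8_t *p, uint32_t next_cmd)
{
    memset(p, 0, SMB2_HDR_SIZE);
    memcpy(p, "\xfeSMB", 4);
    p[4] = SMB2_HDR_SIZE;
    for (int i = 0; i < 4; i++)
        p[SMB2_NEXTCMD_OFF + i] = (uint8_t)(next_cmd >> (8 * i));
}

/* 128-byte buffer with two chained PDUs; the caller supplies the first NextCommand:
 * 64 is a valid chain (returns 2), 0x10000 or 128 is rejected (returns -1). */
int demo_chain(uint32_t first_next_cmd)
{
    uint8_t b[2 * SMB2_HDR_SIZE];
    build_hdr(b, first_next_cmd);
    build_hdr(b + SMB2_HDR_SIZE, 0);
    return walk_compound(b, sizeof b);
}
```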