AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
f9a6661009
kernel_optimize_test/fs/cifs
History
Paulo Alcantara edefc4b2a8 cifs: fix NULL ptr dereference in smb2_ioctl_query_info() 
commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.

When calling smb2_ioctl_query_info() with invalid
smb_query_info::flags, a NULL ptr dereference is triggered when trying
to kfree() uninitialised rqst[n].rq_iov array.

This also fixes leaked paths that are created in SMB2_open_init()
which required SMB2_open_free() to properly free them.

Here is a small C reproducer that triggers it

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/ioctl.h>

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc < 2)
			exit(1);
		fd = open(argv[1], O_RDONLY);
		if (fd == -1)
			die("open");
		if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
			die("ioctl");
		close(fd);
		return 0;
	}

	mount.cifs //srv/share /mnt -o ...
	gcc repro.c && ./a.out /mnt/f0

	[ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
	[ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
	[ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	[ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
	[ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
	[ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
	[ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
	[ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
	[ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
	[ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
	[ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
	[ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
	[ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
	[ 1832.131485] FS:  00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
	[ 1832.131993] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
	[ 1832.132801] Call Trace:
	[ 1832.132962]  <TASK>
	[ 1832.133104]  ? smb2_query_reparse_tag+0x890/0x890 [cifs]
	[ 1832.133489]  ? cifs_mapchar+0x460/0x460 [cifs]
	[ 1832.133822]  ? rcu_read_lock_sched_held+0x3f/0x70
	[ 1832.134125]  ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
	[ 1832.134502]  ? lock_downgrade+0x6f0/0x6f0
	[ 1832.134760]  ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
	[ 1832.135170]  ? smb2_check_message+0x1080/0x1080 [cifs]
	[ 1832.135545]  cifs_ioctl+0x1577/0x3320 [cifs]
	[ 1832.135864]  ? lock_downgrade+0x6f0/0x6f0
	[ 1832.136125]  ? cifs_readdir+0x2e60/0x2e60 [cifs]
	[ 1832.136468]  ? rcu_read_lock_sched_held+0x3f/0x70
	[ 1832.136769]  ? __rseq_handle_notify_resume+0x80b/0xbe0
	[ 1832.137096]  ? __up_read+0x192/0x710
	[ 1832.137327]  ? __ia32_sys_rseq+0xf0/0xf0
	[ 1832.137578]  ? __x64_sys_openat+0x11f/0x1d0
	[ 1832.137850]  __x64_sys_ioctl+0x127/0x190
	[ 1832.138103]  do_syscall_64+0x3b/0x90
	[ 1832.138378]  entry_SYSCALL_64_after_hwframe+0x44/0xae
	[ 1832.138702] RIP: 0033:0x7fcee9a253df
	[ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
	[ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	[ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
	[ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
	[ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
	[ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
	[ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
	[ 1832.142851]  </TASK>
	[ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:39:53 +02:00
..
asn1.c cifs: remove bogus debug code 2020-10-22 12:17:52 -05:00
cache.c
cifs_debug.c
cifs_debug.h
cifs_dfs_ref.c cifs: prevent NULL deref in cifs_compose_mount_options() 2021-07-25 14:36:17 +02:00
cifs_fs_sb.h
cifs_ioctl.h
cifs_spnego.c
cifs_spnego.h
cifs_unicode.c CIFS: Fix a potencially linear read overflow 2021-09-15 09:50:43 +02:00
cifs_unicode.h
cifs_uniupr.h
cifsacl.c cifs: fix a memleak with modefromsid 2020-11-15 23:05:33 -06:00
cifsacl.h
cifsencrypt.c
cifsfs.c cifs: fix double free race when mount fails in cifs_get_root() 2022-03-08 19:09:29 +01:00
cifsfs.h cifs: update internal module version number 2020-10-23 23:41:49 -05:00
cifsglob.h cifs: fix missing spinlock around update to ses->status 2021-07-14 16:56:01 +02:00
cifspdu.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
cifsproto.h SMB3.1.1: Fix ids returned in POSIX query dir 2020-10-20 11:51:24 -05:00
cifsroot.c
cifssmb.c
connect.c cifs: fix incorrect check for null pointer in header_assemble 2021-09-30 10:10:59 +02:00
dfs_cache.c cifs: check pointer before freeing 2021-01-19 18:27:19 +01:00
dfs_cache.h
dir.c cifs: report error instead of invalid when revalidating a dentry fails 2021-02-10 09:29:17 +01:00
dns_resolve.c
dns_resolve.h
export.c
file.c smb3: do not error on fsync when readonly 2021-12-01 09:19:08 +01:00
fs_context.c cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fs_context.h cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fscache.c
fscache.h
inode.c new helper: inode_wrong_type() 2021-09-08 08:49:01 +02:00
ioctl.c
Kconfig
link.c
Makefile cifs: add files to host new mount api 2020-10-22 12:16:24 -05:00
misc.c
netmisc.c
nterr.c
nterr.h
ntlmssp.h
readdir.c SMB3: add support for recognizing WSL reparse tags 2020-10-22 12:17:59 -05:00
rfc1002pdu.h
sess.c cifs: fix wrong release in sess_alloc_buffer() failed path 2021-09-18 13:40:32 +02:00
smb1ops.c
smb2file.c
smb2glob.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smb2inode.c cifs: do not send close in compound create+close requests 2021-03-17 17:06:28 +01:00
smb2maperror.c cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES 2020-10-15 23:58:14 -05:00
smb2misc.c cifs: Silently ignore unknown oplock break handle 2021-04-10 13:36:10 +02:00
smb2ops.c cifs: fix NULL ptr dereference in smb2_ioctl_query_info() 2022-04-08 14:39:53 +02:00
smb2pdu.c smb3: correct smb3 ACL security descriptor 2021-10-09 14:40:57 +02:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-10 09:29:17 +01:00
smb2proto.h cifs: do not send close in compound create+close requests 2021-03-17 17:06:28 +01:00
smb2status.h
smb2transport.c cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smbdirect.c
smbdirect.h
smbencrypt.c
smberr.h
smbfsctl.h smb3: add some missing definitions from MS-FSCC 2020-10-23 15:38:10 -05:00
trace.c
trace.h smb3: add dynamic trace point to trace when credits obtained 2020-10-20 11:50:42 -05:00
transport.c cifs: change noisy error message to FYI 2021-03-30 14:31:50 +02:00
winucase.c
xattr.c