From patchwork Fri Oct 2 03:49:50 2015
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 7322491
From: Steve French
To: linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Steve French, Steve French, Emese Revfy, Brad Spengler, Stable
Subject: [PATCH] [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
Date: Thu, 1 Oct 2015 22:49:50 -0500
Message-Id: <1443757790-37055-1-git-send-email-smfrench@gmail.com>

The error paths in set_file_size for cifs and smb3 are incorrect.

In the unlikely event that a server did not support set file info of the file size, the code incorrectly falls back to trying SMBWriteX (note that only the original core SMB Write, used for example by DOS, can set the file size this way - this actually does not work for the more recent SMBWriteX). The idea was, since the old DOS SMB Write could set the file size if you write zero bytes at that offset, then use that if the server rejects the normal set file info call.

Fortunately the SMBWriteX will never be sent on the wire (except when file size is zero) since the length and offset fields were reversed in the two places in this function that call SMBWriteX, causing the fall back path to return an error. It is also important to never call an SMB request from an SMB2/SMB3 session (which theoretically would be possible, and can cause a brief session drop, although the client recovers) so this should be fixed. In practice this path does not happen with modern servers but the error fall back to SMBWriteX is clearly wrong.

Removing the calls to SMBWriteX in the error paths in cifs_set_file_size Pointed out by PaX/grsecurity team Signed-off-by: Steve French Reported-by: PaX Team CC: Emese Revfy CC: Brad Spengler CC: Stable --- fs/cifs/inode.c | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c index f621b44..6b66dd5 100644 --- a/fs/cifs/inode.c +++ b/fs/cifs/inode.c @@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs, struct tcon_link *tlink = NULL; struct cifs_tcon *tcon = NULL; struct TCP_Server_Info *server; - struct cifs_io_parms io_parms; /* * To avoid spurious oplock breaks from server, in the case of @@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs, rc = -ENOSYS; cifsFileInfo_put(open_file); cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc); - if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) { - unsigned int bytes_written; - - io_parms.netfid = open_file->fid.netfid; - io_parms.pid = open_file->pid; - io_parms.tcon = tcon; - io_parms.offset = 0; - io_parms.length = attrs->ia_size; - rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, - NULL, NULL, 1); - cifs_dbg(FYI, "Wrt seteof rc %d\n", rc); - } } else rc = -EINVAL; 
@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs, else rc = -ENOSYS; cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc); - if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) { - __u16 netfid; - int oplock = 0; - rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN, - GENERIC_WRITE, CREATE_NOT_DIR, &netfid, - &oplock, NULL, cifs_sb->local_nls, - cifs_remap(cifs_sb)); - if (rc == 0) { - unsigned int bytes_written; - - io_parms.netfid = netfid; - io_parms.pid = current->tgid; - io_parms.tcon = tcon; - io_parms.offset = 0; - io_parms.length = attrs->ia_size; - rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL, - NULL, 1); - cifs_dbg(FYI, "wrt seteof rc %d\n", rc); - CIFSSMBClose(xid, tcon, netfid); - } - } if (tlink) cifs_put_tlink(tlink);
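
Review bot: In the second hunk (@@ -2056,18 +2055,6 @@), the removed call `CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL, NULL, 1)` passes NULL for both arguments after `&bytes_written` while the lines above it set `io_parms.offset = 0` and `io_parms.length = attrs->ia_size`, yet the commit message only says the two fields were "reversed". Since the patch is CCed to Stable, the message should state explicitly that the fallback asked for a write of ia_size bytes at offset 0 with no data buffer, so that backporters can judge the impact on older trees without reading the deleted code.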
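
Review bot: In the third hunk (@@ -2093,28 +2080,7 @@), once the `if ((rc == -EINVAL) || (rc == -EOPNOTSUPP))` block is gone, those two results from the path-based set-EOF are recorded only by `cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc)` before control reaches `cifs_put_tlink(tlink)`. A short code comment at that spot, saying that there is intentionally no legacy SMB Write fallback and that the error is left in rc, would keep the removed `SMBLegacyOpen` / `CIFSSMBWrite` / `CIFSSMBClose` sequence from being reintroduced later; the same comment fits after the "SetFSize for attrs" debug line in the previous hunk.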