From patchwork Mon Sep 10 11:12:07 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 10593933
Return-Path: <linux-cifs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3E3B3109C
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Mon, 10 Sep 2018 11:12:37 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2C3DA28E53
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Mon, 10 Sep 2018 11:12:37 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 2013A28E5A; Mon, 10 Sep 2018 11:12:37 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C941928E53
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Mon, 10 Sep 2018 11:12:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727840AbeIJQGI (ORCPT
        <rfc822;patchwork-cifs-client@patchwork.kernel.org>);
        Mon, 10 Sep 2018 12:06:08 -0400
Received: from userp2130.oracle.com ([156.151.31.86]:34204 "EHLO
        userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727674AbeIJQGI (ORCPT
        <rfc822;linux-cifs@vger.kernel.org>); Mon, 10 Sep 2018 12:06:08 -0400
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1])
        by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id
 w8AB9KOv185731;
        Mon, 10 Sep 2018 11:12:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
 h=date : from : to : cc
 : subject : message-id : mime-version : content-type : in-reply-to;
 s=corp-2018-07-02; bh=xbHb/VrG4VTPvGoANAl2olI3Ta6e5u+okHoV2RAHiww=;
 b=WvRI8UUqC0zo/FDVzrFzmB5wSupHSvZVpHzWjpjWsrtQdDE3yQ4PX8qj5u9flW/kHj3o
 aBHSJ4jCDuIa5fJ5cHdG7WWIdGB/AVamIvCOELdW4Y31RDAehJF5XRsvT7SH7r0ZGopr
 nnYe5cTz6z9K4VL2ZzFzNDicELka3urdjIQd555YknTH+3afJezzGi4crq9MQklSYQ1X
 ZGZ/LqtEg/SMa1cc6NYcDR+zbB1Tvp8DaIlgGTP4HLu1nW7zj4TtLy3u3YuDqh/9VsXE
 hOFbnQCN8yigzxEnHggjGrH714AuJMrCJAn8kVMeam2onv0oilEbznqYJ/0kbTF2pG+o pQ==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74])
        by userp2130.oracle.com with ESMTP id 2mc5ut5dbw-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=OK);
        Mon, 10 Sep 2018 11:12:15 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])
        by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w8ABCFdu029457
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
 verify=OK);
        Mon, 10 Sep 2018 11:12:15 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9])
        by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w8ABCEtC029873;
        Mon, 10 Sep 2018 11:12:14 GMT
Received: from kili.mountain (/197.232.248.111)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Mon, 10 Sep 2018 04:12:14 -0700
Date: Mon, 10 Sep 2018 14:12:07 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
        kernel-janitors@vger.kernel.org, YueHaibing <yuehaibing@huawei.com>
Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl()
Message-ID: <20180910111207.r2uqce4ie7ee7fsh@kili.mountain>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1536543186-182076-1-git-send-email-yuehaibing@huawei.com>
X-Mailer: git-send-email haha only kidding
User-Agent: NeoMutt/20170113 (1.7.2)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9011
 signatures=668708
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0
 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1807170000 definitions=main-1809100116
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index c08acfc77abc..8b54cd282d9c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	/* We check for obvious errors in the output buffer length and offset */
 	if (*plen == 0)
 		goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
 		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
 		*plen = 0;
 		rc = -EIO;
 		goto ioctl_exit;
 	}
 
-	if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
 		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
 			le32_to_cpu(rsp->OutputOffset));
 		*plen = 0;