
cifs: Fix OOB read in parse_server_interfaces()

Message ID 20221117154555.2973509-1-zhangxiaoxu5@huawei.com (mailing list archive)
State New, archived

Commit Message

Zhang Xiaoxu Nov. 17, 2022, 3:45 p.m. UTC
There is an OOB read in parse_server_interfaces when mount.cifs is run with rdma:

  BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80
  Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402

  CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   kasan_check_range+0x145/0x1a0
   parse_server_interfaces+0x9ca/0xb80
   SMB3_request_interfaces+0x174/0x1e0
   smb3_qfs_tcon+0x150/0x2a0
   mount_get_conns+0x218/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 1402:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   __kmalloc_node_track_caller+0x60/0x140
   kmemdup+0x22/0x50
   SMB2_ioctl+0x58d/0x5d0
   SMB3_request_interfaces+0xcd/0x1e0
   smb3_qfs_tcon+0x150/0x2a0
   mount_get_conns+0x218/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

If all the interfaces have been decoded from the message, we should not check whether
there is a next one; otherwise there will be an OOB read.

Let's just check the bytes not yet decoded to determine whether
there is a next interface.

Fixes: aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
 fs/cifs/smb2ops.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
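To make the bug class concrete, here is an added illustration (it is not the kernel's code and not part of this patch): a cut-down model of the record walk in parse_server_interfaces(). Each record begins with a Next field giving the byte offset of the following record, 0 marking the last one. The struct layout, field names, builder helper and sample buffers are assumptions constructed for this demo; the kernel's struct network_interface_info_ioctl_rsp is larger and its fields are little-endian (le32_to_cpu), which is omitted here. The point it shows is the one the commit message makes: once the loop has consumed the buffer, p may sit exactly at buf + len, so the "incomplete" decision has to come from the remaining byte count, never from dereferencing p again.

```c
/*
 * Added illustration, not fs/cifs/smb2ops.c: a simplified model of the
 * interface-record chain walk. Layout and names are assumptions for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct iface_rec {
    uint32_t next;    /* offset to the next record, 0 for the last one */
    uint32_t ifindex; /* stand-in for the real interface payload */
};

struct parse_result {
    int count;         /* records decoded */
    size_t bytes_left; /* undecoded bytes after the last record */
    int malformed;     /* a Next offset pointed outside the buffer */
};

/*
 * Walk the chain using only bytes_left to decide when to stop. After the
 * loop p may point exactly at buf + len, so it must not be dereferenced:
 * the "incomplete" decision is taken from bytes_left alone, which is what
 * the patch changes the kernel's post-loop check to do.
 */
static struct parse_result parse_ifaces(const uint8_t *buf, size_t len)
{
    struct parse_result r = { 0, len, 0 };
    const uint8_t *p = buf;

    while (r.bytes_left >= sizeof(struct iface_rec)) {
        struct iface_rec rec;

        memcpy(&rec, p, sizeof rec); /* no unaligned access into buf */
        r.count++;
        if (rec.next == 0) {
            r.bytes_left -= sizeof rec; /* last record consumed */
            break;
        }
        /* Next must skip at least this record and stay inside the buffer */
        if (rec.next < sizeof rec || rec.next > r.bytes_left) {
            r.malformed = 1;
            break;
        }
        p += rec.next;
        r.bytes_left -= rec.next;
    }
    return r;
}

/* Build a constructed chain of n records with the given Next values, followed
 * by pad zero bytes (modelling a server that pads the reply); returns length. */
static size_t build_chain(uint8_t *out, const uint32_t *nexts, int n, size_t pad)
{
    size_t off = 0;

    for (int i = 0; i < n; i++) {
        struct iface_rec rec = { nexts[i], (uint32_t)(i + 1) };
        memcpy(out + off, &rec, sizeof rec);
        off += sizeof rec;
    }
    memset(out + off, 0, pad);
    return off + pad;
}

/* Build, then parse: one constructed case end to end. */
static struct parse_result run_case(const uint32_t *nexts, int n, size_t pad)
{
    uint8_t buf[128];
    size_t len = build_chain(buf, nexts, n, pad);

    return parse_ifaces(buf, len);
}

int main(void)
{
    const uint32_t clean[] = { 8, 8, 0 };    /* well-formed, last Next == 0 */
    const uint32_t dangling[] = { 8, 8, 8 }; /* last Next lands exactly on buf + len */
    const uint32_t bogus[] = { 8, 100 };     /* Next escapes the buffer */
    struct parse_result r;

    r = run_case(clean, 3, 0);
    printf("clean:    count=%d bytes_left=%zu malformed=%d\n", r.count, r.bytes_left, r.malformed);
    r = run_case(dangling, 3, 0);
    printf("dangling: count=%d bytes_left=%zu malformed=%d (reading p->next here would be OOB)\n",
           r.count, r.bytes_left, r.malformed);
    r = run_case(clean, 3, 8);
    printf("padded:   count=%d bytes_left=%zu malformed=%d\n", r.count, r.bytes_left, r.malformed);
    r = run_case(bogus, 2, 0);
    printf("bogus:    count=%d bytes_left=%zu malformed=%d\n", r.count, r.bytes_left, r.malformed);
    return 0;
}
```

The "dangling" case is the shape that triggers the report: the last record carries a non-zero Next that advances p to the end of the buffer, bytes_left drops to 0, and any further read through p is past the allocation. The "padded" case shows the trade-off behind the removed Azure comment: 8 trailing bytes leave bytes_left at 8, which a strict `bytes_left > 0` check reports as incomplete while a `bytes_left > 8` tolerance would not.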

Comments

Tom Talpey Nov. 17, 2022, 10:10 p.m. UTC | #1
So, this only happens when the mount is over RDMA?

Nov 17, 2022 9:45:35 AM Zhang Xiaoxu <zhangxiaoxu5@huawei.com>:

> There is an OOB read in parse_server_interfaces when mount.cifs is run with rdma:
> 
>   BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x9ca/0xb80
>   Read of size 4 at addr ffff8881711f2f98 by task mount.cifs/1402
> 
>   CPU: 6 PID: 1402 Comm: mount.cifs Not tainted 6.1.0-rc5+ #69
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x34/0x44
>    print_report+0x171/0x472
>    kasan_report+0xad/0x130
>    kasan_check_range+0x145/0x1a0
>    parse_server_interfaces+0x9ca/0xb80
>    SMB3_request_interfaces+0x174/0x1e0
>    smb3_qfs_tcon+0x150/0x2a0
>    mount_get_conns+0x218/0x750
>    cifs_mount+0x103/0xd00
>    cifs_smb3_do_mount+0x1dd/0xcb0
>    smb3_get_tree+0x1d5/0x300
>    vfs_get_tree+0x41/0xf0
>    path_mount+0x9b3/0xdd0
>    __x64_sys_mount+0x190/0x1d0
>    do_syscall_64+0x35/0x80
>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
>   Allocated by task 1402:
>    kasan_save_stack+0x1e/0x40
>    kasan_set_track+0x21/0x30
>    __kasan_kmalloc+0x7a/0x90
>    __kmalloc_node_track_caller+0x60/0x140
>    kmemdup+0x22/0x50
>    SMB2_ioctl+0x58d/0x5d0
>    SMB3_request_interfaces+0xcd/0x1e0
>    smb3_qfs_tcon+0x150/0x2a0
>    mount_get_conns+0x218/0x750
>    cifs_mount+0x103/0xd00
>    cifs_smb3_do_mount+0x1dd/0xcb0
>    smb3_get_tree+0x1d5/0x300
>    vfs_get_tree+0x41/0xf0
>    path_mount+0x9b3/0xdd0
>    __x64_sys_mount+0x190/0x1d0
>    do_syscall_64+0x35/0x80
>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
> If all the interfaces have been decoded from the message, we should not check whether
> there is a next one; otherwise there will be an OOB read.
> 
> Let's just check the bytes not yet decoded to determine whether
> there is a next interface.
> 
> Fixes: aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> ---
> fs/cifs/smb2ops.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index 880cd494afea..39c7bee87556 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -673,8 +673,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
>         goto out;
>     }
> 
> -   /* Azure rounds the buffer size up 8, to a 16 byte boundary */
> -   if ((bytes_left > 8) || p->Next)
> +   if (bytes_left > 0)
>         cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
> 
> 
> -- 
> 2.31.1

Patch

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 880cd494afea..39c7bee87556 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -673,8 +673,7 @@  parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
 		goto out;
 	}
 
-	/* Azure rounds the buffer size up 8, to a 16 byte boundary */
-	if ((bytes_left > 8) || p->Next)
+	if (bytes_left > 0)
 		cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
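Review bot: Replacing `if ((bytes_left > 8) || p->Next)` with `if (bytes_left > 0)` changes more than the commit message describes. Dropping `p->Next` is the actual fix, since p can sit at the end of the buffer once the loop has consumed it, but the removed comment `/* Azure rounds the buffer size up 8, to a 16 byte boundary */` documented why up to 8 trailing bytes were tolerated, and with `> 0` every mount against such a server will now log "incomplete interface info" via cifs_dbg(VFS, ...). If the intent is only to remove the out-of-bounds read, `if (bytes_left > 8)` keeps the padding exception and the comment; if the tolerance is being dropped on purpose, the commit message should say so and why. It would also help to explain why the problem was only observed over RDMA, as Tom Talpey asked above, since nothing in this hunk is transport-specific.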