| Message ID | 20210919021315.642856-5-linkinjeon@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2,1/4] ksmbd: add request buffer validation in smb2_set_info | expand |
Hi Namjae, thanks! One nitpick below. Am 19.09.21 um 04:13 schrieb Namjae Jeon: > From: Hyunchul Lee <hyc.lee@gmail.com> > > Add buffer validation for SMB2_CREATE_CONTEXT. > > Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> > Cc: Ralph Böhme <slow@samba.org> > Cc: Steve French <smfrench@gmail.com> > Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> > Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> > --- > fs/ksmbd/oplock.c | 35 +++++++++++++++++++++++++---------- > fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++- > fs/ksmbd/smbacl.c | 9 ++++++++- > 3 files changed, 57 insertions(+), 12 deletions(-) > > diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c > index 16b6236d1bd2..3fd2713f2282 100644 > --- a/fs/ksmbd/oplock.c > +++ b/fs/ksmbd/oplock.c > @@ -1451,26 +1451,41 @@ struct lease_ctx_info *parse_lease_state(void *open_req) > */ > struct create_context *smb2_find_context_vals(void *open_req, const char *tag) > { > - char *data_offset; > + struct smb2_create_req *req = (struct smb2_create_req *)open_req; > struct create_context *cc; > - unsigned int next = 0; > + char *data_offset, *data_end; > char *name; > - struct smb2_create_req *req = (struct smb2_create_req *)open_req; > + unsigned int next = 0; > + unsigned int name_off, name_len, value_off, value_len; > > data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset); > + data_end = data_offset + le32_to_cpu(req->CreateContextsLength); > cc = (struct create_context *)data_offset; > do { > - int val; > - > cc = (struct create_context *)((char *)cc + next); > - name = le16_to_cpu(cc->NameOffset) + (char *)cc; > - val = le16_to_cpu(cc->NameLength); > - if (val < 4) > + if ((char *)cc + offsetof(struct create_context, Buffer) > > + data_end) > return ERR_PTR(-EINVAL); > > - if (memcmp(name, tag, val) == 0) > - return cc; > next = le32_to_cpu(cc->Next); > + name_off = le16_to_cpu(cc->NameOffset); > + name_len = le16_to_cpu(cc->NameLength); > + value_off = le16_to_cpu(cc->DataOffset); > + value_len = le32_to_cpu(cc->DataLength); > + > + if ((char *)cc + name_off + name_len > data_end || > + (value_len && (char *)cc + value_off + value_len > data_end)) > + return ERR_PTR(-EINVAL); > + else if (next && (next < name_off + name_len || > + (value_len && next < value_off + value_len))) > + return ERR_PTR(-EINVAL); The else is a bit confusing and not needed. Also, Samba has a few additional checks, I wonder whether we should add those two: if ((next & 0x7) != 0 || next > remaining || name_offset != 16 || name_length < 4 || name_offset + name_length > remaining || (data_offset & 0x7) != 0 || (data_offset && (data_offset < name_offset + name_length)) || (data_offset > remaining) || (data_offset + (uint64_t)data_length > remaining)) { return NT_STATUS_INVALID_PARAMETER; } Other then that lgtm. Thanks! -slow
2021-09-21 17:32 GMT+09:00, Ralph Boehme <slow@samba.org>: > Hi Namjae, > > thanks! One nitpick below. > > Am 19.09.21 um 04:13 schrieb Namjae Jeon: >> From: Hyunchul Lee <hyc.lee@gmail.com> >> >> Add buffer validation for SMB2_CREATE_CONTEXT. >> >> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> >> Cc: Ralph Böhme <slow@samba.org> >> Cc: Steve French <smfrench@gmail.com> >> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> >> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> >> --- >> fs/ksmbd/oplock.c | 35 +++++++++++++++++++++++++---------- >> fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++- >> fs/ksmbd/smbacl.c | 9 ++++++++- >> 3 files changed, 57 insertions(+), 12 deletions(-) >> >> diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c >> index 16b6236d1bd2..3fd2713f2282 100644 >> --- a/fs/ksmbd/oplock.c >> +++ b/fs/ksmbd/oplock.c >> @@ -1451,26 +1451,41 @@ struct lease_ctx_info *parse_lease_state(void >> *open_req) >> */ >> struct create_context *smb2_find_context_vals(void *open_req, const char >> *tag) >> { >> - char *data_offset; >> + struct smb2_create_req *req = (struct smb2_create_req *)open_req; >> struct create_context *cc; >> - unsigned int next = 0; >> + char *data_offset, *data_end; >> char *name; >> - struct smb2_create_req *req = (struct smb2_create_req *)open_req; >> + unsigned int next = 0; >> + unsigned int name_off, name_len, value_off, value_len; >> >> data_offset = (char *)req + 4 + >> le32_to_cpu(req->CreateContextsOffset); >> + data_end = data_offset + le32_to_cpu(req->CreateContextsLength); >> cc = (struct create_context *)data_offset; >> do { >> - int val; >> - >> cc = (struct create_context *)((char *)cc + next); >> - name = le16_to_cpu(cc->NameOffset) + (char *)cc; >> - val = le16_to_cpu(cc->NameLength); >> - if (val < 4) >> + if ((char *)cc + offsetof(struct create_context, Buffer) > >> + data_end) >> return ERR_PTR(-EINVAL); >> >> - if (memcmp(name, tag, val) == 0) >> - return cc; >> next = le32_to_cpu(cc->Next); >> + name_off = le16_to_cpu(cc->NameOffset); >> + name_len = le16_to_cpu(cc->NameLength); >> + value_off = le16_to_cpu(cc->DataOffset); >> + value_len = le32_to_cpu(cc->DataLength); >> + >> + if ((char *)cc + name_off + name_len > data_end || >> + (value_len && (char *)cc + value_off + value_len > data_end)) >> + return ERR_PTR(-EINVAL); >> + else if (next && (next < name_off + name_len || >> + (value_len && next < value_off + value_len))) >> + return ERR_PTR(-EINVAL); > > The else is a bit confusing and not needed. Also, Samba has a few > additional checks, I wonder whether we should add those two: > > if ((next & 0x7) != 0 || > next > remaining || > name_offset != 16 || > name_length < 4 || > name_offset + name_length > remaining || > (data_offset & 0x7) != 0 || > (data_offset && (data_offset < name_offset + > name_length)) || > (data_offset > remaining) || > (data_offset + (uint64_t)data_length > remaining)) { > return NT_STATUS_INVALID_PARAMETER; > } I will fix it on v2. Thank your review! > > Other then that lgtm. > > Thanks! > -slow > > -- > Ralph Boehme, Samba Team https://samba.org/ > SerNet Samba Team Lead https://sernet.de/en/team-samba > >
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c index 16b6236d1bd2..3fd2713f2282 100644 --- a/fs/ksmbd/oplock.c +++ b/fs/ksmbd/oplock.c @@ -1451,26 +1451,41 @@ struct lease_ctx_info *parse_lease_state(void *open_req) */ struct create_context *smb2_find_context_vals(void *open_req, const char *tag) { - char *data_offset; + struct smb2_create_req *req = (struct smb2_create_req *)open_req; struct create_context *cc; - unsigned int next = 0; + char *data_offset, *data_end; char *name; - struct smb2_create_req *req = (struct smb2_create_req *)open_req; + unsigned int next = 0; + unsigned int name_off, name_len, value_off, value_len; data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset); + data_end = data_offset + le32_to_cpu(req->CreateContextsLength); cc = (struct create_context *)data_offset; do { - int val; - cc = (struct create_context *)((char *)cc + next); - name = le16_to_cpu(cc->NameOffset) + (char *)cc; - val = le16_to_cpu(cc->NameLength); - if (val < 4) + if ((char *)cc + offsetof(struct create_context, Buffer) > + data_end) return ERR_PTR(-EINVAL); - if (memcmp(name, tag, val) == 0) - return cc; next = le32_to_cpu(cc->Next); + name_off = le16_to_cpu(cc->NameOffset); + name_len = le16_to_cpu(cc->NameLength); + value_off = le16_to_cpu(cc->DataOffset); + value_len = le32_to_cpu(cc->DataLength); + + if ((char *)cc + name_off + name_len > data_end || + (value_len && (char *)cc + value_off + value_len > data_end)) + return ERR_PTR(-EINVAL); + else if (next && (next < name_off + name_len || + (value_len && next < value_off + value_len))) + return ERR_PTR(-EINVAL); + + name = (char *)cc + name_off; + if (name_len < 4) + return ERR_PTR(-EINVAL); + + if (memcmp(name, tag, name_len) == 0) + return cc; } while (next != 0); return NULL; diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 117cf242d9b8..6d57827320e3 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2393,6 +2393,10 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work, ksmbd_debug(SMB, "Set ACLs using SMB2_CREATE_SD_BUFFER context\n"); sd_buf = (struct create_sd_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_sd_buf_req)) + return -EINVAL; return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd, le32_to_cpu(sd_buf->ccontext.DataLength), true); } @@ -2593,6 +2597,12 @@ int smb2_open(struct ksmbd_work *work) goto err_out1; } else if (context) { ea_buf = (struct create_ea_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_ea_buf_req)) { + rc = -EINVAL; + goto err_out1; + } if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) { rsp->hdr.Status = STATUS_ACCESS_DENIED; rc = -EACCES; @@ -2631,6 +2641,12 @@ int smb2_open(struct ksmbd_work *work) } else if (context) { struct create_posix *posix = (struct create_posix *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix)) { + rc = -EINVAL; + goto err_out1; + } ksmbd_debug(SMB, "get posix context\n"); posix_mode = le32_to_cpu(posix->Mode); @@ -3037,9 +3053,16 @@ int smb2_open(struct ksmbd_work *work) rc = PTR_ERR(az_req); goto err_out; } else if (az_req) { - loff_t alloc_size = le64_to_cpu(az_req->AllocationSize); + loff_t alloc_size; int err; + if (le16_to_cpu(az_req->ccontext.DataOffset) + + le32_to_cpu(az_req->ccontext.DataLength) < + sizeof(struct create_alloc_size_req)) { + rc = -EINVAL; + goto err_out; + } + alloc_size = le64_to_cpu(az_req->AllocationSize); ksmbd_debug(SMB, "request smb2 create allocate size : %llu\n", alloc_size); diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c index 0a95cdec8c80..f67567e1e178 100644 --- a/fs/ksmbd/smbacl.c +++ b/fs/ksmbd/smbacl.c @@ -392,7 +392,7 @@ static void parse_dacl(struct user_namespace *user_ns, return; /* validate that we do not go past end of acl */ - if (end_of_acl <= (char *)pdacl || + if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { pr_err("ACL too small to parse DACL\n"); return; @@ -434,6 +434,10 @@ static void parse_dacl(struct user_namespace *user_ns, ppace[i] = (struct smb_ace *)(acl_base + acl_size); acl_base = (char *)ppace[i]; acl_size = le16_to_cpu(ppace[i]->size); + + if (acl_base + acl_size > end_of_acl) + break; + ppace[i]->access_req = smb_map_generic_desired_access(ppace[i]->access_req); @@ -807,6 +811,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, if (!pntsd) return -EIO; + if (acl_len < sizeof(struct smb_ntsd)) + return -EINVAL; + owner_sid_ptr = (struct smb_sid *)((char *)pntsd + le32_to_cpu(pntsd->osidoffset)); group_sid_ptr = (struct smb_sid *)((char *)pntsd +