From patchwork Fri Oct 19 19:58:15 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 1619521
From: Jeff Layton
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, shirishpargaonkar@gmail.com
Subject: [PATCH 10/9] cifs: extra sanity checking for cifs.idmap keys
Date: Fri, 19 Oct 2012 15:58:15 -0400
Message-Id: <1350676695-8444-1-git-send-email-jlayton@redhat.com>

Now that we aren't so rigid about the length of the key being passed in, we need to be a bit more rigorous about checking the length of the actual data against the claimed length (a la num_subauths field).

Check for the case where userspace sends us a seemingly valid key with a num_subauths field that goes beyond the end of the array. If that happens, return -EIO and invalidate the key.

Also change the other places where we check for malformed keys in this code to invalidate the key as well.

Signed-off-by: Jeff Layton
---
 fs/cifs/cifsacl.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index 0c0a594..bd18723 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c @@ -197,6 +197,8 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) { int rc; struct key *sidkey; + struct cifs_sid *ksid; + unsigned int ksid_size; char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */ const struct cred *saved_cred;
@@ -217,15 +219,28 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) rc = -EIO; cFYI(1, "%s: Downcall contained malformed key " "(datalen=%hu)", __func__, sidkey->datalen); - goto out_key_put; + goto invalidate_key; } - cifs_copy_sid(ssid, (struct cifs_sid *)sidkey->payload.data); + + ksid = (struct cifs_sid *)sidkey->payload.data; + ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32)); + if (ksid_size > sidkey->datalen) { + rc = -EIO; + cFYI(1, "%s: Downcall contained malformed key (datalen=%hu, " + "ksid_size=%u)", __func__, sidkey->datalen, ksid_size); + goto invalidate_key; + } + cifs_copy_sid(ssid, ksid); key_set_timeout(sidkey, cifs_idmap_cache_timeout); out_key_put: key_put(sidkey); out_revert_creds: revert_creds(saved_cred); return rc; + +invalidate_key: + key_invalidate(sidkey); + goto out_key_put; } static int @@ -271,6 +286,7 @@ sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid, rc = -EIO; cFYI(1, "%s: Downcall contained malformed key " "(datalen=%hu)", __func__, sidkey->datalen); + key_invalidate(sidkey); goto out_key_put; }
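
Review bot: In the id_to_sid hunk (@@ -217,15 +219,28 @@), the new test `ksid_size > sidkey->datalen` bounds ksid->num_subauth only by the length of the key payload, not by how many sub-authorities the destination struct cifs_sid can hold when cifs_copy_sid(ssid, ksid) runs. The condition of the earlier datalen check is not visible in this hunk, and the commit message says the length requirement was relaxed, so a payload that is both long and carries a large num_subauth would pass this test. Suggest adding an explicit upper bound on num_subauth next to the new check, or a short comment stating that the earlier datalen check or cifs_copy_sid already guarantees it. The same comment could note that datalen is known to cover the fixed SID header before ksid->num_subauth is read.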
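
Review bot: In the sid_to_id hunk (@@ -271,6 +286,7 @@), key_invalidate(sidkey) is called inline before `goto out_key_put`, while id_to_sid in this same patch sends both of its malformed-key paths to a new invalidate_key label that sits after `return rc` and jumps backwards to out_key_put. Pick one pattern for both functions. Calling key_invalidate() inline at each error site, as done here, would also remove the backward goto in id_to_sid and keep the cleanup labels in a single top-to-bottom order.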