From patchwork Mon Sep 10 11:12:07 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 10593933 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3E3B3109C for ; Mon, 10 Sep 2018 11:12:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2C3DA28E53 for ; Mon, 10 Sep 2018 11:12:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2013A28E5A; Mon, 10 Sep 2018 11:12:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C941928E53 for ; Mon, 10 Sep 2018 11:12:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727840AbeIJQGI (ORCPT ); Mon, 10 Sep 2018 12:06:08 -0400 Received: from userp2130.oracle.com ([156.151.31.86]:34204 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727674AbeIJQGI (ORCPT ); Mon, 10 Sep 2018 12:06:08 -0400 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w8AB9KOv185731; Mon, 10 Sep 2018 11:12:16 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type : in-reply-to; s=corp-2018-07-02; bh=xbHb/VrG4VTPvGoANAl2olI3Ta6e5u+okHoV2RAHiww=; b=WvRI8UUqC0zo/FDVzrFzmB5wSupHSvZVpHzWjpjWsrtQdDE3yQ4PX8qj5u9flW/kHj3o aBHSJ4jCDuIa5fJ5cHdG7WWIdGB/AVamIvCOELdW4Y31RDAehJF5XRsvT7SH7r0ZGopr nnYe5cTz6z9K4VL2ZzFzNDicELka3urdjIQd555YknTH+3afJezzGi4crq9MQklSYQ1X ZGZ/LqtEg/SMa1cc6NYcDR+zbB1Tvp8DaIlgGTP4HLu1nW7zj4TtLy3u3YuDqh/9VsXE hOFbnQCN8yigzxEnHggjGrH714AuJMrCJAn8kVMeam2onv0oilEbznqYJ/0kbTF2pG+o pQ== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2130.oracle.com with ESMTP id 2mc5ut5dbw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 10 Sep 2018 11:12:15 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w8ABCFdu029457 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 10 Sep 2018 11:12:15 GMT Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w8ABCEtC029873; Mon, 10 Sep 2018 11:12:14 GMT Received: from kili.mountain (/197.232.248.111) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 10 Sep 2018 04:12:14 -0700 Date: Mon, 10 Sep 2018 14:12:07 +0300 From: Dan Carpenter To: Steve French Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, kernel-janitors@vger.kernel.org, YueHaibing Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl() Message-ID: <20180910111207.r2uqce4ie7ee7fsh@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1536543186-182076-1-git-send-email-yuehaibing@huawei.com> X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170113 (1.7.2) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9011 signatures=668708 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809100116 Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index c08acfc77abc..8b54cd282d9c 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, /* We check for obvious errors in the output buffer length and offset */ if (*plen == 0) goto ioctl_exit; /* server returned no data */ - else if (*plen > 0xFF00) { + else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) { cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen); *plen = 0; rc = -EIO; goto ioctl_exit; } - if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) { + if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) { cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen, le32_to_cpu(rsp->OutputOffset)); *plen = 0;