From patchwork Tue Jan  8 18:30:57 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
X-Patchwork-Id: 10752745
Return-Path: <linux-cifs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E6EBC6C5
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Tue,  8 Jan 2019 18:31:42 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D83FD28F45
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Tue,  8 Jan 2019 18:31:42 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CC56C28F6E; Tue,  8 Jan 2019 18:31:42 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EE21F28F6D
	for <patchwork-cifs-client@patchwork.kernel.org>;
 Tue,  8 Jan 2019 18:31:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729528AbfAHSbk (ORCPT
        <rfc822;patchwork-cifs-client@patchwork.kernel.org>);
        Tue, 8 Jan 2019 13:31:40 -0500
Received: from smtp03.citrix.com ([162.221.156.55]:23679 "EHLO
        SMTP03.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728752AbfAHSbk (ORCPT
        <rfc822;linux-cifs@vger.kernel.org>); Tue, 8 Jan 2019 13:31:40 -0500
X-IronPort-AV: E=Sophos;i="5.56,455,1539648000";
   d="scan'208";a="75085435"
From: Ross Lagerwall <ross.lagerwall@citrix.com>
To: <linux-cifs@vger.kernel.org>
CC: Steve French <sfrench@samba.org>,
        Pavel Shilovsky <pshilov@microsoft.com>,
        Ross Lagerwall <ross.lagerwall@citrix.com>
Subject: [PATCH 2/2] cifs: Fix potential OOB access of lock element array
Date: Tue, 8 Jan 2019 18:30:57 +0000
Message-ID: <20190108183057.5981-2-ross.lagerwall@citrix.com>
X-Mailer: git-send-email 2.17.2
In-Reply-To: <20190108183057.5981-1-ross.lagerwall@citrix.com>
References: <20190108183057.5981-1-ross.lagerwall@citrix.com>
MIME-Version: 1.0
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
---
 fs/cifs/file.c     | 8 ++++----
 fs/cifs/smb2file.c | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 673f948e4760..5b6f8392d9db 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1132,10 +1132,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
 
 	/*
 	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
-	 * and check it for zero before using.
+	 * and check it before using.
 	 */
 	max_buf = tcon->ses->server->maxBuf;
-	if (!max_buf) {
+	if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
 		free_xid(xid);
 		return -EINVAL;
 	}
@@ -1476,10 +1476,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 
 	/*
 	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
-	 * and check it for zero before using.
+	 * and check it before using.
 	 */
 	max_buf = tcon->ses->server->maxBuf;
-	if (!max_buf)
+	if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
 		return -EINVAL;
 
 	BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index eff01ed6db0a..b204e84b87fb 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -122,10 +122,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 
 	/*
 	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
-	 * and check it for zero before using.
+	 * and check it before using.
 	 */
 	max_buf = tcon->ses->server->maxBuf;
-	if (!max_buf)
+	if (max_buf < sizeof(struct smb2_lock_element))
 		return -EINVAL;
 
 	BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);