| Message ID | 20210416073530.GA21974@himera.home (mailing list archive) |
|---|---|
| State | New, archived |
| Series | cifs: fix out-of-bound memory access when calling smb3_notify() at mount point |
Added: CC: <stable@vger.kernel.org> # v5.6+ and merged into cifs-2.6.git for-next On Fri, Apr 16, 2021 at 2:42 AM Eugene Korenevsky <ekorenevsky@astralinux.ru> wrote: > > If smb3_notify() is called at mount point of CIFS, build_path_from_dentry() > returns the pointer to kmalloc-ed memory with terminating zero (this is > empty FileName to be passed to SMB2 CREATE request). This pointer is assigned > to the `path` variable. > Then `path + 1` (to skip first backslash symbol) is passed to > cifs_convert_path_to_utf16(). This is incorrect for empty path and causes > out-of-bound memory access. > > Get rid of this "increase by one". cifs_convert_path_to_utf16() already > contains the check for leading backslash in the path. > > BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212693 > Signed-off-by: Eugene Korenevsky <ekorenevsky@astralinux.ru> > --- > fs/cifs/smb2ops.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > index caa5432a5ed1..b13a8e3e1e24 100644 > --- a/fs/cifs/smb2ops.c > +++ b/fs/cifs/smb2ops.c > @@ -2264,7 +2264,7 @@ smb3_notify(const unsigned int xid, struct file *pfile, > goto notify_exit; > } > > - utf16_path = cifs_convert_path_to_utf16(path + 1, cifs_sb); > + utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); > if (utf16_path == NULL) { > rc = -ENOMEM; > goto notify_exit; > -- > 2.20.1 >
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index caa5432a5ed1..b13a8e3e1e24 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2264,7 +2264,7 @@ smb3_notify(const unsigned int xid, struct file *pfile, goto notify_exit; } - utf16_path = cifs_convert_path_to_utf16(path + 1, cifs_sb); + utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); if (utf16_path == NULL) { rc = -ENOMEM; goto notify_exit;
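Review bot: the correctness of dropping `path + 1` rests entirely on cifs_convert_path_to_utf16() skipping a leading backslash itself, as the commit message asserts, but nothing in the hunk records that; a one-line comment above the call (e.g. `/* path is "" at the mount point; the helper strips a leading '\\' itself */`) would stop a later cleanup from reintroducing the `+ 1`. The message also lacks a Fixes: tag naming the commit that introduced smb3_notify() and a Cc: stable line, so the stable tag had to be added by hand in the reply ("# v5.6+"); adding both to the patch itself lets the backport be picked up automatically.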
If smb3_notify() is called at the mount point of a CIFS share, build_path_from_dentry() returns a pointer to kmalloc-ed memory with a terminating zero (this is the empty FileName to be passed to the SMB2 CREATE request). This pointer is assigned to the `path` variable. Then `path + 1` (to skip the first backslash) is passed to cifs_convert_path_to_utf16(). This is incorrect for an empty path and causes an out-of-bound memory access.

Get rid of this "increase by one". cifs_convert_path_to_utf16() already contains the check for a leading backslash in the path.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212693
Signed-off-by: Eugene Korenevsky <ekorenevsky@astralinux.ru>
---
 fs/cifs/smb2ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
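As an added illustration of the commit message above (a constructed example, not the kernel's cifs code): a stand-in for cifs_convert_path_to_utf16() that strips the leading backslash itself, the caller as the patch leaves it, and a bounds check showing why the removed `path + 1` falls outside the allocation for the empty mount-point path. The byte-widening conversion and the 64-unit buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for cifs_convert_path_to_utf16(): like the kernel
 * helper, it skips one leading backslash itself. The conversion here is a
 * plain widening of each byte to a 16-bit unit (an assumption for this
 * example; the real helper converts to UCS-2). Returns the number of units
 * written without the terminator, or (size_t)-1 if `out` is too small. */
size_t convert_path_to_utf16(const char *from, uint16_t *out, size_t out_units)
{
    const char *start = (from[0] == '\\') ? from + 1 : from;
    size_t len = strlen(start);

    if (len + 1 > out_units)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint16_t)(unsigned char)start[i];
    out[len] = 0;
    return len;
}

/* The caller as fixed by the patch: hand the helper `path` unchanged and
 * let it deal with the separator. Returns the unit count, or -1 on error. */
long fixed_notify_path_len(const char *path)
{
    uint16_t buf[64];
    size_t n = convert_path_to_utf16(path, buf, sizeof buf / sizeof buf[0]);

    return n == (size_t)-1 ? -1 : (long)n;
}

/* The caller before the patch passed `path + 1`. build_path_from_dentry()
 * hands back strlen(path) + 1 bytes, so for the empty path the mount point
 * yields, `path + 1` is already one past the terminating zero and the
 * helper's first read is out of bounds. This checks the offset without
 * dereferencing anything. Returns 1 if the old call would read past the
 * buffer, 0 otherwise. */
int old_call_reads_past_allocation(const char *path)
{
    size_t alloc_len = strlen(path) + 1;
    size_t offset = 1; /* the "+ 1" the patch removes */

    return offset >= alloc_len;
}
```

For every non-empty path the fixed call yields the same result the old double-skip did, because the helper drops the separator once; only the empty path changes, from an out-of-bounds read to an empty FileName.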