[4/4] cifs: add validation check for the fields in smb_aces

Message ID	20250212124340.8034-4-linkinjeon@kernel.org (mailing list archive)
State	New, archived
Headers	show Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9C2BC20D51A for <linux-cifs@vger.kernel.org>; Wed, 12 Feb 2025 12:45:05 +0000 (UTC) From: Namjae Jeon <linkinjeon@kernel.org> To: linux-cifs@vger.kernel.org Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, atteh.mailbox@gmail.com, pc@manguebit.com, ronniesahlberg@gmail.com, sprasad@microsoft.com, bharathsm@microsoft.com, Namjae Jeon <linkinjeon@kernel.org> Subject: [PATCH 4/4] cifs: add validation check for the fields in smb_aces Date: Wed, 12 Feb 2025 21:43:40 +0900 Message-Id: <20250212124340.8034-4-linkinjeon@kernel.org> In-Reply-To: <20250212124340.8034-1-linkinjeon@kernel.org> References: <20250212124340.8034-1-linkinjeon@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[1/4] smb: common: change the data type of num_aces to le16 \| expand [1/4] smb: common: change the data type of num_aces to le16 [2/4] ksmbd: fix incorrect validation for num_aces field of smb_acl [3/4] cifs: fix incorrect validation for num_aces field of smb_acl [4/4] cifs: add validation check for the fields in smb_aces

Message ID

20250212124340.8034-4-linkinjeon@kernel.org (mailing list archive)

State

New, archived

Headers

From: Namjae Jeon <linkinjeon@kernel.org>
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com,
	senozhatsky@chromium.org,
	tom@talpey.com,
	atteh.mailbox@gmail.com,
	pc@manguebit.com,
	ronniesahlberg@gmail.com,
	sprasad@microsoft.com,
	bharathsm@microsoft.com,
	Namjae Jeon <linkinjeon@kernel.org>
Subject: [PATCH 4/4] cifs: add validation check for the fields in smb_aces
Date: Wed, 12 Feb 2025 21:43:40 +0900
Message-Id: <20250212124340.8034-4-linkinjeon@kernel.org>
In-Reply-To: <20250212124340.8034-1-linkinjeon@kernel.org>
References: <20250212124340.8034-1-linkinjeon@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[1/4] smb: common: change the data type of num_aces to le16 | expand

Commit Message

Namjae Jeon Feb. 12, 2025, 12:43 p.m. UTC

cifs.ko is missing validation check when accessing smb_aces.
This patch add validation check for the fields in smb_aces.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/smb/client/cifsacl.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
index 6b29a01a6e56..5c511b28dd77 100644
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -811,7 +811,23 @@  static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 			return;
 
 		for (i = 0; i < num_aces; ++i) {
+			if (end_of_acl - acl_base < acl_size)
+	                        break;
+
 			ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+			acl_base = (char *)ppace[i];
+			acl_size = offsetof(struct smb_ace, sid) +
+				offsetof(struct smb_sid, sub_auth);
+
+			if (end_of_acl - acl_base < acl_size ||
+			    ppace[i]->sid.num_subauth == 0 ||
+			    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+			    (end_of_acl - acl_base <
+			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
+			    (le16_to_cpu(ppace[i]->size) <
+			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
+				break;
+
 #ifdef CONFIG_CIFS_DEBUG2
 			dump_ace(ppace[i], end_of_acl);
 #endif
@@ -855,7 +871,6 @@  static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 				(void *)ppace[i],
 				sizeof(struct smb_ace)); */
 
-			acl_base = (char *)ppace[i];
 			acl_size = le16_to_cpu(ppace[i]->size);
 		}

[4/4] cifs: add validation check for the fields in smb_aces

Commit Message

Patch