From patchwork Tue Aug 10 23:10:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve French X-Patchwork-Id: 12429603 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 35C16C4338F for ; Tue, 10 Aug 2021 23:10:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1A61860462 for ; Tue, 10 Aug 2021 23:10:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235306AbhHJXLK (ORCPT ); Tue, 10 Aug 2021 19:11:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43906 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235206AbhHJXLJ (ORCPT ); Tue, 10 Aug 2021 19:11:09 -0400 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DF8FEC061765 for ; Tue, 10 Aug 2021 16:10:46 -0700 (PDT) Received: by mail-lf1-x12d.google.com with SMTP id x27so1351128lfu.5 for ; Tue, 10 Aug 2021 16:10:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=n4rahVjOdZUHAow8MRrIr8U8KIu9qnwt4IylDlFM9eg=; b=iCIra1pSjVTqIrhhhjEfzmU5LvrKXjjRUN7C2syVzC/J+JP7rfjfo/ak5baTfviLki WsAhflFLcSvlH7p06yEtKgitBu775F5G3xdHclzNi916L+QcDoe4w02lSOCfSJCWZCMy bUVcSVU15k3TCcd266Mq/keu9msQvoWDvm23s257KGaff0sV7zGXXZ2aP1QZnWofCrw+ iziKGKnSzfxzgZSndJu8vUWw95dwnZ5lzZ/u8e6uupvAVtnzIzpiL7CFFz/qCe9Y92Qw opPXvmJPtNt+uC3jHfcewzpm4O5PULwyDralnlYHwpYjccQn/XotC9BOiKEMwHFGx3zg fKhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=n4rahVjOdZUHAow8MRrIr8U8KIu9qnwt4IylDlFM9eg=; b=cadDzK52mLKlFaZfYRFI/SmM78EJJtG6V1P5rmdufN9n1iGKTtA445b4L/5R75Kbfs q1LUiKL0sqiOUC2T/rT5sYf3kPsBAghkqU+hdWdqFojMWw1U4e21sbDYeggtZTPhbwkj pFKTnrg8fqiRhjRdjC5RUD31QNe1FzY/nv/EIXHnpyym4kblfSRKNySj2u979OkLhZZK 60v9c1wxF5yZ1o9H9adQNJR1HhgnF0qNGlNg7uOSN1WkRpLHumZziX8rCTn68yRrWfmS AOdYkc8o5qy2CFDq/YMQ6uzyAYYBcY73IlAW4Dkj28Y8AuOzDhlpZBA+umImK2fBRWOD 2g5w== X-Gm-Message-State: AOAM533Age5zgwyFwfPZXEpPG6UsuUqAzZh0gbFBHfdAY97puyG44OaP eIz1qHXUpVRIRdzUEl0IwqdOEvynPbN6DPQ8jr+0PN0j3uMJiQ== X-Google-Smtp-Source: ABdhPJwjtQSFJJFgn0JLeCGf2lV0WuGG4oDyB3Ghs1X4KHwRTgfSlAFDaSqr67M0ZonuxwfuEXpedkjDAYRVZ1HEXH0= X-Received: by 2002:a05:6512:e9a:: with SMTP id bi26mr21859278lfb.282.1628637045024; Tue, 10 Aug 2021 16:10:45 -0700 (PDT) MIME-Version: 1.0 From: Steve French Date: Tue, 10 Aug 2021 18:10:34 -0500 Message-ID: Subject: [PATCH] cifs: fix signed integer overflow when fl_end is OFFSET_MAX To: Paulo Alcantara Cc: ronnie sahlberg , CIFS Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org How about the following minor change to the recent patch from Paulo - handling the case where we are doing a whole file lock (BSD lock, flock) - in which case the original patch would send length of 0 (but we went to send a byte range lock of the whole file)? +static inline u64 cifs_flock_len(struct file_lock *fl) +{ + return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start: fl->fl_end - fl->fl_start + 1; +} instead of Paulo's original patch +static inline u64 cifs_flock_len(struct file_lock *fl) +{ + return fl->fl_end == OFFSET_MAX ? 0: fl->fl_end - fl->fl_start + 1; +} From 57bbe088e3c98d05f1341adaf480c6d91a574a4e Mon Sep 17 00:00:00 2001 From: Paulo Alcantara Date: Tue, 10 Aug 2021 13:10:44 -0300 Subject: [PATCH 1/2] cifs: fix signed integer overflow when fl_end is OFFSET_MAX This fixes the following when running xfstests generic/504: [ 134.394698] CIFS: Attempting to mount \\win16.vm.test\Share [ 134.420905] CIFS: VFS: generate_smb3signingkey: dumping generated AES session keys [ 134.420911] CIFS: VFS: Session Id 05 00 00 00 00 c4 00 00 [ 134.420914] CIFS: VFS: Cipher type 1 [ 134.420917] CIFS: VFS: Session Key ea 0b d9 22 2e af 01 69 30 1b 15 74 bf 87 41 11 [ 134.420920] CIFS: VFS: Signing Key 59 28 43 5c f0 b6 b1 6f f5 7b 65 f2 9f 9e 58 7d [ 134.420923] CIFS: VFS: ServerIn Key eb aa 58 c8 95 01 9a f7 91 98 e4 fa bc d8 74 f1 [ 134.420926] CIFS: VFS: ServerOut Key 08 5b 21 e5 2e 4e 86 f6 05 c2 58 e0 af 53 83 e7 [ 134.771946] ================================================================================ [ 134.771953] UBSAN: signed-integer-overflow in fs/cifs/file.c:1706:19 [ 134.771957] 9223372036854775807 + 1 cannot be represented in type 'long long int' [ 134.771960] CPU: 4 PID: 2773 Comm: flock Not tainted 5.11.22 #1 [ 134.771964] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 134.771966] Call Trace: [ 134.771970] dump_stack+0x8d/0xb5 [ 134.771981] ubsan_epilogue+0x5/0x50 [ 134.771988] handle_overflow+0xa3/0xb0 [ 134.771997] ? lockdep_hardirqs_on_prepare+0xe8/0x1b0 [ 134.772006] cifs_setlk+0x63c/0x680 [cifs] [ 134.772085] ? _get_xid+0x5f/0xa0 [cifs] [ 134.772085] cifs_flock+0x131/0x400 [cifs] [ 134.772085] __x64_sys_flock+0xfc/0x120 [ 134.772085] do_syscall_64+0x33/0x40 [ 134.772085] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 134.772085] RIP: 0033:0x7fea4f83b3fb [ 134.772085] Code: ff 48 8b 15 8f 1a 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb da e8 16 0b 02 00 66 0f 1f 44 00 00 f3 0f 1e fa b8 49 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5d 1a 0d 00 f7 d8 64 89 01 48 Signed-off-by: Paulo Alcantara (SUSE) Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French --- fs/cifs/cifsglob.h | 5 +++++ fs/cifs/cifssmb.c | 3 ++- fs/cifs/file.c | 8 ++++---- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index c0bfc2f01030..f7bdf865f439 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -1964,4 +1964,9 @@ static inline bool is_tcon_dfs(struct cifs_tcon *tcon) tcon->share_flags & (SHI1005_FLAGS_DFS | SHI1005_FLAGS_DFS_ROOT); } +static inline u64 cifs_flock_len(struct file_lock *fl) +{ + return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start: fl->fl_end - fl->fl_start + 1; +} + #endif /* _CIFS_GLOB_H */ diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 65d1a65bfc37..6ab6cf669438 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -2607,7 +2607,8 @@ CIFSSMBPosixLock(const unsigned int xid, struct cifs_tcon *tcon, pLockData->fl_start = le64_to_cpu(parm_data->start); pLockData->fl_end = pLockData->fl_start + - le64_to_cpu(parm_data->length) - 1; + (le64_to_cpu(parm_data->length) ? + le64_to_cpu(parm_data->length) - 1 : 0); pLockData->fl_pid = -le32_to_cpu(parm_data->pid); } } diff --git a/fs/cifs/file.c b/fs/cifs/file.c index 0a72840a88f1..e1cfd50996a0 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -1385,7 +1385,7 @@ cifs_push_posix_locks(struct cifsFileInfo *cfile) cifs_dbg(VFS, "Can't push all brlocks!\n"); break; } - length = 1 + flock->fl_end - flock->fl_start; + length = cifs_flock_len(flock); if (flock->fl_type == F_RDLCK || flock->fl_type == F_SHLCK) type = CIFS_RDLCK; else @@ -1501,7 +1501,7 @@ cifs_getlk(struct file *file, struct file_lock *flock, __u32 type, bool wait_flag, bool posix_lck, unsigned int xid) { int rc = 0; - __u64 length = 1 + flock->fl_end - flock->fl_start; + __u64 length = cifs_flock_len(flock); struct cifsFileInfo *cfile = (struct cifsFileInfo *)file->private_data; struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); struct TCP_Server_Info *server = tcon->ses->server; @@ -1599,7 +1599,7 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry)); struct cifsLockInfo *li, *tmp; - __u64 length = 1 + flock->fl_end - flock->fl_start; + __u64 length = cifs_flock_len(flock); struct list_head tmp_llist; INIT_LIST_HEAD(&tmp_llist); @@ -1703,7 +1703,7 @@ cifs_setlk(struct file *file, struct file_lock *flock, __u32 type, unsigned int xid) { int rc = 0; - __u64 length = 1 + flock->fl_end - flock->fl_start; + __u64 length = cifs_flock_len(flock); struct cifsFileInfo *cfile = (struct cifsFileInfo *)file->private_data; struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); struct TCP_Server_Info *server = tcon->ses->server; -- 2.30.2