From patchwork Fri Apr 20 17:37:32 2018
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 10353379
In-Reply-To: <20180420131919.GA1766@embeddedor.com>
References: <20180420131919.GA1766@embeddedor.com>
From: Steve French Date: Fri, 20 Apr 2018 12:37:32 -0500 Message-ID: Subject: Re: [PATCH] cifs: dir: fix memory leak in cifs_mknod To: "Gustavo A. R. Silva" , Colin King Cc: Ronnie Sahlberg , Steve French , CIFS , samba-technical , LKML , kernel-janitors Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP I noticed a similar problem with the tcon link leak on that (which Colin and Gustavo pointed out - thank you!) but also in another return statement, so updated the original patch of Ronnie's merging the fixes https://git.samba.org/sfrench/cifs-2.6.git/?p=sfrench/cifs-2.6.git;a=commit;h=167bc5de08dc97695f9d5c7069c3e69f409ff80b Let me know if you see any problems with it. On Fri, Apr 20, 2018 at 8:19 AM, Gustavo A. R. Silva wrote: > Free allocated memory for full_path and xid before return. > > Addresses-Coverity-ID: 1468029 ("Resource leak") > Fixes: 49162bfde140 ("cifs: do not allow creating sockets except with > SMB1 posix exensions") > Signed-off-by: Gustavo A. R. Silva > --- > fs/cifs/dir.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c > index f0a759d..71e32d9 100644 > --- a/fs/cifs/dir.c > +++ b/fs/cifs/dir.c > @@ -684,8 +684,11 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, > goto mknod_out; > } > > - if (!S_ISCHR(mode) && !S_ISBLK(mode)) > + if (!S_ISCHR(mode) && !S_ISBLK(mode)) { > + kfree(full_path); > + free_xid(xid); > return -EPERM; > + } > > if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) > goto mknod_out; > -- > 2.7.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html Reviewed-by: Pavel Shilovsky From 167bc5de08dc97695f9d5c7069c3e69f409ff80b Mon Sep 17 00:00:00 2001 
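Review bot: in Gustavo's quoted hunk for cifs_mknod, the new early `return -EPERM` still bypasses the `mknod_out` label, so it frees `full_path` and the xid but not the tcon link that Steve's reply (and the merged patch below) says is also leaked on that path; rather than duplicating the two frees inline, set `rc = -EPERM;` and `goto mknod_out;` so every failure path in the function unwinds through the same cleanup.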
From: Steve French Date: Fri, 20 Apr 2018 12:19:07 -0500 Subject: [PATCH 1/2] cifs: do not allow creating sockets except with SMB1 posix exensions RHBZ: 1453123 Since at least the 3.10 kernel and likely a lot earlier we have not been able to create unix domain sockets in a cifs share when mounted using the SFU mount option (except when mounted with the cifs unix extensions to Samba e.g.) Trying to create a socket, for example using the af_unix command from xfstests will cause : BUG: unable to handle kernel NULL pointer dereference at 00000000 00000040 Since no one uses or depends on being able to create unix domains sockets on a cifs share the easiest fix to stop this vulnerability is to simply not allow creation of any other special files than char or block devices when sfu is used. Added update to Ronnie's patch to handle a tcon link leak, and to address a buf leak noticed by Gustavo and Colin. CC: Gustavo A. R. Silva CC: Colin Ian King Reported-by: Eryu Guan Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Cc: stable@vger.kernel.org --- fs/cifs/dir.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c index 81ba6e0d88d8..925844343038 100644 --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c @@ -684,6 +684,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, goto mknod_out; } + if (!S_ISCHR(mode) && !S_ISBLK(mode)) + goto mknod_out; + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) goto mknod_out; @@ -692,10 +695,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL); if (buf == NULL) { - kfree(full_path); rc = -ENOMEM; - free_xid(xid); - return rc; + goto mknod_out; } if (backup_cred(cifs_sb)) 
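Review bot: in the first hunk, the new `goto mknod_out` for `!S_ISCHR(mode) && !S_ISBLK(mode)` never assigns `rc`, so the error returned to the caller depends on `rc` already holding an error value at that point (the quoted fix in the reply returned `-EPERM` explicitly); an explicit `rc = -EPERM;` before the `goto` keeps the rejection correct even if the initialiser of `rc` is changed later. The second hunk's replacement of the inline `kfree(full_path)` / `free_xid(xid)` / `return rc` with `goto mknod_out` is only a pure cleanup if `mknod_out` performs those two frees and the tcon link put; that label's body is not in the diff, so it is worth confirming before merging.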
@@ -742,7 +743,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, pdev->minor = cpu_to_le64(MINOR(device_number)); rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, &bytes_written, iov, 1); - } /* else if (S_ISFIFO) */ + } tcon->ses->server->ops->close(xid, tcon, &fid); d_drop(direntry); -- 2.14.1
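Review bot: dropping the `/* else if (S_ISFIFO) */` placeholder is consistent with the new early check, since FIFOs and sockets no longer reach this point; with it gone, though, nothing in the code says why only char and block devices are accepted under SFU, so a one-line comment at the new `S_ISCHR`/`S_ISBLK` check pointing at the NULL pointer dereference described in the commit message would help the next reader.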