authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-23 09:56:04 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-23 09:56:04 -0700
commita95de64f6f0e714d1814bc7cd33793b65c7e3d30 (patch)
tree8548099f632be454b92adac3bffce605a9d2dd2b
parenta5fc89d7b23ae1e7838b2feb24b58b670c314cd1 (diff)
downloadstable-queue-a95de64f6f0e714d1814bc7cd33793b65c7e3d30.tar.gz
6.8-stable patches
added patches: ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
-rw-r--r--queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch43
-rw-r--r--queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch35
-rw-r--r--queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch53
-rw-r--r--queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch35
-rw-r--r--queue-6.8/series4
5 files changed, 170 insertions, 0 deletions
diff --git a/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch b/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
new file mode 100644
index 0000000000..6185105ab9
--- /dev/null
+++ b/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
@@ -0,0 +1,43 @@
+From 4973b04d3ea577db80c501c5f14e68ec69fe1794 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Mon, 15 Apr 2024 15:12:48 +0200
+Subject: ksmbd: clear RENAME_NOREPLACE before calling vfs_rename
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+commit 4973b04d3ea577db80c501c5f14e68ec69fe1794 upstream.
+
+File overwrite case is explicitly handled, so it is not necessary to
+pass RENAME_NOREPLACE to vfs_rename.
+
+Clearing the flag fixes rename operations when the share is a ntfs-3g
+mount. The latter uses an older version of fuse with no support for
+flags in the ->rename op.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -754,10 +754,15 @@ retry:
+ goto out4;
+ }
+
++ /*
++ * explicitly handle file overwrite case, for compatibility with
++ * filesystems that may not support rename flags (e.g: fuse)
++ */
+ if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry)) {
+ err = -EEXIST;
+ goto out4;
+ }
++ flags &= ~(RENAME_NOREPLACE);
+
+ if (old_child == trap) {
+ err = -EINVAL;
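Review bot: The explicit `-EEXIST` check on the `d_is_positive(new_dentry)` line is only equivalent to letting vfs_rename() enforce RENAME_NOREPLACE if the lookup of new_dentry, this check and the rename all run while the parent directory is held locked; the `retry:` context hints at a lock_rename-style section above the hunk, but that lock is not visible here, so please confirm the ordering, otherwise a file created between the check and the rename would be overwritten. The new comment explains the compatibility motive but not that the flag is removed on the line after the check; I would extend it with `/* the flag is then cleared so vfs_rename() never hands it to filesystems that reject unknown rename flags */`. Style nit: `flags &= ~RENAME_NOREPLACE;` needs no parentheses. The enclosing function starts and ends outside the hunk.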
diff --git a/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch b/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
new file mode 100644
index 0000000000..62f80dc49d
--- /dev/null
+++ b/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
@@ -0,0 +1,35 @@
+From 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 19 Apr 2024 23:46:34 +0900
+Subject: ksmbd: common: use struct_group_attr instead of struct_group for network_open_info
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 upstream.
+
+4byte padding cause the connection issue with the applications of MacOS.
+smb2_close response size increases by 4 bytes by padding, And the smb
+client of MacOS check it and stop the connection. This patch use
+struct_group_attr instead of struct_group for network_open_info to use
+ __packed to avoid padding.
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/common/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/common/smb2pdu.h
++++ b/fs/smb/common/smb2pdu.h
+@@ -702,7 +702,7 @@ struct smb2_close_rsp {
+ __le16 StructureSize; /* 60 */
+ __le16 Flags;
+ __le32 Reserved;
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
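Review bot: The `__packed` on `struct_group_attr(network_open_info, __packed,` removes the trailing padding of the group's anonymous struct, but nothing in the header stops the same regression from returning the next time a member is added or the group macro is touched. The `/* 60 */` annotation on StructureSize gives the wire size of the response body, and the 8 bytes of StructureSize, Flags and Reserved precede the group, so a build-time check after the struct would pin it: `static_assert(sizeof_field(struct smb2_close_rsp, network_open_info) == 60 - 8);` — valid only if the group is the last member of the body, which the hunk does not show. A one-line comment on the group, e.g. `/* __packed: the group is 52 bytes, not a multiple of 8; natural alignment would add 4 bytes of padding that macOS clients reject */`, would also explain the attribute to future readers. struct smb2_close_rsp ends outside the hunk.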
diff --git a/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch b/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 0000000000..45c4eec5d7
--- /dev/null
+++ b/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
@@ -0,0 +1,53 @@
+From c119f4ede3fa90a9463f50831761c28f989bfb20 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 11 Apr 2024 23:02:15 +0900
+Subject: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c119f4ede3fa90a9463f50831761c28f989bfb20 upstream.
+
+If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
+validation could be skipped. if request size is smaller than
+sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
+smb2_allocate_rsp_buf(). This patch allocate response buffer after
+decrypting transform request. smb3_decrypt_req() will validate transform
+request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/server.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -167,20 +167,17 @@ static void __handle_ksmbd_work(struct k
+ int rc;
+ bool is_chained = false;
+
+- if (conn->ops->allocate_rsp_buf(work))
+- return;
+-
+ if (conn->ops->is_transform_hdr &&
+ conn->ops->is_transform_hdr(work->request_buf)) {
+ rc = conn->ops->decrypt_req(work);
+- if (rc < 0) {
+- conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+- goto send;
+- }
+-
++ if (rc < 0)
++ return;
+ work->encrypted = true;
+ }
+
++ if (conn->ops->allocate_rsp_buf(work))
++ return;
++
+ rc = conn->ops->init_rsp_hdr(work);
+ if (rc) {
+ /* either uid or tid is not correct */
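Review bot: A decrypt_req() failure on the new `if (rc < 0) return;` lines now drops the request with no reply at all, where the old code answered STATUS_DATA_ERROR; that is forced because no response buffer exists yet, but the silent drop deserves a comment so nobody "fixes" it by moving the allocation back above the decryption, which is exactly the ordering this commit removes to stop the slab out-of-bounds read. Suggested: `/* no response buffer yet: decrypt_req() validated and rejected the PDU, so the request is dropped without a reply */`. Separately, `is_transform_hdr(work->request_buf)` still inspects the request before any size check visible in this hunk; I assume the receive loop already guarantees at least a full header is present, which is worth confirming since it is the only thing standing between an undersized PDU and this read. __handle_ksmbd_work() continues beyond the hunk.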
diff --git a/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch b/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 0000000000..5a690d21a8
--- /dev/null
+++ b/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
@@ -0,0 +1,35 @@
+From 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 12 Apr 2024 09:45:00 +0900
+Subject: ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a upstream.
+
+The response buffer should be allocated in smb2_allocate_rsp_buf
+before validating request. But the fields in payload as well as smb2 header
+is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
+validation to avoid potencial out-of-bounds in request buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -535,6 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_w
+ if (cmd == SMB2_QUERY_INFO_HE) {
+ struct smb2_query_info_req *req;
+
++ if (get_rfc1002_len(work->request_buf) <
++ offsetof(struct smb2_query_info_req, OutputBufferLength))
++ return -EINVAL;
++
+ req = smb2_get_msg(work->request_buf);
+ if ((req->InfoType == SMB2_O_INFO_FILE &&
+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
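Review bot: The new bound `offsetof(struct smb2_query_info_req, OutputBufferLength)` is just enough for the two fields the visible code reads, InfoType and FileInfoClass, but it is named after a field it does not cover, so anyone who later reads `req->OutputBufferLength` in this branch will assume it is validated when it is one field short. Expressing the bound as the last field actually read is self-documenting: `offsetofend(struct smb2_query_info_req, FileInfoClass)` — the same value if FileInfoClass is immediately followed by OutputBufferLength, which the hunk does not show. The check also only compares against the length the client claims in the RFC1002 header; I assume the caller has already reconciled that with the bytes actually received, which is worth confirming. smb2_allocate_rsp_buf() starts and ends outside the hunk.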
diff --git a/queue-6.8/series b/queue-6.8/series
index dbd5bf1f0f..1d7b553279 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -150,3 +150,7 @@ nilfs2-fix-oob-in-nilfs_set_de_type.patch
fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch
net-dsa-mt7530-fix-improper-frames-on-all-25mhz-and-40mhz-xtal-mt7530.patch
net-dsa-mt7530-fix-enabling-eee-on-mt7531-switch-on-all-boards.patch
+ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
+ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
+ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
+ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch