author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-23 09:56:04 -0700 |
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-23 09:56:04 -0700 |
commit | a95de64f6f0e714d1814bc7cd33793b65c7e3d30 (patch) | |
tree | 8548099f632be454b92adac3bffce605a9d2dd2b | |
parent | a5fc89d7b23ae1e7838b2feb24b58b670c314cd1 (diff) | |
download | stable-queue-a95de64f6f0e714d1814bc7cd33793b65c7e3d30.tar.gz |
6.8-stable patches
added patches:
ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
5 files changed, 170 insertions, 0 deletions
diff --git a/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch b/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
new file mode 100644
index 0000000000..6185105ab9
--- /dev/null
+++ b/queue-6.8/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
@@ -0,0 +1,43 @@
+From 4973b04d3ea577db80c501c5f14e68ec69fe1794 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Mon, 15 Apr 2024 15:12:48 +0200
+Subject: ksmbd: clear RENAME_NOREPLACE before calling vfs_rename
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+commit 4973b04d3ea577db80c501c5f14e68ec69fe1794 upstream.
+
+File overwrite case is explicitly handled, so it is not necessary to
+pass RENAME_NOREPLACE to vfs_rename.
+
+Clearing the flag fixes rename operations when the share is a ntfs-3g
+mount. The latter uses an older version of fuse with no support for
+flags in the ->rename op.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -754,10 +754,15 @@ retry:
+ goto out4;
+ }
+
++ /*
++ * explicitly handle file overwrite case, for compatibility with
++ * filesystems that may not support rename flags (e.g: fuse)
++ */
+ if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry)) {
+ err = -EEXIST;
+ goto out4;
+ }
++ flags &= ~(RENAME_NOREPLACE);
+
+ if (old_child == trap) {
+ err = -EINVAL;
diff --git a/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch b/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
new file mode 100644
index 0000000000..62f80dc49d
--- /dev/null
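Review bot: Clearing RENAME_NOREPLACE after the `d_is_positive(new_dentry)` check is only equivalent to letting the VFS enforce the flag if the new parent stays locked until vfs_rename runs; the `trap` comparison just below suggests both parents are already held via lock_rename, but the function starts above the hunk, so that cannot be confirmed here. The added comment should state that dependency so a later reordering does not reopen a silent-overwrite window, e.g. `* Safe only because the rename lock is already held here: the positive check above cannot race with a concurrent create.` The parentheses in `flags &= ~(RENAME_NOREPLACE);` are noise; `flags &= ~RENAME_NOREPLACE;` reads the same.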
+++ b/queue-6.8/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
@@ -0,0 +1,35 @@
+From 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 19 Apr 2024 23:46:34 +0900
+Subject: ksmbd: common: use struct_group_attr instead of struct_group for network_open_info
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 upstream.
+
+4byte padding cause the connection issue with the applications of MacOS.
+smb2_close response size increases by 4 bytes by padding, And the smb
+client of MacOS check it and stop the connection. This patch use
+struct_group_attr instead of struct_group for network_open_info to use
+ __packed to avoid padding.
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/common/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/common/smb2pdu.h
++++ b/fs/smb/common/smb2pdu.h
+@@ -702,7 +702,7 @@ struct smb2_close_rsp {
+ __le16 StructureSize; /* 60 */
+ __le16 Flags;
+ __le32 Reserved;
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
diff --git a/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch b/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 0000000000..45c4eec5d7
--- /dev/null
+++ b/queue-6.8/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
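Review bot: The wire size that `__packed` on the struct_group_attr restores is not pinned anywhere in the header; the `/* 60 */` beside StructureSize and the commit message both say the CLOSE response layout must not grow, so the next accidental padding change would again surface only as a client disconnect. If the struct is exactly the 60-byte layout the comment suggests, a one-line `static_assert(sizeof(struct smb2_close_rsp) == 60);` after its closing brace (which lies outside the hunk) turns that into a build error. The same kind of guard is worth considering wherever this group is reused.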
@@ -0,0 +1,53 @@
+From c119f4ede3fa90a9463f50831761c28f989bfb20 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 11 Apr 2024 23:02:15 +0900
+Subject: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c119f4ede3fa90a9463f50831761c28f989bfb20 upstream.
+
+If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
+validation could be skipped. if request size is smaller than
+sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
+smb2_allocate_rsp_buf(). This patch allocate response buffer after
+decrypting transform request. smb3_decrypt_req() will validate transform
+request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/server.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -167,20 +167,17 @@ static void __handle_ksmbd_work(struct k
+ int rc;
+ bool is_chained = false;
+
+- if (conn->ops->allocate_rsp_buf(work))
+- return;
+-
+ if (conn->ops->is_transform_hdr &&
+ conn->ops->is_transform_hdr(work->request_buf)) {
+ rc = conn->ops->decrypt_req(work);
+- if (rc < 0) {
+- conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+- goto send;
+- }
+-
++ if (rc < 0)
++ return;
+ work->encrypted = true;
+ }
+
++ if (conn->ops->allocate_rsp_buf(work))
++ return;
++
+ rc = conn->ops->init_rsp_hdr(work);
+ if (rc) {
+ /* either uid or tid is not correct */
diff --git a/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch b/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 0000000000..5a690d21a8
--- /dev/null
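Review bot: A transform request that fails `decrypt_req` is now dropped with a bare `return` instead of the STATUS_DATA_ERROR reply the removed lines sent, and nothing in the hunk records why; a later reader may well reinstate the reply and with it the unvalidated `allocate_rsp_buf` call ahead of the decrypt. The reason is presumably that no response buffer exists at that point, so a comment on the new early return would settle it, e.g. `/* no response buffer yet and the request could not be validated; drop it */`. The `send:` label that the removed goto targeted is outside the hunk, so whether it still has other users cannot be seen here.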
+++ b/queue-6.8/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
@@ -0,0 +1,35 @@
+From 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 12 Apr 2024 09:45:00 +0900
+Subject: ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a upstream.
+
+The response buffer should be allocated in smb2_allocate_rsp_buf
+before validating request. But the fields in payload as well as smb2 header
+is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
+validation to avoid potencial out-of-bounds in request buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -535,6 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_w
+ if (cmd == SMB2_QUERY_INFO_HE) {
+ struct smb2_query_info_req *req;
+
++ if (get_rfc1002_len(work->request_buf) <
++ offsetof(struct smb2_query_info_req, OutputBufferLength))
++ return -EINVAL;
++
+ req = smb2_get_msg(work->request_buf);
+ if ((req->InfoType == SMB2_O_INFO_FILE &&
+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
diff --git a/queue-6.8/series b/queue-6.8/series
index dbd5bf1f0f..1d7b553279 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
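Review bot: The new bound `offsetof(struct smb2_query_info_req, OutputBufferLength)` covers exactly the two fields read below it (InfoType and FileInfoClass), so it is correct only as long as this function never touches OutputBufferLength or anything after it; that coupling is implicit and easy to break. A comment on the check would make it explicit, e.g. `/* only InfoType/FileInfoClass are read here; widen this bound if more fields are used */`. The comparison is also against the RFC1002 length of the whole buffer while `req` is the leading message from smb2_get_msg, which appears consistent for this call site; smb2_allocate_rsp_buf continues on both sides of the hunk, so the rest of its reads cannot be checked here.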
@@ -150,3 +150,7 @@ nilfs2-fix-oob-in-nilfs_set_de_type.patch
 fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch
 net-dsa-mt7530-fix-improper-frames-on-all-25mhz-and-40mhz-xtal-mt7530.patch
 net-dsa-mt7530-fix-enabling-eee-on-mt7531-switch-on-all-boards.patch
+ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
+ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
+ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
+ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch |