Commit 057fdc02 authored by Yongjian Sun's avatar Yongjian Sun
Browse files

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write 

mainline inclusion
from mainline-v6.12-rc3
commit 313dab082289e460391c82d855430ec8a28ddf81
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAP7
CVE: CVE-2024-56626

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=313dab082289e460391c82d855430ec8a28ddf81



--------------------------------

An offset from client could be a negative value, It could allows
to write data outside the bounds of the allocated buffer.
Note that this issue is coming when setting
'vfs objects = streams_xattr parameter' in ksmbd.conf.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: default avatarJordy Zomer <jordyzomer@google.com>
Signed-off-by: default avatarJordy Zomer <jordyzomer@google.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Conflicts:
	fs/smb/server/smb2pdu.c
	fs/ksmbd/smb2pdu.c
[Location and context differences.]
Signed-off-by: default avatarYongjian Sun <sunyongjian1@huawei.com>
parent 1c1825ed

fs/ksmbd/smb2pdu.c

+5 −3
Original line number Diff line number Diff line
@@ -6535,6 +6535,11 @@ int smb2_write(struct ksmbd_work *work) 
		return smb2_write_pipe(work);

	}



	offset = le64_to_cpu(req->Offset);

	if (offset < 0)

		return -EINVAL;

	length = le32_to_cpu(req->Length);



	if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||

	    req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE) {

		unsigned int ch_offset = le16_to_cpu(req->WriteChannelInfoOffset);
@@ -6573,9 +6578,6 @@ int smb2_write(struct ksmbd_work *work) 
		goto out;

	}



	offset = le64_to_cpu(req->Offset);

	length = le32_to_cpu(req->Length);



	if (length > work->conn->vals->max_write_size) {

		ksmbd_debug(SMB, "limiting write size to max size(%u)\n",

			    work->conn->vals->max_write_size);