Commit 08b8f587 authored by Namjae Jeon's avatar Namjae Jeon Committed by ZhaoLong Wang
Browse files

ksmbd: validate payload size in ipc response 

stable inclusion
from stable-v5.15.157
commit 88b7f1143b15b29cccb8392b4f38e75b7bb3e300
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9EYBG
CVE: CVE-2024-26811

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=88b7f1143b15b29cccb8392b4f38e75b7bb3e300



--------------------------------

[ Upstream commit a677ebd8ca2f2632ccdecbad7b87641274e15aac ]

If installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc
response to ksmbd kernel server. ksmbd should validate payload size of
ipc response from ksmbd.mountd to avoid memory overrun or
slab-out-of-bounds. This patch validate 3 ipc response that has payload.

Cc: stable@vger.kernel.org
Reported-by: default avatarChao Ma <machao2019@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Conflicts:
    fs/ksmbd/ksmbd_netlink.h
Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
parent 3a4c6550

fs/ksmbd/ksmbd_netlink.h

+2 −1
Original line number Diff line number Diff line
@@ -162,7 +162,8 @@ struct ksmbd_share_config_response { 
	__u16	force_directory_mode;

	__u16	force_uid;

	__u16	force_gid;

	__u32	reserved[128];		/* Reserved room */

	__u32	reserved[127];		/* Reserved room */

	__u32	payload_sz;

	__u32	veto_list_sz;

	__s8	____payload[];

};

fs/ksmbd/mgmt/share_config.c

+6 −1
Original line number Diff line number Diff line
@@ -139,7 +139,12 @@ static struct ksmbd_share_config *share_config_request(char *name) 
	share->name = kstrdup(name, GFP_KERNEL);



	if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {

		share->path = kstrdup(ksmbd_share_config_path(resp),

		int path_len = PATH_MAX;



		if (resp->payload_sz)

			path_len = resp->payload_sz - resp->veto_list_sz;



		share->path = kstrndup(ksmbd_share_config_path(resp), path_len,

				      GFP_KERNEL);

		if (share->path)

			share->path_sz = strlen(share->path);

fs/ksmbd/transport_ipc.c

+37 −0
Original line number Diff line number Diff line
@@ -64,6 +64,7 @@ struct ipc_msg_table_entry { 
	struct hlist_node	ipc_table_hlist;



	void			*response;

	unsigned int		msg_sz;

};



static struct delayed_work ipc_timer_work;
@@ -273,6 +274,7 @@ static int handle_response(int type, void *payload, size_t sz) 
		}



		memcpy(entry->response, payload, sz);

		entry->msg_sz = sz;

		wake_up_interruptible(&entry->wait);

		ret = 0;

		break;
@@ -446,6 +448,34 @@ static int ipc_msg_send(struct ksmbd_ipc_msg *msg) 
	return ret;

}



static int ipc_validate_msg(struct ipc_msg_table_entry *entry)

{

	unsigned int msg_sz = entry->msg_sz;



	if (entry->type == KSMBD_EVENT_RPC_REQUEST) {

		struct ksmbd_rpc_command *resp = entry->response;



		msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;

	} else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {

		struct ksmbd_spnego_authen_response *resp = entry->response;



		msg_sz = sizeof(struct ksmbd_spnego_authen_response) +

				resp->session_key_len + resp->spnego_blob_len;

	} else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {

		struct ksmbd_share_config_response *resp = entry->response;



		if (resp->payload_sz) {

			if (resp->payload_sz < resp->veto_list_sz)

				return -EINVAL;



			msg_sz = sizeof(struct ksmbd_share_config_response) +

					resp->payload_sz;

		}

	}



	return entry->msg_sz != msg_sz ? -EINVAL : 0;

}



static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)

{

	struct ipc_msg_table_entry entry;
@@ -470,6 +500,13 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle 
	ret = wait_event_interruptible_timeout(entry.wait,

					       entry.response != NULL,

					       IPC_WAIT_TIMEOUT);

	if (entry.response) {

		ret = ipc_validate_msg(&entry);

		if (ret) {

			kvfree(entry.response);

			entry.response = NULL;

		}

	}

out:

	down_write(&ipc_msg_table_lock);

	hash_del(&entry.ipc_table_hlist);