Unverified Commit 62cc7977 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!12553 Fix CVE-2024-49996

Merge Pull Request from: @ci-robot 
 
PR sync from: Long Li <leo.lilong@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6WYXCQDZNUPWKI7ZX6ZTK7B5CNWJJ6BR/ 
This patch set fixes CVE-2024-49996.

Pali Rohár (1):
  cifs: Fix buffer overflow when parsing NFS reparse points

Paulo Alcantara (1):
  smb: client: fix parsing of device numbers


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/IAYRA3 
 
Link:https://gitee.com/openeuler/kernel/pulls/12553

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents c2866e29 6a7d6b4c
+17 −4
@@ -320,9 +320,16 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
	unsigned int len;
	u64 type;

	len = le16_to_cpu(buf->ReparseDataLength);
	if (len < sizeof(buf->InodeType)) {
		cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
		return -EIO;
	}

	len -= sizeof(buf->InodeType);

	switch ((type = le64_to_cpu(buf->InodeType))) {
	case NFS_SPECFILE_LNK:
		len = le16_to_cpu(buf->ReparseDataLength);
		data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer,
							       len, true,
							       cifs_sb->local_nls);
@@ -468,7 +475,7 @@ static void wsl_to_fattr(struct cifs_open_info_data *data,
		else if (!strncmp(name, SMB2_WSL_XATTR_MODE, nlen))
			fattr->cf_mode = (umode_t)le32_to_cpu(*(__le32 *)v);
		else if (!strncmp(name, SMB2_WSL_XATTR_DEV, nlen))
			fattr->cf_rdev = wsl_mkdev(v);
			fattr->cf_rdev = reparse_mkdev(v);
	} while (next);
out:
	fattr->cf_dtype = S_DT(fattr->cf_mode);
@@ -482,14 +489,20 @@ bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb,
	u32 tag = data->reparse.tag;

	if (tag == IO_REPARSE_TAG_NFS && buf) {
		if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType))
			return false;
		switch (le64_to_cpu(buf->InodeType)) {
		case NFS_SPECFILE_CHR:
			if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
				return false;
			fattr->cf_mode |= S_IFCHR;
			fattr->cf_rdev = reparse_nfs_mkdev(buf);
			fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
			break;
		case NFS_SPECFILE_BLK:
			if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
				return false;
			fattr->cf_mode |= S_IFBLK;
			fattr->cf_rdev = reparse_nfs_mkdev(buf);
			fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
			break;
		case NFS_SPECFILE_FIFO:
			fattr->cf_mode |= S_IFIFO;
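Review bot: In the NFS_SPECFILE_CHR and NFS_SPECFILE_BLK cases the new length check hard-codes `8` for the payload that reparse_mkdev() reads as a single `__le64`, so the guard and the read are coupled only by convention; writing it as `if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + sizeof(__le64))` (or a named constant shared with reparse_mkdev()) keeps the two in step if either side changes. The same literal is repeated in both cases, so one named constant would also remove the duplication. The added checks here and the one in parse_reparse_posix() compare ReparseDataLength only against its own fields; whether ReparseDataLength has already been bounded by the length actually received from the server is not visible in these hunks and presumably happens in the caller, which would be worth recording at the first check with `/* ReparseDataLength is bounded by the received buffer length in the caller */` once confirmed. cifs_reparse_point_to_fattr() continues past the end of the hunk.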
+1 −8
@@ -18,14 +18,7 @@
 */
#define IO_REPARSE_TAG_INTERNAL ((__u32)~0U)

static inline dev_t reparse_nfs_mkdev(struct reparse_posix_data *buf)
{
	u64 v = le64_to_cpu(*(__le64 *)buf->DataBuffer);

	return MKDEV(v >> 32, v & 0xffffffff);
}

static inline dev_t wsl_mkdev(void *ptr)
static inline dev_t reparse_mkdev(void *ptr)
{
	u64 v = le64_to_cpu(*(__le64 *)ptr);