Commit 7006d14f authored Dec 31, 2024 by Jordy Zomer Committed by Long Li Dec 31, 2024

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

mainline inclusion
from mainline-v6.10-rc2
commit fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAPD
CVE: CVE-2024-56627

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9



--------------------------------

An offset from client could be a negative value, It could lead
to an out-of-bounds read from the stream_buf.
Note that this issue is coming when setting
'vfs objects = streams_xattr parameter' in ksmbd.conf.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: Jordy Zomer <jordyzomer@google.com>
Signed-off-by: Jordy Zomer <jordyzomer@google.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Long Li <leo.lilong@huawei.com>

parent 1e531b83

fs/smb/server/smb2pdu.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -6653,6 +6653,10 @@ int smb2_read(struct ksmbd_work *work)
		}

		offset = le64_to_cpu(req->Offset);
		if (offset < 0) {
		err = -EINVAL;
		goto out;
		}
		length = le32_to_cpu(req->Length);
		mincount = le32_to_cpu(req->MinimumCount);