Commit fde64299 authored Jul 05, 2024 by Namjae Jeon Committed by Jinjiang Tu Jul 05, 2024

ksmbd: fix wrong DataOffset validation of create context

mainline inclusion
from mainline-v6.6-rc1
commit 17d5b135
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAAVBH
CVE: CVE-2023-4458

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17d5b135bb720832364e8f55f6a887a3c7ec8fdb



--------------------------------

If ->DataOffset of create context is 0, DataBuffer size is not correctly
validated. This patch change wrong validation code and consider tag
length in request.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

Conflicts:
	fs/ksmbd/oplock.c
	fs/smb/server/oplock.c
[oplock.c hasn't moved from fs/ksmbd to fs/smb/server.]
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>

parent a357694f

fs/ksmbd/oplock.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1488,7 +1488,7 @@ struct create_context smb2_find_context_vals(void open_req, const char *tag, i
		name_len < 4 \|\|
		name_off + name_len > cc_len \|\|
		(value_off & 0x7) != 0 \|\|
		(value_off && (value_off < name_off + name_len)) \|\|
		(value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) \|\|
		((u64)value_off + value_len > cc_len))
		return ERR_PTR(-EINVAL);

Original line number	Diff line number	Diff line
		@@ -1488,7 +1488,7 @@ struct create_context smb2_find_context_vals(void open_req, const char *tag, i
		name_len < 4 \|\|
		name_off + name_len > cc_len \|\|
		(value_off & 0x7) != 0 \|\|
		(value_off && (value_off < name_off + name_len)) \|\|
		(value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) \|\|
		((u64)value_off + value_len > cc_len))
		return ERR_PTR(-EINVAL);