lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Oct 2022 00:39:43 +0800 From: Hawkins Jiawei <yin31149@...il.com> To: yin31149@...il.com, Steve French <sfrench@...ba.org>, Paulo Alcantara <pc@....nz>, Ronnie Sahlberg <lsahlber@...hat.com>, Shyam Prasad N <sprasad@...rosoft.com>, Tom Talpey <tom@...pey.com> Cc: 18801353760@....com, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-cifs@...r.kernel.org, samba-technical@...ts.samba.org Subject: [PATCH -next 1/5] smb3: fix possible null-ptr-deref when parsing param According to commit "vfs: parse: deal with zero length string value", kernel will set the param->string to null pointer in vfs_parse_fs_string() if fs string has zero length. Yet the problem is that, smb3_fs_context_parse_param() will dereferences the param->string, without checking whether it is a null pointer, which may trigger a null-ptr-deref bug. This patch solves it by adding sanity check on param->string in smb3_fs_context_parse_param(). Signed-off-by: Hawkins Jiawei <yin31149@...il.com> --- fs/cifs/fs_context.c | 58 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c index 45119597c765..7832e5d6bbb0 100644 --- a/fs/cifs/fs_context.c +++ b/fs/cifs/fs_context.c @@ -858,7 +858,8 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, * fs_parse can not handle string options with an empty value so * we will need special handling of them. */ - if (param->type == fs_value_is_string && param->string[0] == 0) { + if ((param->type == fs_value_is_string && param->string[0] == 0) || + param->type == fs_value_is_empty) { if (!strcmp("pass", param->key) || !strcmp("password", param->key)) { skip_parsing = true; opt = Opt_pass; @@ -1124,6 +1125,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, case Opt_source: kfree(ctx->UNC); ctx->UNC = NULL; + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } switch (smb3_parse_devname(param->string, ctx)) { case 0: break; @@ -1181,6 +1187,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_ip: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strlen(param->string) == 0) { ctx->got_ip = false; break; @@ -1194,6 +1205,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, ctx->got_ip = true; break; case Opt_domain: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, CIFS_MAX_DOMAINNAME_LEN) == CIFS_MAX_DOMAINNAME_LEN) { pr_warn("domain name too long\n"); @@ -1209,6 +1225,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "Domain name set\n"); break; case Opt_srcaddr: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (!cifs_convert_address( (struct sockaddr *)&ctx->srcaddr, param->string, strlen(param->string))) { @@ -1218,6 +1239,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_iocharset: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, 1024) >= 65) { pr_warn("iocharset name too long\n"); goto cifs_parse_mount_err; @@ -1237,6 +1263,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "iocharset set to %s\n", ctx->iocharset); break; case Opt_netbiosname: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } memset(ctx->source_rfc1001_name, 0x20, RFC1001_NAME_LEN); /* @@ -1257,6 +1288,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("netbiosname longer than 15 truncated\n"); break; case Opt_servern: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* last byte, type, is 0x20 for servr type */ memset(ctx->target_rfc1001_name, 0x20, RFC1001_NAME_LEN_WITH_NULL); @@ -1277,6 +1313,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("server netbiosname longer than 15 truncated\n"); break; case Opt_ver: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* version of mount userspace tools, not dialect */ /* If interface changes in mount.cifs bump to new ver */ if (strncasecmp(param->string, "1", 1) == 0) { @@ -1292,16 +1333,31 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("Invalid mount helper version specified\n"); goto cifs_parse_mount_err; case Opt_vers: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* protocol version (dialect) */ if (cifs_parse_smb_version(fc, param->string, ctx, is_smb3) != 0) goto cifs_parse_mount_err; ctx->got_version = true; break; case Opt_sec: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_security_flavors(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break; case Opt_cache: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_cache_flavor(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break; -- 2.25.1
Powered by blists - more mailing lists