lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <4B489C2C-5463-4776-8182-F878BAD1754A@linux.dev>
Date: Tue, 24 Sep 2024 22:56:50 +0200
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Tom Talpey <tom@...pey.com>
Cc: Namjae Jeon <linkinjeon@...nel.org>,
 Steve French <sfrench@...ba.org>,
 Sergey Senozhatsky <senozhatsky@...omium.org>,
 Kees Cook <kees@...nel.org>,
 "Gustavo A. R. Silva" <gustavoars@...nel.org>,
 linux-cifs@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Annotate struct copychunk_ioctl_req with
 __counted_by_le()

On 24. Sep 2024, at 21:33, Thorsten Blum <thorsten.blum@...ux.dev> wrote:
>> On 24. Sep 2024, at 20:05, Tom Talpey <tom@...pey.com> wrote:
>> On 9/24/2024 6:22 AM, Thorsten Blum wrote:
>>> Add the __counted_by_le compiler attribute to the flexible array member
>>> Chunks to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
>>> CONFIG_FORTIFY_SOURCE.
>>> Read Chunks[0] after checking that ChunkCount is not 0.
>>> Compile-tested only.
>>> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
>>> ---
>>> fs/smb/server/smb2pdu.c | 2 +-
>>> fs/smb/server/smb2pdu.h | 2 +-
>>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
>>> index 461c4fc682ac..0670bdf3e167 100644
>>> --- a/fs/smb/server/smb2pdu.c
>>> +++ b/fs/smb/server/smb2pdu.c
>>> @@ -7565,7 +7565,6 @@ static int fsctl_copychunk(struct ksmbd_work *work,
>>>  ci_rsp->TotalBytesWritten =
>>>  cpu_to_le32(ksmbd_server_side_copy_max_total_size());
>>> - chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
>>>  chunk_count = le32_to_cpu(ci_req->ChunkCount);
>>>  if (chunk_count == 0)
>>>  goto out;
>>> @@ -7579,6 +7578,7 @@ static int fsctl_copychunk(struct ksmbd_work *work,
>>>  return -EINVAL;
>>>  }
>>> + chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
>>>  for (i = 0; i < chunk_count; i++) {
>>>  if (le32_to_cpu(chunks[i].Length) == 0 ||
>>>     le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
>>> diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h
>>> index 73aff20e22d0..f01121dbf358 100644
>>> --- a/fs/smb/server/smb2pdu.h
>>> +++ b/fs/smb/server/smb2pdu.h
>>> @@ -194,7 +194,7 @@ struct copychunk_ioctl_req {
>>>  __le64 ResumeKey[3];
>>>  __le32 ChunkCount;
>>>  __le32 Reserved;
>>> - __u8 Chunks[]; /* array of srv_copychunk */
>>> + __u8 Chunks[] __counted_by_le(ChunkCount); /* array of srv_copychunk */
>>> } __packed;
>>> 
>> 
>> This isn't correct. The u8 is just a raw buffer, copychunk structs are
>> marshaled into it, and they're 24 bytes each.
> 
> Hm, I see.
> 
> How does this for-loop work then? It iterates over ci_req->ChunkCount
> and expects a srv_copychunk at each ci_req->Chunks[i]?
> 
> for (i = 0; i < chunk_count; i++) {
> if (le32_to_cpu(chunks[i].Length) == 0 ||
>     le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
> break;
> total_size_written += le32_to_cpu(chunks[i].Length);
> }

Never mind, I just realized that the pointer arithmetic takes the array
offset into account.

A srv_copychunk takes up 24 bytes and therefore 24 __u8[] slots. The
__counted_by annotation is essentially off by a factor of 24.

Thanks,
Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ