lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH2r5mswCDw+rk-f5Tcd1niTz2prPNxbOfwyG_XSL5xRwRsbeg@mail.gmail.com>
Date: Sat, 12 Oct 2024 23:21:43 -0500
From: Steve French <smfrench@...il.com>
To: Pali Rohár <pali@...nel.org>
Cc: Steve French <sfrench@...ba.org>, Paulo Alcantara <pc@...guebit.com>, 
	Ronnie Sahlberg <ronniesahlberg@...il.com>, linux-cifs@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 5/6] cifs: Validate content of native symlink

This looks like one of the more important of the fixes of this series
- let me know if any thoughts or Reviewed-by/Acked-by on it.  I may
try to send this earlier than the others

Pali,
Let me know if I missed dependencies that this patch depends on

On Sat, Oct 5, 2024 at 9:03 AM Pali Rohár <pali@...nel.org> wrote:
>
> Check that path buffer has correct length (it is non-zero and in UNICODE
> mode it has even number of bytes) and check that buffer does not contain
> null character (UTF-16 null codepoint in UNICODE mode or null byte in
> non-unicode mode) because Linux cannot process symlink with null byte.
>
> Signed-off-by: Pali Rohár <pali@...nel.org>
> ---
>  fs/smb/client/reparse.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
> index 0d1cea64ab6e..fb1d16b17f38 100644
> --- a/fs/smb/client/reparse.c
> +++ b/fs/smb/client/reparse.c
> @@ -544,6 +544,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
>         int rc;
>         int i;
>
> +       /* Check that length it valid for unicode/non-unicode mode */
> +       if (!len || (unicode && (len % 2))) {
> +               cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
> +               rc = -EIO;
> +               goto out;
> +       }
> +
> +       /*
> +        * Check that buffer does not contain UTF-16 null codepoint in unicode
> +        * mode or null byte in non-unicode mode because Linux cannot process
> +        * symlink with null byte.
> +        */
> +       if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
> +           (!unicode && strnlen(buf, len) != len)) {
> +               cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
> +               rc = -EIO;
> +               goto out;
> +       }
> +
>         smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
>         if (!smb_target) {
>                 rc = -ENOMEM;
> --
> 2.20.1
>
>


-- 
Thanks,

Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ