| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b00cd043-7e52-4462-8bb7-b067095bd5fd@stanley.mountain>
Date: Mon, 13 Jan 2025 09:17:48 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Namjae Jeon <linkinjeon@...nel.org>
Cc: Steve French <sfrench@...ba.org>,
Sergey Senozhatsky <senozhatsky@...omium.org>,
Tom Talpey <tom@...pey.com>, linux-cifs@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems
On 32bit systems the addition operations in ipc_msg_alloc() can
potentially overflow leading to memory corruption. Fix this using
size_add() which will ensure that the invalid allocations do not succeed.
In the callers, move the two constant values
"sizeof(struct ksmbd_rpc_command) + 1" onto the same side and use
size_add() for the user controlled values.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@...r.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
I sent this patch in Oct 2023 but it wasn't applied.
https://lore.kernel.org/all/205c4ec1-7c41-4f5d-8058-501fc1b5163c@moroto.mountain/
I reviewed this code again today and it is still an issue.
fs/smb/server/transport_ipc.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index befaf42b84cc..ec72c97b2f0b 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -242,7 +242,7 @@ static void ipc_update_last_active(void)
static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
{
struct ksmbd_ipc_msg *msg;
- size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);
+ size_t msg_sz = size_add(sz, sizeof(struct ksmbd_ipc_msg));
msg = kvzalloc(msg_sz, KSMBD_DEFAULT_GFP);
if (msg)
@@ -626,8 +626,8 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
struct ksmbd_spnego_authen_request *req;
struct ksmbd_spnego_authen_response *resp;
- msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
- blob_len + 1);
+ msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_spnego_authen_request) + 1,
+ blob_len));
if (!msg)
return NULL;
@@ -805,7 +805,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
struct ksmbd_rpc_command *req;
struct ksmbd_rpc_command *resp;
- msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1,
+ payload_sz));
if (!msg)
return NULL;
@@ -853,7 +854,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
struct ksmbd_rpc_command *req;
struct ksmbd_rpc_command *resp;
- msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
if (!msg)
return NULL;
@@ -878,7 +879,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
struct ksmbd_rpc_command *req;
struct ksmbd_rpc_command *resp;
- msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
if (!msg)
return NULL;
--
2.45.2
Powered by blists - more mailing lists