From: Greg Kroah-Hartman
Date: Tue, 10 Jan 2023 16:01:03 +0000 (+0100)
Subject: 6.0-stable patches
X-Git-Tag: v5.15.87~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e4eb5ef9a9ac3f89c65c8def4e677df92b36f9d;p=thirdparty%2Fkernel%2Fstable-queue.git
6.0-stable patches
added patches:
ksmbd-check-nt_len-to-be-at-least-cifs_encpwd_size-in-ksmbd_decode_ntlmssp_auth_blob.patch
ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch
ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
---
diff --git a/queue-6.0/ksmbd-check-nt_len-to-be-at-least-cifs_encpwd_size-in-ksmbd_decode_ntlmssp_auth_blob.patch b/queue-6.0/ksmbd-check-nt_len-to-be-at-least-cifs_encpwd_size-in-ksmbd_decode_ntlmssp_auth_blob.patch
new file mode 100644
index 00000000000..2ee6ef94cf9
--- /dev/null
+++ b/queue-6.0/ksmbd-check-nt_len-to-be-at-least-cifs_encpwd_size-in-ksmbd_decode_ntlmssp_auth_blob.patch
@@ -0,0 +1,41 @@
+From 797805d81baa814f76cf7bdab35f86408a79d707 Mon Sep 17 00:00:00 2001
+From: William Liu
+Date: Fri, 30 Dec 2022 13:03:15 +0900
+Subject: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: William Liu
+
+commit 797805d81baa814f76cf7bdab35f86408a79d707 upstream.
+
+"nt_len - CIFS_ENCPWD_SIZE" is passed directly from
+ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests
+can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative
+number (or large unsigned value) used for a subsequent memcpy in
+ksmbd_auth_ntlvm2 and can cause a panic.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Signed-off-by: William Liu
+Signed-off-by: Hrvoje Mišetić
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ksmbd/auth.c
++++ b/fs/ksmbd/auth.c
+@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc
+ dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
+ dn_len = le16_to_cpu(authblob->DomainName.Length);
+
+- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
++ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
++ nt_len < CIFS_ENCPWD_SIZE)
+ return -EINVAL;
+
+ /* TODO : use domain name that imported from configuration file */
diff --git a/queue-6.0/ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch b/queue-6.0/ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch
new file mode 100644
index 00000000000..f4a9bc77439
--- /dev/null
+++ b/queue-6.0/ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch
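Review bot: The added `nt_len < CIFS_ENCPWD_SIZE` clause reads as an unrelated length check sitting next to the two blob-bounds comparisons, because the `nt_len - CIFS_ENCPWD_SIZE` subtraction it protects is outside the hunk and only explained in the changelog; a one-line comment above the `if` would tie them together, e.g. `/* nt_len - CIFS_ENCPWD_SIZE is handed to ksmbd_auth_ntlmv2(); reject blobs shorter than the encrypted-password block before that underflows */`. The commit message names the callee both as `ksmbd_auth_ntlmv2` and as `ksmbd_auth_ntlvm2`; the second looks like a transposition of the first. ksmbd_decode_ntlmssp_auth_blob() starts and ends outside the hunk.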
@@ -0,0 +1,69 @@
+From 83dcedd5540d4ac61376ddff5362f7d9f866a6ec Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sat, 31 Dec 2022 17:32:31 +0900
+Subject: ksmbd: fix infinite loop in ksmbd_conn_handler_loop()
+
+From: Namjae Jeon
+
+commit 83dcedd5540d4ac61376ddff5362f7d9f866a6ec upstream.
+
+If kernel_recvmsg() return -EAGAIN in ksmbd_tcp_readv() and go round
+again, It will cause infinite loop issue. And all threads from next
+connections would be doing that. This patch add max retry count(2) to
+avoid it. kernel_recvmsg() will wait during 7sec timeout and try to
+retry two time if -EAGAIN is returned. And add flags of kvmalloc to
+__GFP_NOWARN and __GFP_NORETRY to disconnect immediately without
+retrying on memory alloation failure.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259
+Reviewed-by: Sergey Senozhatsky
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/connection.c | 7 +++++--
+ fs/ksmbd/transport_tcp.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/ksmbd/connection.c
++++ b/fs/ksmbd/connection.c
+@@ -310,9 +310,12 @@ int ksmbd_conn_handler_loop(void *p)
+
+ /* 4 for rfc1002 length field */
+ size = pdu_size + 4;
+- conn->request_buf = kvmalloc(size, GFP_KERNEL);
++ conn->request_buf = kvmalloc(size,
++ GFP_KERNEL |
++ __GFP_NOWARN |
++ __GFP_NORETRY);
+ if (!conn->request_buf)
+- continue;
++ break;
+
+ memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
+ if (!ksmbd_smb_request(conn))
+--- a/fs/ksmbd/transport_tcp.c
++++ b/fs/ksmbd/transport_tcp.c
+@@ -295,6 +295,7 @@ static int ksmbd_tcp_readv(struct tcp_tr
+ struct msghdr ksmbd_msg;
+ struct kvec *iov;
+ struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn;
++ int max_retry = 2;
+
+ iov = get_conn_iovec(t, nr_segs);
+ if (!iov)
+@@ -321,9 +322,11 @@ static int ksmbd_tcp_readv(struct tcp_tr
+ } else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {
+ total_read = -EAGAIN;
+ break;
+- } else if (length == -ERESTARTSYS || length == -EAGAIN) {
++ } else if ((length == -ERESTARTSYS || length == -EAGAIN) &&
++ max_retry) {
+ usleep_range(1000, 2000);
+ length = 0;
++ max_retry--;
+ continue;
+ } else if (length <= 0) {
+ total_read = -EAGAIN;
diff --git a/queue-6.0/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch b/queue-6.0/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
new file mode 100644
index 00000000000..1826e216ef4
--- /dev/null
+++ b/queue-6.0/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
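Review bot: `int max_retry = 2;` in ksmbd_tcp_readv() is a bare literal whose meaning (two further recv waits per readv call, each bounded by the socket timeout the changelog puts at 7 seconds) is only recoverable from the commit message; a file-scope constant such as `#define KSMBD_TCP_RECV_MAX_RETRY 2` would document the budget and keep it in one place. The new `&& max_retry` condition also deserves a comment saying that once the budget is spent, `-ERESTARTSYS` and `-EAGAIN` fall through to the `length <= 0` branch, which sets `total_read = -EAGAIN` and presumably ends the read, since that is a deliberate change from the previous unconditional retry. Both ksmbd_conn_handler_loop() and ksmbd_tcp_readv() start and end outside their hunks, so whether the caller frees any previous `conn->request_buf` before the `break` on allocation failure cannot be checked from here.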
@@ -0,0 +1,53 @@
+From cdfb2fef522d0c3f9cf293db51de88e9b3d46846 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis
+Date: Fri, 23 Dec 2022 11:59:31 +0100
+Subject: ksmbd: send proper error response in smb2_tree_connect()
+
+From: Marios Makassikis
+
+commit cdfb2fef522d0c3f9cf293db51de88e9b3d46846 upstream.
+
+Currently, smb2_tree_connect doesn't send an error response packet on
+error.
+
+This causes libsmb2 to skip the specific error code and fail with the
+following:
+ smb2_service failed with : Failed to parse fixed part of command
+ payload. Unexpected size of Error reply. Expected 9, got 8
+
+Signed-off-by: Marios Makassikis
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/smb2pdu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -1926,13 +1926,13 @@ int smb2_tree_connect(struct ksmbd_work
+ if (conn->posix_ext_supported)
+ status.tree_conn->posix_extensions = true;
+
+-out_err1:
+ rsp->StructureSize = cpu_to_le16(16);
++ inc_rfc1001_len(work->response_buf, 16);
++out_err1:
+ rsp->Capabilities = 0;
+ rsp->Reserved = 0;
+ /* default manual caching */
+ rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;
+- inc_rfc1001_len(work->response_buf, 16);
+
+ if (!IS_ERR(treename))
+ kfree(treename);
+@@ -1965,6 +1965,9 @@ out_err1:
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ }
+
++ if (status.ret != KSMBD_TREE_CONN_STATUS_OK)
++ smb2_set_err_rsp(work);
++
+ return rc;
+ }
+
diff --git a/queue-6.0/series b/queue-6.0/series
index 35a16499eb8..f9dda7781a9 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
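Review bot: With `out_err1:` moved below `inc_rfc1001_len(work->response_buf, 16)`, the error path still executes the `rsp->Capabilities`, `rsp->Reserved` and `rsp->ShareFlags` stores before reaching the new `smb2_set_err_rsp(work)` call; if that helper rewrites the response body as the 9-byte error frame the changelog describes, those three stores are dead on the error path and the label could sit after `rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;` instead, or a comment at the label could say they are harmless. The new `status.ret != KSMBD_TREE_CONN_STATUS_OK` test also relies on every `goto out_err1` site having set `status.ret` beforehand; those sites are outside the hunk, so worth confirming and recording at the label, e.g. `/* every jump to out_err1 sets status.ret; smb2_set_err_rsp() below keys off it */`. smb2_tree_connect() begins before the first hunk.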
@@ -140,3 +140,6 @@ drm-i915-gvt-fix-vgpu-debugfs-clean-in-remove.patch
 virtio-blk-use-a-helper-to-handle-request-queuing-er.patch
 virtio_blk-fix-signedness-bug-in-virtblk_prep_rq.patch
 btrfs-handle-case-when-repair-happens-with-dev-repla.patch
+ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch
+ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
+ksmbd-check-nt_len-to-be-at-least-cifs_encpwd_size-in-ksmbd_decode_ntlmssp_auth_blob.patch