From: Greg Kroah-Hartman
Date: Tue, 23 Apr 2024 16:55:15 +0000 (-0700)
Subject: 6.1-stable patches
X-Git-Tag: v5.15.157~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b5597802897012cf7f1de322881f4565c4182db3;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches added patches: ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
---
diff --git a/queue-6.1/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch b/queue-6.1/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
new file mode 100644
index 00000000000..ebc2977c21a
--- /dev/null
+++ b/queue-6.1/ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
@@ -0,0 +1,43 @@
+From 4973b04d3ea577db80c501c5f14e68ec69fe1794 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis
+Date: Mon, 15 Apr 2024 15:12:48 +0200
+Subject: ksmbd: clear RENAME_NOREPLACE before calling vfs_rename
+
+From: Marios Makassikis
+
+commit 4973b04d3ea577db80c501c5f14e68ec69fe1794 upstream.
+
+File overwrite case is explicitly handled, so it is not necessary to
+pass RENAME_NOREPLACE to vfs_rename.
+
+Clearing the flag fixes rename operations when the share is a ntfs-3g
+mount. The latter uses an older version of fuse with no support for
+flags in the ->rename op.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marios Makassikis
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -746,10 +746,15 @@ retry:
+ goto out4;
+ }
+
++ /*
++ * explicitly handle file overwrite case, for compatibility with
++ * filesystems that may not support rename flags (e.g: fuse)
++ */
+ if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry)) {
+ err = -EEXIST;
+ goto out4;
+ }
++ flags &= ~(RENAME_NOREPLACE);
+
+ if (old_child == trap) {
+ err = -EINVAL;
diff --git a/queue-6.1/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch b/queue-6.1/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
new file mode 100644
index 00000000000..42fb3d40861
--- /dev/null
+++ b/queue-6.1/ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
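Review bot: The `d_is_positive(new_dentry)` test and the vfs_rename it now stands in for are only equivalent to RENAME_NOREPLACE if the destination cannot appear between the two, so once the flag is cleared the overwrite protection rests entirely on the parent-directory rename lock that the `retry:` label suggests is held across both; that lock and the vfs_rename call are outside the hunk and should be confirmed when this is backported. Without that lock held through the rename, a client NOREPLACE request could overwrite a file created in the window, which is the exact guarantee the flag used to give the filesystem. The added comment explains the fuse motivation but not this precondition; I would extend it with `* NOTE: only safe because new_dentry was looked up under the rename lock, which must stay held until vfs_rename returns`. ksmbd_vfs_rename starts and ends outside the hunk.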
@@ -0,0 +1,35 @@
+From 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Fri, 19 Apr 2024 23:46:34 +0900
+Subject: ksmbd: common: use struct_group_attr instead of struct_group for network_open_info
+
+From: Namjae Jeon
+
+commit 0268a7cc7fdc47d90b6c18859de7718d5059f6f1 upstream.
+
+4byte padding cause the connection issue with the applications of MacOS.
+smb2_close response size increases by 4 bytes by padding, And the smb
+client of MacOS check it and stop the connection. This patch use
+struct_group_attr instead of struct_group for network_open_info to use
+ __packed to avoid padding.
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/common/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/common/smb2pdu.h
++++ b/fs/smb/common/smb2pdu.h
+@@ -699,7 +699,7 @@ struct smb2_close_rsp {
+ __le16 StructureSize; /* 60 */
+ __le16 Flags;
+ __le32 Reserved;
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
diff --git a/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch b/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 00000000000..45c4eec5d7c
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
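Review bot: Packing the group restores the wire size of smb2_close_rsp, but nothing in the header pins that size, so a later edit to the group or its neighbours can reintroduce the 4-byte padding that made macOS clients drop the connection. The `/* 60 */` annotation on StructureSize is the documented on-the-wire size; I would add a `static_assert` on `sizeof(struct smb2_close_rsp)` next to the definition (the struct's opening and any embedded header are outside the hunk, so the exact expected value has to account for them). Since `__packed` is applied only to the group rather than the whole struct, a one-line comment would save the next reader from wondering why: `/* __packed: the __le64 members must follow Reserved with no alignment padding */`. The struct definition continues past the hunk.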
@@ -0,0 +1,53 @@
+From c119f4ede3fa90a9463f50831761c28f989bfb20 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Thu, 11 Apr 2024 23:02:15 +0900
+Subject: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
+
+From: Namjae Jeon
+
+commit c119f4ede3fa90a9463f50831761c28f989bfb20 upstream.
+
+If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
+validation could be skipped. if request size is smaller than
+sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
+smb2_allocate_rsp_buf(). This patch allocate response buffer after
+decrypting transform request. smb3_decrypt_req() will validate transform
+request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
+
+Reported-by: Norbert Szetei
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/server.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -167,20 +167,17 @@ static void __handle_ksmbd_work(struct k
+ int rc;
+ bool is_chained = false;
+
+- if (conn->ops->allocate_rsp_buf(work))
+- return;
+-
+ if (conn->ops->is_transform_hdr &&
+ conn->ops->is_transform_hdr(work->request_buf)) {
+ rc = conn->ops->decrypt_req(work);
+- if (rc < 0) {
+- conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+- goto send;
+- }
+-
++ if (rc < 0)
++ return;
+ work->encrypted = true;
+ }
+
++ if (conn->ops->allocate_rsp_buf(work))
++ return;
++
+ rc = conn->ops->init_rsp_hdr(work);
+ if (rc) {
+ /* either uid or tid is not correct */
diff --git a/queue-6.1/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch b/queue-6.1/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
new file mode 100644
index 00000000000..e71cc557334
--- /dev/null
+++ b/queue-6.1/ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
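Review bot: The new early `return` after a failed `decrypt_req` drops the old `STATUS_DATA_ERROR` reply path, so a malformed transform request now gets no response at all; that is unavoidable because no response buffer exists at that point, but the bare return reads like an oversight and deserves a comment such as `/* no response buffer yet and the request is untrusted: drop it silently */`. The reordering only closes the out-of-bounds read for transform requests, since a plaintext request still reaches `allocate_rsp_buf` before any message verification; that path is covered by the companion `ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch` in this series, so the two should stay queued together as they are here. __handle_ksmbd_work starts and ends outside the hunk.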
@@ -0,0 +1,35 @@
+From 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Fri, 12 Apr 2024 09:45:00 +0900
+Subject: ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
+
+From: Namjae Jeon
+
+commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a upstream.
+
+The response buffer should be allocated in smb2_allocate_rsp_buf
+before validating request. But the fields in payload as well as smb2 header
+is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
+validation to avoid potencial out-of-bounds in request buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -534,6 +534,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_w
+ if (cmd == SMB2_QUERY_INFO_HE) {
+ struct smb2_query_info_req *req;
+
++ if (get_rfc1002_len(work->request_buf) <
++ offsetof(struct smb2_query_info_req, OutputBufferLength))
++ return -EINVAL;
++
+ req = smb2_get_msg(work->request_buf);
+ if ((req->InfoType == SMB2_O_INFO_FILE &&
+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
diff --git a/queue-6.1/series b/queue-6.1/series
index 8a63c3c5c05..8ba8f7bfcad 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -136,3 +136,7 @@ net-dsa-mt7530-set-all-cpu-ports-in-mt7531_cpu_pmap.patch
 net-dsa-introduce-preferred_default_local_cpu_port-and-use-on-mt7530.patch
 net-dsa-mt7530-fix-improper-frames-on-all-25mhz-and-40mhz-xtal-mt7530.patch
 net-dsa-mt7530-fix-enabling-eee-on-mt7531-switch-on-all-boards.patch
+ksmbd-fix-slab-out-of-bounds-in-smb2_allocate_rsp_buf.patch
+ksmbd-validate-request-buffer-size-in-smb2_allocate_rsp_buf.patch
+ksmbd-clear-rename_noreplace-before-calling-vfs_rename.patch
+ksmbd-common-use-struct_group_attr-instead-of-struct_group-for-network_open_info.patch
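Review bot: The length check uses `offsetof(struct smb2_query_info_req, OutputBufferLength)` as its bound without saying why, and a reader has to reconstruct from the field order that it covers exactly the `InfoType` and `FileInfoClass` bytes read below and nothing after them. A comment would make the invariant explicit, e.g. `/* only InfoType/FileInfoClass are read here; both precede OutputBufferLength */`, so that anyone later reading `OutputBufferLength` in this branch knows the bound must grow to the end of that field. The `hdr->Command` read that selects this branch happens before the check and outside the hunk, so it still depends on the receive path guaranteeing at least a full `smb2_hdr` in the buffer; that is presumably the case but should be confirmed rather than assumed. smb2_allocate_rsp_buf starts and ends outside the hunk.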