From: Greg Kroah-Hartman
Date: Mon, 30 Jun 2025 13:19:42 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb4a84e11105cf1333d99896c67ef2a8a8a665b5;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch
ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch
---
diff --git a/queue-6.1/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch b/queue-6.1/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch
new file mode 100644
index 0000000000..5316188f6a
--- /dev/null
+++ b/queue-6.1/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch
@@ -0,0 +1,55 @@
+From d782d6e1d9078d6b82f8468dd6421050165e7d75 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Mon, 23 Sep 2024 22:39:11 +0900
+Subject: ksmbd: remove unsafe_memcpy use in session setup
+
+From: Namjae Jeon
+
+commit d782d6e1d9078d6b82f8468dd6421050165e7d75 upstream.
+
+Kees pointed out to just use directly ->Buffer instead of pointing
+->Buffer using offset not to use unsafe_memcpy().
+
+Suggested-by: Kees Cook
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1356,8 +1356,7 @@ static int ntlm_negotiate(struct ksmbd_w
+ return rc;
+ 
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- chgblob =
+- (struct challenge_message *)((char *)&rsp->hdr.ProtocolId + sz);
++ chgblob = (struct challenge_message *)rsp->Buffer;
+ memset(chgblob, 0, sizeof(struct challenge_message));
+ 
+ if (!work->conn->use_spnego) {
+@@ -1390,9 +1389,7 @@ static int ntlm_negotiate(struct ksmbd_w
+ goto out;
+ }
+ 
+- sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
+- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ 
+ out:
+@@ -1474,10 +1471,7 @@ static int ntlm_authenticate(struct ksmb
+ if (rc)
+ return -ENOMEM;
+ 
+- sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
+- spnego_blob_len,
+- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ kfree(spnego_blob);
+ }
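Review bot: The two new `memcpy(rsp->Buffer, spnego_blob, spnego_blob_len);` lines drop the only written justification for why the copy cannot overrun the response — the `/* alloc is larger than blob, see smb2_allocate_rsp_buf() */` note — without adding a bound, and because `Buffer` is the trailing member the fortify check has no size to enforce, so the warning is quieted rather than the write bounded. Keep the invariant next to each copy, e.g. `/* rsp was sized by smb2_allocate_rsp_buf(); the SPNEGO blob is always smaller */`, or guard the length against the recorded response allocation size if the work struct carries one. The first hunk also leaves `sz = le16_to_cpu(rsp->SecurityBufferOffset);` directly above the changed `chgblob` line although nothing visible reads `sz` afterwards; if it is only reassigned before its next use (the rest of the function lies outside the hunk), it is now a dead store and should go. For this backport, confirm that `Buffer` in this tree's `struct smb2_sess_setup_rsp` is a flexible array member rather than a one-element array, otherwise fortified `memcpy()` will trip at run time on any blob longer than one byte. ntlm_negotiate and ntlm_authenticate both start and end outside these hunks.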
diff --git a/queue-6.1/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch b/queue-6.1/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch
new file mode 100644
index 0000000000..22ca150c93
--- /dev/null
+++ b/queue-6.1/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch
@@ -0,0 +1,42 @@
+From dfd046d0ced19b6ff5f11ec4ceab0a83de924771 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Thu, 15 Aug 2024 08:56:35 +0900
+Subject: ksmbd: Use unsafe_memcpy() for ntlm_negotiate
+
+From: Namjae Jeon
+
+commit dfd046d0ced19b6ff5f11ec4ceab0a83de924771 upstream.
+
+rsp buffer is allocated larger than spnego_blob from
+smb2_allocate_rsp_buf().
+
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1391,7 +1391,8 @@ static int ntlm_negotiate(struct ksmbd_w
+ }
+ 
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ 
+ out:
+@@ -1474,7 +1475,9 @@ static int ntlm_authenticate(struct ksmb
+ return -ENOMEM;
+ 
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
++ spnego_blob_len,
++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ kfree(spnego_blob);
+ }
diff --git a/queue-6.1/series b/queue-6.1/series
index 9505122f22..b1ffc6ffb6 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
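Review bot: The justification written into `unsafe_memcpy(..., /* alloc is larger than blob, see smb2_allocate_rsp_buf() */)` covers only the length half of the invariant: the destination `(char *)&rsp->hdr.ProtocolId + sz` also relies on `sz`, read from `rsp->SecurityBufferOffset` one line above, pointing inside the allocation, and nothing in the hunk states where that field is set or that it cannot be influenced by the request. Extend the comment so both halves are auditable, e.g. `/* sz is the server-chosen SecurityBufferOffset; alloc is larger than offset + blob, see smb2_allocate_rsp_buf() */`. As written the annotation silences the fortify warning without adding any check, so that comment carries the whole burden of proof and should say exactly what is assumed. Both changed functions begin and end outside this hunk.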
@@ -114,3 +114,5 @@ drm-amd-display-add-null-pointer-check-for-get_first_active_display.patch
 drm-amdgpu-amdgpu_vram_mgr_new-clamp-lpfn-to-total-vram.patch
 drm-i915-gem-allow-exec_capture-on-recoverable-contexts-on-dg1.patch
 drm-amdgpu-add-kicker-device-detection.patch
+ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch
+ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch