From: Greg Kroah-Hartman Date: Wed, 21 Jun 2023 20:07:02 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.320~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc8ae3456156a75248148bdbc9ba28ae3cbb3e88;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ksmbd-fix-out-of-bound-read-in-smb2_write.patch ksmbd-validate-command-payload-size.patch ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch tick-common-align-tick-period-during-sched_timer-setup.patch --- diff --git a/queue-6.1/ksmbd-fix-out-of-bound-read-in-smb2_write.patch b/queue-6.1/ksmbd-fix-out-of-bound-read-in-smb2_write.patch new file mode 100644 index 00000000000..f41a8c22273 --- /dev/null +++ b/queue-6.1/ksmbd-fix-out-of-bound-read-in-smb2_write.patch @@ -0,0 +1,44 @@ +From 5fe7f7b78290638806211046a99f031ff26164e1 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 15 Jun 2023 22:04:40 +0900 +Subject: ksmbd: fix out-of-bound read in smb2_write + +From: Namjae Jeon + +commit 5fe7f7b78290638806211046a99f031ff26164e1 upstream. + +ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If +->NextCommand is bigger than Offset + Length of smb2 write, It will +allow oversized smb2 write length. It will cause OOB read in smb2_write. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -351,10 +351,16 @@ int ksmbd_smb2_check_message(struct ksmb + int command; + __u32 clc_len; /* calculated length */ + __u32 len = get_rfc1002_len(work->request_buf); +- __u32 req_struct_size; ++ __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); + +- if (le32_to_cpu(hdr->NextCommand) > 0) +- len = le32_to_cpu(hdr->NextCommand); ++ if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { ++ pr_err("next command(%u) offset exceeds smb msg size\n", ++ next_cmd); ++ return 1; ++ } ++ ++ if (next_cmd > 0) ++ len = next_cmd; + else if (work->next_smb2_rcv_hdr_off) + len -= work->next_smb2_rcv_hdr_off; + diff --git a/queue-6.1/ksmbd-validate-command-payload-size.patch b/queue-6.1/ksmbd-validate-command-payload-size.patch new file mode 100644 index 00000000000..385070a8181 --- /dev/null +++ b/queue-6.1/ksmbd-validate-command-payload-size.patch @@ -0,0 +1,86 @@ +From 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 5 Jun 2023 01:57:34 +0900 +Subject: ksmbd: validate command payload size + +From: Namjae Jeon + +commit 2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d upstream. + +->StructureSize2 indicates command payload size. ksmbd should validate +this size with rfc1002 length before accessing it. +This patch remove unneeded check and add the validation for this. + +[ 8.912583] BUG: KASAN: slab-out-of-bounds in ksmbd_smb2_check_message+0x12a/0xc50 +[ 8.913051] Read of size 2 at addr ffff88800ac7d92c by task kworker/0:0/7 +... +[ 8.914967] Call Trace: +[ 8.915126] +[ 8.915267] dump_stack_lvl+0x33/0x50 +[ 8.915506] print_report+0xcc/0x620 +[ 8.916558] kasan_report+0xae/0xe0 +[ 8.917080] kasan_check_range+0x35/0x1b0 +[ 8.917334] ksmbd_smb2_check_message+0x12a/0xc50 +[ 8.917935] ksmbd_verify_smb_message+0xae/0xd0 +[ 8.918223] handle_ksmbd_work+0x192/0x820 +[ 8.918478] process_one_work+0x419/0x760 +[ 8.918727] worker_thread+0x2a2/0x6f0 +[ 8.919222] kthread+0x187/0x1d0 +[ 8.919723] ret_from_fork+0x1f/0x30 +[ 8.919954] + +Cc: stable@vger.kernel.org +Reported-by: Chih-Yen Chang +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -351,6 +351,7 @@ int ksmbd_smb2_check_message(struct ksmb + int command; + __u32 clc_len; /* calculated length */ + __u32 len = get_rfc1002_len(work->request_buf); ++ __u32 req_struct_size; + + if (le32_to_cpu(hdr->NextCommand) > 0) + len = le32_to_cpu(hdr->NextCommand); +@@ -373,17 +374,9 @@ int ksmbd_smb2_check_message(struct ksmb + } + + if (smb2_req_struct_sizes[command] != pdu->StructureSize2) { +- if (command != SMB2_OPLOCK_BREAK_HE && +- (hdr->Status == 0 || pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { +- /* error packets have 9 byte structure size */ +- ksmbd_debug(SMB, +- "Illegal request size %u for command %d\n", +- le16_to_cpu(pdu->StructureSize2), command); +- return 1; +- } else if (command == SMB2_OPLOCK_BREAK_HE && +- hdr->Status == 0 && +- le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 && +- le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) { ++ if (command == SMB2_OPLOCK_BREAK_HE && ++ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 && ++ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) { + /* special case for SMB2.1 lease break message */ + ksmbd_debug(SMB, + "Illegal request size %d for oplock break\n", +@@ -392,6 +385,14 @@ int ksmbd_smb2_check_message(struct ksmb + } + } + ++ req_struct_size = le16_to_cpu(pdu->StructureSize2) + ++ __SMB2_HEADER_STRUCTURE_SIZE; ++ if (command == SMB2_LOCK_HE) ++ req_struct_size -= sizeof(struct smb2_lock_element); ++ ++ if (req_struct_size > len + 1) ++ return 1; ++ + if (smb2_calc_size(hdr, &clc_len)) + return 1; + diff --git a/queue-6.1/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch b/queue-6.1/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch new file mode 100644 index 00000000000..c37142917aa --- /dev/null +++ b/queue-6.1/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch @@ -0,0 +1,156 @@ +From 5005bcb4219156f1bf7587b185080ec1da08518e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 15 Jun 2023 22:05:29 +0900 +Subject: ksmbd: validate session id and tree id in the compound request + +From: Namjae Jeon + +commit 5005bcb4219156f1bf7587b185080ec1da08518e upstream. + +This patch validate session id and tree id in compound request. +If first operation in the compound is SMB2 ECHO request, ksmbd bypass +session and tree validation. So work->sess and work->tcon could be NULL. +If secound request in the compound access work->sess or tcon, It cause +NULL pointer dereferecing error. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21165 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/server.c | 33 ++++++++++++++++++++------------- + fs/ksmbd/smb2pdu.c | 44 +++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 59 insertions(+), 18 deletions(-) + +--- a/fs/ksmbd/server.c ++++ b/fs/ksmbd/server.c +@@ -185,24 +185,31 @@ static void __handle_ksmbd_work(struct k + goto send; + } + +- if (conn->ops->check_user_session) { +- rc = conn->ops->check_user_session(work); +- if (rc < 0) { +- command = conn->ops->get_cmd_val(work); +- conn->ops->set_rsp_status(work, +- STATUS_USER_SESSION_DELETED); +- goto send; +- } else if (rc > 0) { +- rc = conn->ops->get_ksmbd_tcon(work); ++ do { ++ if (conn->ops->check_user_session) { ++ rc = conn->ops->check_user_session(work); + if (rc < 0) { +- conn->ops->set_rsp_status(work, +- STATUS_NETWORK_NAME_DELETED); ++ if (rc == -EINVAL) ++ conn->ops->set_rsp_status(work, ++ STATUS_INVALID_PARAMETER); ++ else ++ conn->ops->set_rsp_status(work, ++ STATUS_USER_SESSION_DELETED); + goto send; ++ } else if (rc > 0) { ++ rc = conn->ops->get_ksmbd_tcon(work); ++ if (rc < 0) { ++ if (rc == -EINVAL) ++ conn->ops->set_rsp_status(work, ++ STATUS_INVALID_PARAMETER); ++ else ++ conn->ops->set_rsp_status(work, ++ STATUS_NETWORK_NAME_DELETED); ++ goto send; ++ } + } + } +- } + +- do { + rc = __process_request(work, conn, &command); + if (rc == SERVER_HANDLER_ABORT) + break; +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -90,7 +90,6 @@ int smb2_get_ksmbd_tcon(struct ksmbd_wor + unsigned int cmd = le16_to_cpu(req_hdr->Command); + int tree_id; + +- work->tcon = NULL; + if (cmd == SMB2_TREE_CONNECT_HE || + cmd == SMB2_CANCEL_HE || + cmd == SMB2_LOGOFF_HE) { +@@ -104,10 +103,28 @@ int smb2_get_ksmbd_tcon(struct ksmbd_wor + } + + tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId); ++ ++ /* ++ * If request is not the first in Compound request, ++ * Just validate tree id in header with work->tcon->id. ++ */ ++ if (work->next_smb2_rcv_hdr_off) { ++ if (!work->tcon) { ++ pr_err("The first operation in the compound does not have tcon\n"); ++ return -EINVAL; ++ } ++ if (work->tcon->id != tree_id) { ++ pr_err("tree id(%u) is different with id(%u) in first operation\n", ++ tree_id, work->tcon->id); ++ return -EINVAL; ++ } ++ return 1; ++ } ++ + work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id); + if (!work->tcon) { + pr_err("Invalid tid %d\n", tree_id); +- return -EINVAL; ++ return -ENOENT; + } + + return 1; +@@ -553,7 +570,6 @@ int smb2_check_user_session(struct ksmbd + unsigned int cmd = conn->ops->get_cmd_val(work); + unsigned long long sess_id; + +- work->sess = NULL; + /* + * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not + * require a session id, so no need to validate user session's for +@@ -564,15 +580,33 @@ int smb2_check_user_session(struct ksmbd + return 0; + + if (!ksmbd_conn_good(conn)) +- return -EINVAL; ++ return -EIO; + + sess_id = le64_to_cpu(req_hdr->SessionId); ++ ++ /* ++ * If request is not the first in Compound request, ++ * Just validate session id in header with work->sess->id. ++ */ ++ if (work->next_smb2_rcv_hdr_off) { ++ if (!work->sess) { ++ pr_err("The first operation in the compound does not have sess\n"); ++ return -EINVAL; ++ } ++ if (work->sess->id != sess_id) { ++ pr_err("session id(%llu) is different with the first operation(%lld)\n", ++ sess_id, work->sess->id); ++ return -EINVAL; ++ } ++ return 1; ++ } ++ + /* Check for validity of user session */ + work->sess = ksmbd_session_lookup_all(conn, sess_id); + if (work->sess) + return 1; + ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id); +- return -EINVAL; ++ return -ENOENT; + } + + static void destroy_previous_session(struct ksmbd_conn *conn, diff --git a/queue-6.1/series b/queue-6.1/series index 7421d40dfaa..817eb590436 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -7,3 +7,7 @@ ata-libata-scsi-avoid-deadlock-on-rescan-after-devic.patch mm-fix-copy_from_user_nofault.patch tpm-tpm_tis-claim-locality-in-interrupt-handler.patch tpm_crb-add-support-for-crb-devices-based-on-pluton.patch +ksmbd-validate-command-payload-size.patch +ksmbd-fix-out-of-bound-read-in-smb2_write.patch +ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch +tick-common-align-tick-period-during-sched_timer-setup.patch diff --git a/queue-6.1/tick-common-align-tick-period-during-sched_timer-setup.patch b/queue-6.1/tick-common-align-tick-period-during-sched_timer-setup.patch new file mode 100644 index 00000000000..26b077ef595 --- /dev/null +++ b/queue-6.1/tick-common-align-tick-period-during-sched_timer-setup.patch @@ -0,0 +1,95 @@ +From 13bb06f8dd42071cb9a49f6e21099eea05d4b856 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Jun 2023 11:18:30 +0200 +Subject: tick/common: Align tick period during sched_timer setup + +From: Thomas Gleixner + +commit 13bb06f8dd42071cb9a49f6e21099eea05d4b856 upstream. + +The tick period is aligned very early while the first clock_event_device is +registered. At that point the system runs in periodic mode and switches +later to one-shot mode if possible. + +The next wake-up event is programmed based on the aligned value +(tick_next_period) but the delta value, that is used to program the +clock_event_device, is computed based on ktime_get(). + +With the subtracted offset, the device fires earlier than the exact time +frame. With a large enough offset the system programs the timer for the +next wake-up and the remaining time left is too small to make any boot +progress. The system hangs. + +Move the alignment later to the setup of tick_sched timer. At this point +the system switches to oneshot mode and a high resolution clocksource is +available. At this point it is safe to align tick_next_period because +ktime_get() will now return accurate (not jiffies based) time. + +[bigeasy: Patch description + testing]. + +Fixes: e9523a0d81899 ("tick/common: Align tick period with the HZ tick.") +Reported-by: Mathias Krause +Reported-by: "Bhatnagar, Rishabh" +Suggested-by: Mathias Krause +Signed-off-by: Thomas Gleixner +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Tested-by: Richard W.M. Jones +Tested-by: Mathias Krause +Acked-by: SeongJae Park +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/5a56290d-806e-b9a5-f37c-f21958b5a8c0@grsecurity.net +Link: https://lore.kernel.org/12c6f9a3-d087-b824-0d05-0d18c9bc1bf3@amazon.com +Link: https://lore.kernel.org/r/20230615091830.RxMV2xf_@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-common.c | 13 +------------ + kernel/time/tick-sched.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 13 deletions(-) + +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -218,19 +218,8 @@ static void tick_setup_device(struct tic + * this cpu: + */ + if (tick_do_timer_cpu == TICK_DO_TIMER_BOOT) { +- ktime_t next_p; +- u32 rem; +- + tick_do_timer_cpu = cpu; +- +- next_p = ktime_get(); +- div_u64_rem(next_p, TICK_NSEC, &rem); +- if (rem) { +- next_p -= rem; +- next_p += TICK_NSEC; +- } +- +- tick_next_period = next_p; ++ tick_next_period = ktime_get(); + #ifdef CONFIG_NO_HZ_FULL + /* + * The boot CPU may be nohz_full, in which case set +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -161,8 +161,19 @@ static ktime_t tick_init_jiffy_update(vo + raw_spin_lock(&jiffies_lock); + write_seqcount_begin(&jiffies_seq); + /* Did we start the jiffies update yet ? */ +- if (last_jiffies_update == 0) ++ if (last_jiffies_update == 0) { ++ u32 rem; ++ ++ /* ++ * Ensure that the tick is aligned to a multiple of ++ * TICK_NSEC. ++ */ ++ div_u64_rem(tick_next_period, TICK_NSEC, &rem); ++ if (rem) ++ tick_next_period += TICK_NSEC - rem; ++ + last_jiffies_update = tick_next_period; ++ } + period = last_jiffies_update; + write_seqcount_end(&jiffies_seq); + raw_spin_unlock(&jiffies_lock);