From a2d3e42529b4ba1c919b8af3c32c1c5455dae5d7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Apr 2023 09:58:05 +0200
Subject: [PATCH] drop queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
---
...bounds-access-in-decode_preauth_ctxt.patch | 68 -------------------
queue-5.15/series | 1 -
2 files changed, 69 deletions(-)
delete mode 100644 queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
diff --git a/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch b/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
deleted file mode 100644
index b04eb778dbb..00000000000
--- a/queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From e7067a446264a7514fa1cfaa4052cdb6803bc6a2 Mon Sep 17 00:00:00 2001
-From: David Disseldorp
-Date: Thu, 13 Apr 2023 23:49:57 +0900
-Subject: ksmbd: avoid out of bounds access in decode_preauth_ctxt()
-
-From: David Disseldorp
-
-commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 upstream.
-
-Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
-the SMB request boundary; deassemble_neg_contexts() only checks that the
-eight byte smb2_neg_context header + (client controlled) DataLength are
-within the packet boundary, which is insufficient.
-
-Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
-that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
-
-Signed-off-by: David Disseldorp
-Acked-by: Namjae Jeon
-Cc:
-Signed-off-by: Steve French
-Signed-off-by: Greg Kroah-Hartman
----
- fs/ksmbd/smb2pdu.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -880,17 +880,21 @@ static void assemble_neg_contexts(struct
- }
-
- static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
-- struct smb2_preauth_neg_context *pneg_ctxt)
-+ struct smb2_preauth_neg_context *pneg_ctxt,
-+ int len_of_ctxts)
- {
-- __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
-+ /*
-+ * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
-+ * which may not be present. Only check for used HashAlgorithms[1].
-+ */
-+ if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
-+ return STATUS_INVALID_PARAMETER;
-
-- if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
-- conn->preauth_info->Preauth_HashId =
-- SMB2_PREAUTH_INTEGRITY_SHA512;
-- err = STATUS_SUCCESS;
-- }
-+ if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
-+ return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
-
-- return err;
-+ conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
-+ return STATUS_SUCCESS;
- }
-
- static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
-@@ -1018,7 +1022,8 @@ static __le32 deassemble_neg_contexts(st
- break;
-
- status = decode_preauth_ctxt(conn,
-- (struct smb2_preauth_neg_context *)pctx);
-+ (struct smb2_preauth_neg_context *)pctx,
-+ len_of_ctxts);
- if (status != STATUS_SUCCESS)
- break;
- } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
diff --git a/queue-5.15/series b/queue-5.15/series
index ee08ebe6572..1e5f4649230 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -54,7 +54,6 @@ tracing-add-trace_array_puts-to-write-into-instance.patch
 tracing-have-tracing_snapshot_instance_cond-write-er.patch
 i915-perf-replace-drm_debug-with-driver-specific-drm.patch
 drm-i915-fix-race-condition-uaf-in-i915_perf_add_con.patch
-ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
 riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
 riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
 riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
--
2.47.3