--- /dev/null
+From d782d6e1d9078d6b82f8468dd6421050165e7d75 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 23 Sep 2024 22:39:11 +0900
+Subject: ksmbd: remove unsafe_memcpy use in session setup
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit d782d6e1d9078d6b82f8468dd6421050165e7d75 upstream.
+
+Kees pointed out to just use directly ->Buffer instead of pointing
+->Buffer using offset not to use unsafe_memcpy().
+
+Suggested-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1345,8 +1345,7 @@ static int ntlm_negotiate(struct ksmbd_w
+ return rc;
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- chgblob =
+- (struct challenge_message *)((char *)&rsp->hdr.ProtocolId + sz);
++ chgblob = (struct challenge_message *)rsp->Buffer;
+ memset(chgblob, 0, sizeof(struct challenge_message));
+
+ if (!work->conn->use_spnego) {
+@@ -1379,9 +1378,7 @@ static int ntlm_negotiate(struct ksmbd_w
+ goto out;
+ }
+
+- sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
+- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+
+ out:
+@@ -1463,10 +1460,7 @@ static int ntlm_authenticate(struct ksmb
+ if (rc)
+ return -ENOMEM;
+
+- sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
+- spnego_blob_len,
+- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ kfree(spnego_blob);
+ }
--- /dev/null
+From dfd046d0ced19b6ff5f11ec4ceab0a83de924771 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 15 Aug 2024 08:56:35 +0900
+Subject: ksmbd: Use unsafe_memcpy() for ntlm_negotiate
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit dfd046d0ced19b6ff5f11ec4ceab0a83de924771 upstream.
+
+rsp buffer is allocated larger than spnego_blob from
+smb2_allocate_rsp_buf().
+
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1380,7 +1380,8 @@ static int ntlm_negotiate(struct ksmbd_w
+ }
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+
+ out:
+@@ -1463,7 +1464,9 @@ static int ntlm_authenticate(struct ksmb
+ return -ENOMEM;
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
++ spnego_blob_len,
++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ kfree(spnego_blob);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
