5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jan 2024 17:14:31 +0000 (09:14 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jan 2024 17:14:31 +0000 (09:14 -0800)
added patches:
cifs-fix-off-by-one-in-smb2_query_info_init.patch

queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch b/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch
new file mode 100644 (file)
index 0000000..ca7e6ae
--- /dev/null
@@ -0,0 +1,58 @@
+From harshit.m.mogalapalli@oracle.com  Sun Jan 28 09:13:27 2024
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Sun, 28 Jan 2024 09:07:58 -0800
+Subject: cifs: fix off-by-one in SMB2_query_info_init()
+To: stable@vger.kernel.org
+Cc: kovalev@altlinux.org, --cc=abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20240128170759.2432089-1-harshit.m.mogalapalli@oracle.com>
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+Bug: After mounting the cifs fs, it complains with Resource temporarily
+unavailable messages.
+
+[root@vm1 xfstests-dev]# ./check -g quick -s smb3
+TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
+[root@vm1 xfstests-dev]# df
+df: /mnt/test: Resource temporarily unavailable
+
+Paul's analysis of the bug:
+
+       Bug is related to an off-by-one in smb2_set_next_command() when
+       the client attempts to pad SMB2_QUERY_INFO request -- since it isn't
+       8 byte aligned -- even though smb2_query_info_compound() doesn't
+       provide an extra iov for such padding.
+
+       v5.15.y doesn't have
+
+        eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
+
+       and the commit does
+
+               if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+                            len > CIFSMaxBufSize))
+                       return -EINVAL;
+
+       so sizeof(*req) will wrongly include the extra byte from
+       smb2_query_info_req::Buffer making @len unaligned and therefore causing
+       OOB in smb2_set_next_command().
+
+Fixes: bfd18c0f570e4 ("smb: client: fix OOB in SMB2_query_info_init()")
+Suggested-by: Paulo Alcantara <pc@manguebit.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3448,7 +3448,7 @@ SMB2_query_info_init(struct cifs_tcon *t
+       iov[0].iov_base = (char *)req;
+       /* 1 for Buffer */
+-      iov[0].iov_len = len;
++      iov[0].iov_len = len - 1;
+       return 0;
+ }
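Review bot: The restored `len - 1` on the new side is only correct because v5.15.y's `struct smb2_query_info_req` still declares a 1-byte `Buffer` placeholder that `sizeof(*req)` counts into `len` (via the `check_add_overflow(input_len, sizeof(*req), &len)` bound quoted in the description), but the surviving `/* 1 for Buffer */` comment does not say so, and nothing warns that the subtraction must be dropped again if eb3e28c1e89b is ever backported to this branch. Suggest replacing the comment with `/* len counts the 1-byte Buffer placeholder of the pre-flex-array struct; remove the -1 if eb3e28c1e89b is backported */`. Assuming `len` is unsigned (it appears to be, given its use with check_add_overflow), the subtraction cannot wrap once that bound check has passed, since `len >= sizeof(*req) >= 1`, but that reasoning lives outside this hunk and is worth a sentence in the comment. The body of SMB2_query_info_init, including the bound check this line relies on, starts outside the hunk.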
index da351e1ded393c84919e6c46ebf3e10ec9585ef3..f7ef070625015f49367576c621f3b81068f021ae 100644 (file)
@@ -94,3 +94,4 @@ drm-don-t-unref-the-same-fb-many-times-by-mistake-due-to-deadlock-handling.patch
 drm-bridge-nxp-ptn3460-fix-i2c_master_send-error-checking.patch
 drm-tidss-fix-atomic_flush-check.patch
 drm-bridge-nxp-ptn3460-simplify-some-error-checking.patch
+cifs-fix-off-by-one-in-smb2_query_info_init.patch