From: Greg Kroah-Hartman Date: Sun, 28 Jan 2024 17:14:31 +0000 (-0800) Subject: 5.15-stable patches X-Git-Tag: v6.1.76~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=633da32d78f708ab0ab390bc6fe60b3a1988f9d7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: cifs-fix-off-by-one-in-smb2_query_info_init.patch --- diff --git a/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch b/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch new file mode 100644 index 00000000000..ca7e6aedf54 --- /dev/null +++ b/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch 
@@ -0,0 +1,58 @@ +From harshit.m.mogalapalli@oracle.com Sun Jan 28 09:13:27 2024 +From: Harshit Mogalapalli +Date: Sun, 28 Jan 2024 09:07:58 -0800 +Subject: cifs: fix off-by-one in SMB2_query_info_init() +To: stable@vger.kernel.org +Cc: kovalev@altlinux.org, --cc=abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli +Message-ID: <20240128170759.2432089-1-harshit.m.mogalapalli@oracle.com> + +From: Harshit Mogalapalli + +Bug: After mounting the cifs fs, it complains with Resource temporarily +unavailable messages. + +[root@vm1 xfstests-dev]# ./check -g quick -s smb3 +TEST_DEV=///TEST is mounted but not a type cifs filesystem +[root@vm1 xfstests-dev]# df +df: /mnt/test: Resource temporarily unavailable + +Paul's analysis of the bug: + + Bug is related to an off-by-one in smb2_set_next_command() when + the client attempts to pad SMB2_QUERY_INFO request -- since it isn't + 8 byte aligned -- even though smb2_query_info_compound() doesn't + provide an extra iov for such padding. + + v5.15.y doesn't have + + eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") + + and the commit does + + if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) || + len > CIFSMaxBufSize)) + return -EINVAL; + + so sizeof(*req) will wrongly include the extra byte from + smb2_query_info_req::Buffer making @len unaligned and therefore causing + OOB in smb2_set_next_command(). 
+ +Fixes: bfd18c0f570e4 ("smb: client: fix OOB in SMB2_query_info_init()") +Suggested-by: Paulo Alcantara +Signed-off-by: Harshit Mogalapalli +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3448,7 +3448,7 @@ SMB2_query_info_init(struct cifs_tcon *t + + iov[0].iov_base = (char *)req; + /* 1 for Buffer */ +- iov[0].iov_len = len; ++ iov[0].iov_len = len - 1; + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index da351e1ded3..f7ef0706250 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -94,3 +94,4 @@ drm-don-t-unref-the-same-fb-many-times-by-mistake-due-to-deadlock-handling.patch drm-bridge-nxp-ptn3460-fix-i2c_master_send-error-checking.patch drm-tidss-fix-atomic_flush-check.patch drm-bridge-nxp-ptn3460-simplify-some-error-checking.patch +cifs-fix-off-by-one-in-smb2_query_info_init.patch
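Review bot: In the fs/cifs/smb2pdu.c hunk, the new `iov[0].iov_len = len - 1;` is only right while `struct smb2_query_info_req` still ends in a 1-element `Buffer` array, which the message says holds for v5.15.y because eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") is not present; if that conversion is ever backported to this branch the line has to go back to `len`, so the retained `/* 1 for Buffer */` comment would be clearer if it said the subtraction compensates for the byte that `sizeof(*req)` counts for `Buffer`. The `check_add_overflow(input_len, sizeof(*req), &len)` / `len > CIFSMaxBufSize` check quoted in the message can stay as it is: it only needs a safe upper bound, and the one-byte overcount errs on the conservative side, whereas `iov_len` must be exact so that smb2_set_next_command() sees an 8-byte-aligned length and does not pad into an iov that smb2_query_info_compound() never provided.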