729c0c9dd5
smb{2,3}_create_lease_buf() store a lease key in the lease
context for later usage on a lease break.
In most paths, the key is currently sourced from data that
happens to be on the stack near local variables for oplock in
SMB2_open() callers, e.g. from open_shroot(), whereas
smb2_open_file() properly allocates space on its stack for it.
The address of those local variables holding the oplock is then
passed to create_lease_buf handlers via SMB2_open(), and 16
bytes near oplock are used. This causes a stack out-of-bounds
access as reported by KASAN on SMB2.1 and SMB3 mounts (first
out-of-bounds access is shown here):
[ 111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
[ 111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[ 111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
[ 111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 111.536838] Call Trace:
[ 111.537528] dump_stack+0xc2/0x16b
[ 111.540890] print_address_description+0x6a/0x270
[ 111.542185] kasan_report+0x258/0x380
[ 111.544701] smb3_create_lease_buf+0x399/0x3b0 [cifs]
[ 111.546134] SMB2_open+0x1ef8/0x4b70 [cifs]
[ 111.575883] open_shroot+0x339/0x550 [cifs]
[ 111.591969] smb3_qfs_tcon+0x32c/0x1e60 [cifs]
[ 111.617405] cifs_mount+0x4f3/0x2fc0 [cifs]
[ 111.674332] cifs_smb3_do_mount+0x263/0xf10 [cifs]
[ 111.677915] mount_fs+0x55/0x2b0
[ 111.679504] vfs_kern_mount.part.22+0xaa/0x430
[ 111.684511] do_mount+0xc40/0x2660
[ 111.698301] ksys_mount+0x80/0xd0
[ 111.701541] do_syscall_64+0x14e/0x4b0
[ 111.711807] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 111.713665] RIP: 0033:0x7f372385b5fa
[ 111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
[ 111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
[ 111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
[ 111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
[ 111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
[ 111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000
[ 111.735448] The buggy address belongs to the page:
[ 111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 111.739890] flags: 0x17ffffc0000000()
[ 111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
[ 111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 111.746679] page dumped because: kasan: bad access detected
[ 111.750482] Memory state around the buggy address:
[ 111.752562] ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[ 111.754991] ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[ 111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[ 111.759801] ^
[ 111.762034] ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[ 111.764486] ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 111.766913] ==================================================================
Lease keys are however already generated and stored in fid data
on open and create paths: pass them down to the lease context
creation handlers and use them.
Suggested-by: Aurélien Aptel <aaptel@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Fixes: b8c32dbb0d
("CIFS: Request SMB2.1 leases")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
284 lines
7.5 KiB
C
284 lines
7.5 KiB
C
/*
|
|
* fs/cifs/smb2file.c
|
|
*
|
|
* Copyright (C) International Business Machines Corp., 2002, 2011
|
|
* Author(s): Steve French (sfrench@us.ibm.com),
|
|
* Pavel Shilovsky ((pshilovsky@samba.org) 2012
|
|
*
|
|
* This library is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published
|
|
* by the Free Software Foundation; either version 2.1 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
|
|
* the GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
#include <linux/fs.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/pagemap.h>
|
|
#include <asm/div64.h>
|
|
#include "cifsfs.h"
|
|
#include "cifspdu.h"
|
|
#include "cifsglob.h"
|
|
#include "cifsproto.h"
|
|
#include "cifs_debug.h"
|
|
#include "cifs_fs_sb.h"
|
|
#include "cifs_unicode.h"
|
|
#include "fscache.h"
|
|
#include "smb2proto.h"
|
|
|
|
int
|
|
smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
|
|
__u32 *oplock, FILE_ALL_INFO *buf)
|
|
{
|
|
int rc;
|
|
__le16 *smb2_path;
|
|
struct smb2_file_all_info *smb2_data = NULL;
|
|
__u8 smb2_oplock;
|
|
struct cifs_fid *fid = oparms->fid;
|
|
struct network_resiliency_req nr_ioctl_req;
|
|
|
|
smb2_path = cifs_convert_path_to_utf16(oparms->path, oparms->cifs_sb);
|
|
if (smb2_path == NULL) {
|
|
rc = -ENOMEM;
|
|
goto out;
|
|
}
|
|
|
|
smb2_data = kzalloc(sizeof(struct smb2_file_all_info) + PATH_MAX * 2,
|
|
GFP_KERNEL);
|
|
if (smb2_data == NULL) {
|
|
rc = -ENOMEM;
|
|
goto out;
|
|
}
|
|
|
|
oparms->desired_access |= FILE_READ_ATTRIBUTES;
|
|
smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
|
|
|
|
rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL,
|
|
NULL);
|
|
if (rc)
|
|
goto out;
|
|
|
|
|
|
if (oparms->tcon->use_resilient) {
|
|
nr_ioctl_req.Timeout = 0; /* use server default (120 seconds) */
|
|
nr_ioctl_req.Reserved = 0;
|
|
rc = SMB2_ioctl(xid, oparms->tcon, fid->persistent_fid,
|
|
fid->volatile_fid, FSCTL_LMR_REQUEST_RESILIENCY,
|
|
true /* is_fsctl */,
|
|
(char *)&nr_ioctl_req, sizeof(nr_ioctl_req),
|
|
NULL, NULL /* no return info */);
|
|
if (rc == -EOPNOTSUPP) {
|
|
cifs_dbg(VFS,
|
|
"resiliency not supported by server, disabling\n");
|
|
oparms->tcon->use_resilient = false;
|
|
} else if (rc)
|
|
cifs_dbg(FYI, "error %d setting resiliency\n", rc);
|
|
|
|
rc = 0;
|
|
}
|
|
|
|
if (buf) {
|
|
/* open response does not have IndexNumber field - get it */
|
|
rc = SMB2_get_srv_num(xid, oparms->tcon, fid->persistent_fid,
|
|
fid->volatile_fid,
|
|
&smb2_data->IndexNumber);
|
|
if (rc) {
|
|
/* let get_inode_info disable server inode numbers */
|
|
smb2_data->IndexNumber = 0;
|
|
rc = 0;
|
|
}
|
|
move_smb2_info_to_cifs(buf, smb2_data);
|
|
}
|
|
|
|
*oplock = smb2_oplock;
|
|
out:
|
|
kfree(smb2_data);
|
|
kfree(smb2_path);
|
|
return rc;
|
|
}
|
|
|
|
int
|
|
smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
|
|
const unsigned int xid)
|
|
{
|
|
int rc = 0, stored_rc;
|
|
unsigned int max_num, num = 0, max_buf;
|
|
struct smb2_lock_element *buf, *cur;
|
|
struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
|
|
struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry));
|
|
struct cifsLockInfo *li, *tmp;
|
|
__u64 length = 1 + flock->fl_end - flock->fl_start;
|
|
struct list_head tmp_llist;
|
|
|
|
INIT_LIST_HEAD(&tmp_llist);
|
|
|
|
/*
|
|
* Accessing maxBuf is racy with cifs_reconnect - need to store value
|
|
* and check it for zero before using.
|
|
*/
|
|
max_buf = tcon->ses->server->maxBuf;
|
|
if (!max_buf)
|
|
return -EINVAL;
|
|
|
|
max_num = max_buf / sizeof(struct smb2_lock_element);
|
|
buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
|
|
if (!buf)
|
|
return -ENOMEM;
|
|
|
|
cur = buf;
|
|
|
|
down_write(&cinode->lock_sem);
|
|
list_for_each_entry_safe(li, tmp, &cfile->llist->locks, llist) {
|
|
if (flock->fl_start > li->offset ||
|
|
(flock->fl_start + length) <
|
|
(li->offset + li->length))
|
|
continue;
|
|
if (current->tgid != li->pid)
|
|
continue;
|
|
if (cinode->can_cache_brlcks) {
|
|
/*
|
|
* We can cache brlock requests - simply remove a lock
|
|
* from the file's list.
|
|
*/
|
|
list_del(&li->llist);
|
|
cifs_del_lock_waiters(li);
|
|
kfree(li);
|
|
continue;
|
|
}
|
|
cur->Length = cpu_to_le64(li->length);
|
|
cur->Offset = cpu_to_le64(li->offset);
|
|
cur->Flags = cpu_to_le32(SMB2_LOCKFLAG_UNLOCK);
|
|
/*
|
|
* We need to save a lock here to let us add it again to the
|
|
* file's list if the unlock range request fails on the server.
|
|
*/
|
|
list_move(&li->llist, &tmp_llist);
|
|
if (++num == max_num) {
|
|
stored_rc = smb2_lockv(xid, tcon,
|
|
cfile->fid.persistent_fid,
|
|
cfile->fid.volatile_fid,
|
|
current->tgid, num, buf);
|
|
if (stored_rc) {
|
|
/*
|
|
* We failed on the unlock range request - add
|
|
* all locks from the tmp list to the head of
|
|
* the file's list.
|
|
*/
|
|
cifs_move_llist(&tmp_llist,
|
|
&cfile->llist->locks);
|
|
rc = stored_rc;
|
|
} else
|
|
/*
|
|
* The unlock range request succeed - free the
|
|
* tmp list.
|
|
*/
|
|
cifs_free_llist(&tmp_llist);
|
|
cur = buf;
|
|
num = 0;
|
|
} else
|
|
cur++;
|
|
}
|
|
if (num) {
|
|
stored_rc = smb2_lockv(xid, tcon, cfile->fid.persistent_fid,
|
|
cfile->fid.volatile_fid, current->tgid,
|
|
num, buf);
|
|
if (stored_rc) {
|
|
cifs_move_llist(&tmp_llist, &cfile->llist->locks);
|
|
rc = stored_rc;
|
|
} else
|
|
cifs_free_llist(&tmp_llist);
|
|
}
|
|
up_write(&cinode->lock_sem);
|
|
|
|
kfree(buf);
|
|
return rc;
|
|
}
|
|
|
|
static int
|
|
smb2_push_mand_fdlocks(struct cifs_fid_locks *fdlocks, const unsigned int xid,
|
|
struct smb2_lock_element *buf, unsigned int max_num)
|
|
{
|
|
int rc = 0, stored_rc;
|
|
struct cifsFileInfo *cfile = fdlocks->cfile;
|
|
struct cifsLockInfo *li;
|
|
unsigned int num = 0;
|
|
struct smb2_lock_element *cur = buf;
|
|
struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
|
|
|
|
list_for_each_entry(li, &fdlocks->locks, llist) {
|
|
cur->Length = cpu_to_le64(li->length);
|
|
cur->Offset = cpu_to_le64(li->offset);
|
|
cur->Flags = cpu_to_le32(li->type |
|
|
SMB2_LOCKFLAG_FAIL_IMMEDIATELY);
|
|
if (++num == max_num) {
|
|
stored_rc = smb2_lockv(xid, tcon,
|
|
cfile->fid.persistent_fid,
|
|
cfile->fid.volatile_fid,
|
|
current->tgid, num, buf);
|
|
if (stored_rc)
|
|
rc = stored_rc;
|
|
cur = buf;
|
|
num = 0;
|
|
} else
|
|
cur++;
|
|
}
|
|
if (num) {
|
|
stored_rc = smb2_lockv(xid, tcon,
|
|
cfile->fid.persistent_fid,
|
|
cfile->fid.volatile_fid,
|
|
current->tgid, num, buf);
|
|
if (stored_rc)
|
|
rc = stored_rc;
|
|
}
|
|
|
|
return rc;
|
|
}
|
|
|
|
int
|
|
smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
|
|
{
|
|
int rc = 0, stored_rc;
|
|
unsigned int xid;
|
|
unsigned int max_num, max_buf;
|
|
struct smb2_lock_element *buf;
|
|
struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry));
|
|
struct cifs_fid_locks *fdlocks;
|
|
|
|
xid = get_xid();
|
|
|
|
/*
|
|
* Accessing maxBuf is racy with cifs_reconnect - need to store value
|
|
* and check it for zero before using.
|
|
*/
|
|
max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
|
|
if (max_buf < sizeof(struct smb2_lock_element)) {
|
|
free_xid(xid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
max_num = max_buf / sizeof(struct smb2_lock_element);
|
|
buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
|
|
if (!buf) {
|
|
free_xid(xid);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
list_for_each_entry(fdlocks, &cinode->llist, llist) {
|
|
stored_rc = smb2_push_mand_fdlocks(fdlocks, xid, buf, max_num);
|
|
if (stored_rc)
|
|
rc = stored_rc;
|
|
}
|
|
|
|
kfree(buf);
|
|
free_xid(xid);
|
|
return rc;
|
|
}
|