iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Paulo Alcantara ef748d4a62 smb: client: fix NULL deref in asn1_ber_decoder() 
commit 90d025c2e953c11974e76637977c473200593a46 upstream.

If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset,
smb2_get_data_area() sets @len to non-zero but return NULL, so
decode_negTokeninit() ends up being called with a NULL @security_blob:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  RIP: 0010:asn1_ber_decoder+0x173/0xc80
  Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00
  RSP: 0018:ffffc9000063f950 EFLAGS: 00010202
  RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a
  RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000
  R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000
  FS:  00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __die+0x23/0x70
   ? page_fault_oops+0x181/0x480
   ? __stack_depot_save+0x1e6/0x480
   ? exc_page_fault+0x6f/0x1c0
   ? asm_exc_page_fault+0x26/0x30
   ? asn1_ber_decoder+0x173/0xc80
   ? check_object+0x40/0x340
   decode_negTokenInit+0x1e/0x30 [cifs]
   SMB2_negotiate+0xc99/0x17c0 [cifs]
   ? smb2_negotiate+0x46/0x60 [cifs]
   ? srso_alias_return_thunk+0x5/0xfbef5
   smb2_negotiate+0x46/0x60 [cifs]
   cifs_negotiate_protocol+0xae/0x130 [cifs]
   cifs_get_smb_ses+0x517/0x1040 [cifs]
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? queue_delayed_work_on+0x5d/0x90
   cifs_mount_get_session+0x78/0x200 [cifs]
   dfs_mount_share+0x13a/0x9f0 [cifs]
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? lock_acquire+0xbf/0x2b0
   ? find_nls+0x16/0x80
   ? srso_alias_return_thunk+0x5/0xfbef5
   cifs_mount+0x7e/0x350 [cifs]
   cifs_smb3_do_mount+0x128/0x780 [cifs]
   smb3_get_tree+0xd9/0x290 [cifs]
   vfs_get_tree+0x2c/0x100
   ? capable+0x37/0x70
   path_mount+0x2d7/0xb80
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? _raw_spin_unlock_irqrestore+0x44/0x60
   __x64_sys_mount+0x11a/0x150
   do_syscall_64+0x47/0xf0
   entry_SYSCALL_64_after_hwframe+0x6f/0x77
  RIP: 0033:0x7fce52c2ab1e

Fix this by setting @len to zero when @off == 0 so callers won't
attempt to dereference non-existing data areas.

Reported-by: Robert Morris <rtm@csail.mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-12-20 17:02:05 +01:00
..
9p
9p: v9fs_listxattr: fix %s null argument warning
2023-11-28 17:19:46 +00:00
adfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
affs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
afs
afs: Fix refcount underflow from error handling race
2023-12-20 17:01:43 +01:00
autofs
v6.6-vfs.autofs
2023-08-28 11:39:14 -07:00
befs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
bfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
btrfs
btrfs: don't clear qgroup reserved bit in release_folio
2023-12-20 17:02:03 +01:00
cachefiles
- Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list")
2023-08-29 14:25:26 -07:00
ceph
assorted fixes all over the place
2023-10-27 16:44:58 -10:00
coda
v6.6-vfs.ctime
2023-08-28 09:31:32 -07:00
configfs
configfs: convert to ctime accessor functions
2023-07-13 10:28:05 +02:00
cramfs
v6.6-vfs.super
2023-08-28 11:04:18 -07:00
crypto
debugfs
debugfs: Fix __rcu type comparison warning
2023-11-20 11:59:26 +01:00
devpts
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
dlm
fs: dlm: Simplify buffer size computation in dlm_create_debug_file()
2023-11-20 11:59:37 +01:00
ecryptfs
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
efivarfs
efivarfs: fix statfs() on efivarfs
2023-09-11 09:10:02 +00:00
efs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
erofs
erofs: fix erofs_insert_workgroup() lockref usage
2023-11-20 11:59:23 +01:00
exfat
exfat: support handle zero-size directory
2023-11-28 17:19:44 +00:00
exportfs
exportfs: remove kernel-doc warnings in exportfs
2023-08-29 17:45:22 -04:00
ext2
ext2: Fix ki_pos update for DIO buffered-io fallback case
2023-12-08 08:52:19 +01:00
ext4
ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
2023-12-20 17:02:01 +01:00
f2fs
f2fs: split initial and dynamic conditions for extent_cache
2023-11-28 17:20:11 +00:00
fat
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
freevxfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
fscache
fuse
fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
2023-12-20 17:01:52 +01:00
gfs2
gfs2: don't withdraw if init_threads() got interrupted
2023-11-28 17:20:11 +00:00
hfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hfsplus
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hostfs
hostfs: convert to ctime accessor functions
2023-07-24 10:30:00 +02:00
hpfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hugetlbfs
fs: use nth_page() in place of direct struct page manipulation
2023-11-28 17:20:05 +00:00
iomap
iomap: fix short copy in iomap_write_iter()
2023-10-19 09:41:36 -07:00
isofs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
jbd2
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
2023-11-28 17:20:04 +00:00
jffs2
jffs2: convert to ctime accessor functions
2023-07-24 10:30:01 +02:00
jfs
jfs: fix array-index-out-of-bounds in diAlloc
2023-11-28 17:19:43 +00:00
kernfs
Driver core changes for 6.6-rc1
2023-09-01 09:43:18 -07:00
lockd
SUNRPC: Add enum svc_auth_status
2023-08-29 17:45:22 -04:00
minix
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
netfs
netfs: Only call folio_start_fscache() one time for each folio
2023-09-18 12:03:46 -07:00
nfs
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
2023-11-28 17:19:49 +00:00
nfs_common
nfsd
cred: get rid of CONFIG_DEBUG_CREDENTIALS
2023-12-20 17:01:51 +01:00
nilfs2
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
2023-12-13 18:45:22 +01:00
nls
nls: Hide new NLS_UCS2_UTILS
2023-08-31 12:07:34 -05:00
notify
fanotify: limit reporting of event with non-decodeable file handles
2023-10-19 16:19:20 +02:00
ntfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
ntfs3
driver ntfs3 for linux 6.6
2023-10-19 09:10:18 -07:00
ocfs2
Many ext4 and jbd2 cleanups and bug fixes for v6.6-rc1.
2023-08-31 15:18:15 -07:00
omfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
openpromfs
openpromfs: convert to ctime accessor functions
2023-07-24 10:30:03 +02:00
orangefs
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
overlayfs
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
proc
watchdog: move softlockup_panic back to early_param
2023-11-28 17:19:57 +00:00
pstore
pstore/platform: Add check for kstrdup
2023-11-20 11:58:53 +01:00
qnx4
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
qnx6
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
quota
quota: explicitly forbid quota files from being encrypted
2023-11-28 17:20:04 +00:00
ramfs
ramfs: convert to ctime accessor functions
2023-07-24 10:30:04 +02:00
reiserfs
reiserfs: Replace 1-element array with C99 style flex-array
2023-09-11 14:07:46 +02:00
romfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
smb
smb: client: fix NULL deref in asn1_ber_decoder()
2023-12-20 17:02:05 +01:00
squashfs
squashfs: convert to ctime accessor functions
2023-07-24 10:30:05 +02:00
sysfs
sysv
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
tracefs
eventfs: Do not allow NULL parent to eventfs_start_creating()
2023-12-20 17:02:00 +01:00
ubifs
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
udf
\n
2023-08-30 12:10:50 -07:00
ufs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
unicode
vboxsf
v6.6-vfs.ctime
2023-08-28 09:31:32 -07:00
verity
fsverity: skip PKCS#7 parser when keyring is empty
2023-08-20 10:33:43 -07:00
xfs
xfs: recovery should not clear di_flushiter unconditionally
2023-11-28 17:20:09 +00:00
zonefs
New code for 6.6:
2023-08-28 11:59:52 -07:00
aio.c
aio: Annotate struct kioctx_table with __counted_by
2023-09-20 14:22:01 +02:00
anon_inodes.c
attr.c
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
bad_inode.c
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
binfmt_elf_fdpic.c
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
2023-09-29 17:20:45 -07:00
binfmt_elf_test.c
binfmt_elf.c
Merge branch 'expand-stack'
2023-06-28 20:35:21 -07:00
binfmt_flat.c
binfmt_misc.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
binfmt_script.c
buffer.c
iomap: add a workaround for racy i_size updates on block devices
2023-09-25 08:55:00 -07:00
char_dev.c
compat_binfmt_elf.c
coredump.c
v6.5/vfs.misc
2023-06-26 09:50:21 -07:00
d_path.c
dax.c
mm: remove enum page_entry_size
2023-08-24 16:20:30 -07:00
dcache.c
fs/dcache: Replace printk and WARN_ON by WARN
2023-08-19 13:41:11 +02:00
direct-io.c
- Yosry Ahmed brought back some cgroup v1 stats in OOM logs.
2023-06-28 10:28:11 -07:00
drop_caches.c
fs: drop_caches: draining pages before dropping caches
2023-08-18 10:12:11 -07:00
eventfd.c
eventfd: prevent underflow for eventfd semaphores
2023-07-11 11:41:34 +02:00
eventpoll.c
epoll: simplify ep_alloc()
2023-07-26 14:56:07 +02:00
exec.c
- An extensive rework of kexec and crash Kconfig from Eric DeVolder
2023-08-29 14:53:51 -07:00
fcntl.c
fcntl: Cast commands with int args explicitly
2023-07-10 14:36:11 +02:00
fhandle.c
file_table.c
fs: use __fput_sync in close(2)
2023-08-08 19:36:51 +02:00
file.c
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
filesystems.c
fs_context.c
fs: factor out vfs_parse_monolithic_sep() helper
2023-10-12 18:53:36 +03:00
fs_parser.c
fs_pin.c
fs_struct.c
kill do_each_thread()
2023-08-21 13:46:25 -07:00
fs_types.c
fs-writeback.c
writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs
2023-11-20 11:58:52 +01:00
fsopen.c
fs: add FSCONFIG_CMD_CREATE_EXCL
2023-08-14 18:48:02 +02:00
init.c
inode.c
filemap: add a per-mapping stable writes flag
2023-12-03 07:33:03 +01:00
internal.h
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
ioctl.c
v6.6-vfs.super
2023-08-28 11:04:18 -07:00
Kconfig
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
Kconfig.binfmt
riscv: support the elf-fdpic binfmt loader
2023-08-23 14:17:43 -07:00
kernel_read_file.c
fs: Fix kernel-doc warnings
2023-08-19 12:12:12 +02:00
libfs.c
libfs: getdents() should return 0 after reaching EOD
2023-12-03 07:33:03 +01:00
locks.c
NFSD 6.6 Release Notes
2023-08-31 15:32:18 -07:00
Makefile
fs: add CONFIG_BUFFER_HEAD
2023-08-02 09:13:09 -06:00
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c
audit,io_uring: io_uring openat triggers audit reference count underflow
2023-10-13 18:34:46 +02:00
namespace.c
v6.5/vfs.mount
2023-06-26 10:27:04 -07:00
nsfs.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
open.c
cred: get rid of CONFIG_DEBUG_CREDENTIALS
2023-12-20 17:01:51 +01:00
pipe.c
fs/pipe: remove duplicate "offset" initializer
2023-09-20 14:22:01 +02:00
pnode.c
pnode.h
posix_acl.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
proc_namespace.c
read_write.c
fs: Fix one kernel-doc comment
2023-08-15 08:32:45 +02:00
readdir.c
vfs: get rid of old '->iterate' directory operation
2023-08-06 15:08:35 +02:00
remap_range.c
select.c
seq_file.c
signalfd.c
splice.c
- Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list")
2023-08-29 14:25:26 -07:00
stack.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
stat.c
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
statfs.c
super.c
fs: export sget_dev()
2023-08-31 12:47:15 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c
mm: userfaultfd: remove stale comment about core dump locking
2023-08-24 16:20:27 -07:00
utimes.c
xattr.c
tmpfs,xattr: GFP_KERNEL_ACCOUNT for simple xattrs
2023-08-22 10:57:46 +02:00