microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
WSL2-Linux-Kernel/fs
История
Lin Ma aaa1f1a2ee ksmbd: fix global oob in ksmbd_nl_policy 
[ Upstream commit ebeae8adf89d9a82359f6659b1663d09beec2faa ]

Similar to a reported issue (check the commit b33fb5b801c6 ("net:
qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds
another global out-of-bounds read for policy ksmbd_nl_policy. See bug
trace below:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810

CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x172/0x475 mm/kasan/report.c:395
 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:386 [inline]
 __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
 __nla_parse+0x3e/0x50 lib/nlattr.c:697
 __nlmsg_parse include/net/netlink.h:748 [inline]
 genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565
 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x154/0x190 net/socket.c:734
 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdd66a8f359
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the variable:
 ksmbd_nl_policy+0x100/0xa80

The buggy address belongs to the physical page:
page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9
                   ^
 ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05
 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9
==================================================================

To fix it, add a placeholder named __KSMBD_EVENT_MAX and let
KSMBD_EVENT_MAX to be its original value - 1 according to what other
netlink families do. Also change two sites that refer the
KSMBD_EVENT_MAX to correct value.

Cc: stable@vger.kernel.org
Fixes: 0626e6641f ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-02-23 08:54:35 +01:00
..
9p 9p: v9fs_listxattr: fix %s null argument warning 2023-11-28 16:56:19 +00:00
adfs
affs affs: initialize fsdata in affs_truncate() 2023-02-01 08:27:06 +01:00
afs afs: Hide silly-rename files from userspace 2024-02-23 08:54:28 +01:00
autofs autofs: fix memory leak of waitqueues in autofs_catatonic_mode 2023-09-23 11:09:54 +02:00
befs
bfs
btrfs btrfs: add definition for EXTENT_TREE_V2 2024-02-23 08:54:34 +01:00
cachefiles
ceph ceph: fix type promotion bug on 32bit systems 2023-10-19 23:05:36 +02:00
cifs smb: client: fix OOB in smbCalcSize() 2024-01-05 15:13:38 +01:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-10 09:39:50 +01:00
configfs configfs: fix possible memory leak in configfs_create_dir() 2022-12-31 13:14:15 +01:00
cramfs
crypto
debugfs debugfs: fix automount d_fsdata usage 2024-01-25 14:52:27 -08:00
devpts
dlm dlm: fix plock lookup when using multiple lockspaces 2023-09-19 12:22:52 +02:00
ecryptfs
efivarfs efivarfs: force RO when remounting if SetVariable is not supported 2024-01-25 14:52:33 -08:00
efs
erofs erofs: ensure that the post-EOF tails are all zeroed 2023-09-06 21:28:37 +01:00
exfat exfat: support handle zero-size directory 2023-11-28 16:56:19 +00:00
exportfs
ext2 ext2: fix datatype of block number in ext2_xattr_set2() 2023-09-23 11:09:57 +02:00
ext4 ext4: allow for the last group to be marked as trimmed 2024-02-23 08:54:22 +01:00
f2fs f2fs: fix the f2fs_file_write_iter tracepoint 2024-01-25 14:52:43 -08:00
fat
freevxfs
fscache
fuse fuse: share lookup state between submount and its parent 2024-01-05 15:13:36 +01:00
gfs2 gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump 2024-01-25 14:52:35 -08:00
hfs hfs: fix missing hfs_bnode_get() in __hfs_bnode_create 2023-03-10 09:39:57 +01:00
hfsplus fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() 2023-05-24 17:36:43 +01:00
hostfs
hpfs
hugetlbfs hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() 2022-12-31 13:14:44 +01:00
iomap iomap: update ki_pos a little later in iomap_dio_complete 2023-12-08 08:48:05 +01:00
isofs
jbd2 jbd2: fix soft lockup in journal_finish_inode_data_buffers() 2024-01-25 14:52:29 -08:00
jffs2 jffs2: reduce stack usage in jffs2_build_xattr_subsystem() 2023-07-23 13:47:34 +02:00
jfs jfs: fix array-index-out-of-bounds in diAlloc 2023-11-28 16:56:18 +00:00
kernfs kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR 2023-07-23 13:47:23 +02:00
ksmbd ksmbd: fix global oob in ksmbd_nl_policy 2024-02-23 08:54:35 +01:00
lockd fs: lockd: avoid possible wrong NULL parameter 2023-09-19 12:22:43 +02:00
minix
netfs
nfs NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT 2024-01-25 14:52:36 -08:00
nfs_common
nfsd nfsd: fix file memleak on client_opens_release 2023-11-28 16:56:34 +00:00
nilfs2 nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage() 2023-12-13 18:36:43 +01:00
nls fs/nls: make load_nls() take a const parameter 2023-09-19 12:22:27 +02:00
notify fanotify: disallow mount/sb marks on kernel internal pseudo fs 2023-07-23 13:47:36 +02:00
ntfs ntfs: check overflow when iterating ATTR_RECORDs 2022-11-26 09:24:52 +01:00
ntfs3 fs/ntfs3: Avoid possible memory leak 2023-11-08 17:26:46 +01:00
ocfs2 fs: ocfs2: namei: check return value of ocfs2_add_entry() 2023-09-19 12:22:34 +02:00
omfs
openpromfs
orangefs orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() 2022-12-31 13:14:44 +01:00
overlayfs ima: detect changes to the backing overlay file 2023-11-28 16:56:29 +00:00
proc proc: sysctl: prevent aliased sysctls from getting passed to init 2023-12-03 07:31:24 +01:00
pstore pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() 2024-01-25 14:52:35 -08:00
qnx4
qnx6
quota quota: explicitly forbid quota files from being encrypted 2023-11-28 16:56:31 +00:00
ramfs shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs 2023-07-23 13:47:33 +02:00
reiserfs reiserfs: Check the return value from __getblk() 2023-09-19 12:22:30 +02:00
romfs
smbfs_common
squashfs revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" 2023-02-22 12:57:07 +01:00
sysfs
sysv fs/sysv: Null check to prevent null-ptr-deref bug 2023-08-11 15:13:58 +02:00
tracefs tracefs: Add missing lockdown check to tracefs_create_dir() 2023-09-23 11:10:02 +02:00
ubifs ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path 2024-02-23 08:54:26 +01:00
udf udf: initialize newblock to 0 2023-09-19 12:22:53 +02:00
ufs
unicode
vboxsf
verity fsverity: skip PKCS#7 parser when keyring is empty 2023-09-19 12:22:52 +02:00
xfs xfs: read only mounts with fsopen mount API are busted 2024-02-23 08:54:32 +01:00
zonefs zonefs: Fix error message in zonefs_file_dio_append() 2023-04-05 11:25:01 +02:00
Kconfig ksmbd: have a dependency on cifs ARC4 2024-01-05 15:13:36 +01:00
Kconfig.binfmt
Makefile io_uring: move to separate directory 2022-12-14 11:37:31 +01:00
aio.c aio: fix mremap after fork null-deref 2023-02-22 12:57:05 +01:00
anon_inodes.c
attr.c attr: block mode changes of symlinks 2023-09-23 11:10:01 +02:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c fs: binfmt_elf_efpic: fix personality for ELF-FDPIC 2023-10-06 13:18:24 +02:00
binfmt_flat.c
binfmt_misc.c binfmt_misc: fix shift-out-of-bounds in check_special_flags 2022-12-31 13:14:39 +01:00
binfmt_script.c
buffer.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-26 09:24:51 +01:00
char_dev.c chardev: fix error handling in cdev_device_add() 2022-12-31 13:14:30 +01:00
compat_binfmt_elf.c
coredump.c
d_path.c
dax.c
dcache.c
direct-io.c
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-19 12:22:30 +02:00
eventpoll.c epoll: ep_autoremove_wake_function should use list_del_init_careful 2023-06-21 15:59:14 +02:00
exec.c exec: Fix error handling in begin_new_exec() 2024-02-23 08:54:31 +01:00
fcntl.c
fhandle.c
file.c file: reinstate f_pos locking optimization for regular files 2023-08-11 15:13:58 +02:00
file_table.c
filesystems.c
fs-writeback.c writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs 2023-11-20 11:08:13 +01:00
fs_context.c fs: avoid empty option when generating legacy mount string 2023-07-23 13:47:34 +02:00
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c fs: add ctime accessors infrastructure 2023-12-08 08:48:04 +01:00
internal.h nfs: use vfs setgid helper 2023-08-30 16:18:19 +02:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-02-23 08:54:25 +01:00
kernel_read_file.c
libfs.c libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value 2022-12-31 13:14:03 +01:00
locks.c locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock 2023-09-23 11:09:55 +02:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2023-01-12 11:59:20 +01:00
mount.h
mpage.c
namei.c rename(): fix the locking of subdirectories 2024-02-23 08:54:26 +01:00
namespace.c fs: indicate request originates from old mount API 2024-01-25 14:52:35 -08:00
no-block.c
nsfs.c
open.c open: make RESOLVE_CACHED correctly test for O_TMPFILE 2023-08-11 15:13:57 +02:00
pipe.c pipe: wakeup wr_wait after setting max_usage 2024-02-23 08:54:33 +01:00
pnode.c pnode: terminate at peers of source 2023-01-12 11:58:47 +01:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-19 12:36:39 +01:00
readdir.c
remap_range.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:36:54 +01:00
super.c fs: Protect reconfiguration of sb read-write from racing writes 2023-08-11 15:13:58 +02:00
sync.c
timerfd.c
userfaultfd.c
utimes.c
xattr.c fs: don't audit the capability check in simple_xattr_list() 2022-12-31 13:14:01 +01:00