smb: client: fix parsing of SMB3.1.1 POSIX create context

PlaidCat · PlaidCat · commit c6888a82c19f · 2024-09-12T13:19:28.000-04:00
jira LE-1907 cve CVE-2023-52434 Rebuild_History Non-Buildable kernel-5.14.0-427.16.1.el9_4 commit-author Paulo Alcantara <pc@manguebit.com> commit 76025cc Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.16.1.el9_4/76025cc2.failed The data offset for the SMB3.1.1 POSIX create context will always be 8-byte aligned so having the check 'noff + nlen >= doff' in smb2_parse_contexts() is wrong as it will lead to -EINVAL because noff + nlen == doff. Fix the sanity check to correctly handle aligned create context data. Fixes: af1689a ("smb: client: fix potential OOBs in smb2_parse_contexts()") Signed-off-by: Paulo Alcantara <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 76025cc) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/smb/client/smb2pdu.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.16.1.el9_4/76025cc2.failed b/ciq/ciq_backports/kernel-5.14.0-427.16.1.el9_4/76025cc2.failed
@@ -0,0 +1,103 @@
+smb: client: fix parsing of SMB3.1.1 POSIX create context
+
+jira LE-1907
+cve CVE-2023-52434
+Rebuild_History Non-Buildable kernel-5.14.0-427.16.1.el9_4
+commit-author Paulo Alcantara <pc@manguebit.com>
+commit 76025cc2285d9ede3d717fe4305d66f8be2d9346
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.16.1.el9_4/76025cc2.failed
+
+The data offset for the SMB3.1.1 POSIX create context will always be
+8-byte aligned so having the check 'noff + nlen >= doff' in
+smb2_parse_contexts() is wrong as it will lead to -EINVAL because noff
++ nlen == doff.
+
+Fix the sanity check to correctly handle aligned create context data.
+
+Fixes: af1689a9b770 ("smb: client: fix potential OOBs in smb2_parse_contexts()")
+	Signed-off-by: Paulo Alcantara <pc@manguebit.com>
+	Signed-off-by: Steve French <stfrench@microsoft.com>
+(cherry picked from commit 76025cc2285d9ede3d717fe4305d66f8be2d9346)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/smb/client/smb2pdu.c
+diff --cc fs/smb/client/smb2pdu.c
+index 456aa71f0a98,ec39dfbc3154..000000000000
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@@ -2152,31 -2269,46 +2152,58 @@@ smb2_parse_contexts(struct TCP_Server_I
+  	if (buf)
+  		buf->IndexNumber = 0;
+  
+++<<<<<<< HEAD
+ +	while (remaining >= sizeof(struct create_context)) {
+ +		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
+ +		if (le16_to_cpu(cc->NameLength) == 4 &&
+ +		    strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4) == 0)
+ +			*oplock = server->ops->parse_lease_buf(cc, epoch,
+ +							   lease_key);
+ +		else if (buf && (le16_to_cpu(cc->NameLength) == 4) &&
+ +		    strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4) == 0)
+ +			parse_query_id_ctxt(cc, buf);
+ +		else if ((le16_to_cpu(cc->NameLength) == 16)) {
+ +			if (posix &&
+ +			    memcmp(name, smb3_create_tag_posix, 16) == 0)
+++=======
++ 	while (rem >= sizeof(*cc)) {
++ 		doff = le16_to_cpu(cc->DataOffset);
++ 		dlen = le32_to_cpu(cc->DataLength);
++ 		if (check_add_overflow(doff, dlen, &len) || len > rem)
++ 			return -EINVAL;
++ 
++ 		noff = le16_to_cpu(cc->NameOffset);
++ 		nlen = le16_to_cpu(cc->NameLength);
++ 		if (noff + nlen > doff)
++ 			return -EINVAL;
++ 
++ 		name = (char *)cc + noff;
++ 		switch (nlen) {
++ 		case 4:
++ 			if (!strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
++ 				*oplock = server->ops->parse_lease_buf(cc, epoch,
++ 								       lease_key);
++ 			} else if (buf &&
++ 				   !strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4)) {
++ 				parse_query_id_ctxt(cc, buf);
++ 			}
++ 			break;
++ 		case 16:
++ 			if (posix && !memcmp(name, smb3_create_tag_posix, 16))
+++>>>>>>> 76025cc2285d (smb: client: fix parsing of SMB3.1.1 POSIX create context)
+  				parse_posix_ctxt(cc, buf, posix);
+ -			break;
+ -		default:
+ -			cifs_dbg(FYI, "%s: unhandled context (nlen=%zu dlen=%zu)\n",
+ -				 __func__, nlen, dlen);
+ -			if (IS_ENABLED(CONFIG_CIFS_DEBUG2))
+ -				cifs_dump_mem("context data: ", cc, dlen);
+ -			break;
+  		}
+ -
+ -		off = le32_to_cpu(cc->Next);
+ -		if (!off)
+ +		/* else {
+ +			cifs_dbg(FYI, "Context not matched with len %d\n",
+ +				le16_to_cpu(cc->NameLength));
+ +			cifs_dump_mem("Cctxt name: ", name, 4);
+ +		} */
+ +
+ +		next = le32_to_cpu(cc->Next);
+ +		if (!next)
+  			break;
+ -		if (check_sub_overflow(rem, off, &rem))
+ -			return -EINVAL;
+ -		cc = (struct create_context *)((u8 *)cc + off);
+ +		remaining -= next;
+ +		cc = (struct create_context *)((char *)cc + next);
+  	}
+  
+  	if (rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE)
+* Unmerged path fs/smb/client/smb2pdu.c
