four kernel server fixes, most for stable as well

-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmdRBwwACgkQiiy9cAdy
 T1Gn8Qv6AzC13DrzS5+VjzvzxcqXbzOejzNbU5+ae8lbjMsWNQcJ1hUP2DaFlN1A
 O+1P7h3V8tMWtftbYPKYF377PKzefZsLbme/heWAbhINDv/y9z02acduoxfVamBH
 pBOjRnNzOx0FZFhh8sMRxXD1xmS+BuqsRhiSvkVUkEJEBkKkSiae1OofB0YYLXRC
 3kev3Bhjpz0Z4LfIa8bEN94v1wbS2KrqfFZa0/p0B3QH675+KxPGWgeGXsTtYC+0
 YXGH0abwt6cr4ZmyG3PrZxidBkro9F53ciOSu7KU0FxgTvyYnvTBnYO36BXzdAaD
 X89xrbVh53cx7F11TK6/uUkonVjoxqWpVbUsbWCj2E+MQyb8ix+aJfdGg0Pw0A20
 y/Iq0YePB6cAK1up2sD9okbWHFFJbvl/80pGa/BrkJ3NdwcszyVqCDa6jF7FUy8G
 nGDosWWWAdcuAZqYmlVrjkkVgnv3sg9HEVMRbdjY2gDfcDuNORO6heAdslW8QtEn
 enbZaGbi
 =iLEz
 -----END PGP SIGNATURE-----

Merge tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - Three fixes for potential out of bound accesses in read and write
   paths (e.g. when alternate data streams enabled)

 - GCC 15 build fix

* tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: align aux_payload_buf to avoid OOB reads in cryptographic operations
  ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
  ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
  smb: server: Fix building with GCC 15
Linus Torvalds 2024-12-05 14:38:49 -08:00
commit f65289a871
2 changed files with 9 additions and 3 deletions


@ -6663,6 +6663,10 @@ int smb2_read(struct ksmbd_work *work)
} }
offset = le64_to_cpu(req->Offset); offset = le64_to_cpu(req->Offset);
if (offset < 0) {
err = -EINVAL;
goto out;
}
length = le32_to_cpu(req->Length); length = le32_to_cpu(req->Length);
mincount = le32_to_cpu(req->MinimumCount); mincount = le32_to_cpu(req->MinimumCount);
@ -6676,7 +6680,7 @@ int smb2_read(struct ksmbd_work *work)
ksmbd_debug(SMB, "filename %pD, offset %lld, len %zu\n", ksmbd_debug(SMB, "filename %pD, offset %lld, len %zu\n",
fp->filp, offset, length); fp->filp, offset, length);
aux_payload_buf = kvzalloc(length, KSMBD_DEFAULT_GFP); aux_payload_buf = kvzalloc(ALIGN(length, 8), KSMBD_DEFAULT_GFP);
if (!aux_payload_buf) { if (!aux_payload_buf) {
err = -ENOMEM; err = -ENOMEM;
goto out; goto out;
@ -6878,6 +6882,8 @@ int smb2_write(struct ksmbd_work *work)
} }
offset = le64_to_cpu(req->Offset); offset = le64_to_cpu(req->Offset);
if (offset < 0)
return -EINVAL;
length = le32_to_cpu(req->Length); length = le32_to_cpu(req->Length);
if (req->Channel == SMB2_CHANNEL_RDMA_V1 || if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||
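Review bot: The negative-offset rejection added to smb2_write uses a bare `return -EINVAL;`, while the same check added to smb2_read in this file sets `err = -EINVAL;` and takes `goto out;`. If smb2_write's `out` label is where the SMB2 error status is written into the response, as the read-side pattern suggests, the early return would skip it and the client could get a reply without a failure status; that label is outside the hunk, so this needs confirming against the full function. Consider `err = -EINVAL; goto out;` here as well, provided the cleanup path tolerates a file handle that has not been looked up yet. A one-line comment above both checks, such as `/* Offset is client-controlled; reject values that are negative once read as signed */`, would record why the test exists.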


@ -18,8 +18,8 @@
#include "mgmt/share_config.h" #include "mgmt/share_config.h"
/*for shortname implementation */ /*for shortname implementation */
static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%"; static const char *basechars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
#define MANGLE_BASE (sizeof(basechars) / sizeof(char) - 1) #define MANGLE_BASE (strlen(basechars) - 1)
#define MAGIC_CHAR '~' #define MAGIC_CHAR '~'
#define PERIOD '.' #define PERIOD '.'
#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE])) #define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
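Review bot: On the new side `basechars` is a writable pointer to const data, and `MANGLE_BASE` becomes a `strlen()` call evaluated at every `mangle(V)` use instead of an integer constant expression. Declaring it `static const char *const basechars` keeps the pointer itself read-only and makes it easier for the compiler to fold the length. Alternatively, an unsized array `static const char basechars[]` with `#define MANGLE_BASE (sizeof(basechars) - 2)` keeps the base a compile-time constant with the same value, since the unsized array also counts the terminating NUL. Either way the modulus stays one less than the number of characters in the table, so the final `%` is still never selected; a short comment saying whether that is intentional would help the next reader.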