linux/fs/cifs
Aurelien Aptel ccd48ec3d4 smb2: fix use-after-free in smb2_ioctl_query_info()
* rqst[1,2,3] is allocated in vars
* each rqst->rq_iov is also allocated in vars or using pooled memory

SMB2_open_free, SMB2_ioctl_free, SMB2_query_info_free are iterating on
each rqst after vars has been freed (use-after-free), and they are
freeing the kvec a second time (double-free).

How to trigger:

* compile with KASAN
* mount a share

$ smbinfo quota /mnt/foo
Segmentation fault
$ dmesg

 ==================================================================
 BUG: KASAN: use-after-free in SMB2_open_free+0x1c/0xa0
 Read of size 8 at addr ffff888007b10c00 by task python3/1200

 CPU: 2 PID: 1200 Comm: python3 Not tainted 5.12.0-rc6+ #107
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
 Call Trace:
  dump_stack+0x93/0xc2
  print_address_description.constprop.0+0x18/0x130
  ? SMB2_open_free+0x1c/0xa0
  ? SMB2_open_free+0x1c/0xa0
  kasan_report.cold+0x7f/0x111
  ? smb2_ioctl_query_info+0x240/0x990
  ? SMB2_open_free+0x1c/0xa0
  SMB2_open_free+0x1c/0xa0
  smb2_ioctl_query_info+0x2bf/0x990
  ? smb2_query_reparse_tag+0x600/0x600
  ? cifs_mapchar+0x250/0x250
  ? rcu_read_lock_sched_held+0x3f/0x70
  ? cifs_strndup_to_utf16+0x12c/0x1c0
  ? rwlock_bug.part.0+0x60/0x60
  ? rcu_read_lock_sched_held+0x3f/0x70
  ? cifs_convert_path_to_utf16+0xf8/0x140
  ? smb2_check_message+0x6f0/0x6f0
  cifs_ioctl+0xf18/0x16b0
  ? smb2_query_reparse_tag+0x600/0x600
  ? cifs_readdir+0x1800/0x1800
  ? selinux_bprm_creds_for_exec+0x4d0/0x4d0
  ? do_user_addr_fault+0x30b/0x950
  ? __x64_sys_openat+0xce/0x140
  __x64_sys_ioctl+0xb9/0xf0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fdcf1f4ba87
 Code: b3 66 90 48 8b 05 11 14 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 13 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffef1ce7748 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00000000c018cf07 RCX: 00007fdcf1f4ba87
 RDX: 0000564c467c5590 RSI: 00000000c018cf07 RDI: 0000000000000003
 RBP: 00007ffef1ce7770 R08: 00007ffef1ce7420 R09: 00007fdcf0e0562b
 R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000004018
 R13: 0000000000000001 R14: 0000000000000003 R15: 0000564c467c5590

 Allocated by task 1200:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7a/0x90
  smb2_ioctl_query_info+0x10e/0x990
  cifs_ioctl+0xf18/0x16b0
  __x64_sys_ioctl+0xb9/0xf0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Freed by task 1200:
  kasan_save_stack+0x1b/0x40
  kasan_set_track+0x1c/0x30
  kasan_set_free_info+0x20/0x30
  __kasan_slab_free+0xe5/0x110
  slab_free_freelist_hook+0x53/0x130
  kfree+0xcc/0x320
  smb2_ioctl_query_info+0x2ad/0x990
  cifs_ioctl+0xf18/0x16b0
  __x64_sys_ioctl+0xb9/0xf0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 The buggy address belongs to the object at ffff888007b10c00
  which belongs to the cache kmalloc-512 of size 512
 The buggy address is located 0 bytes inside of
  512-byte region [ffff888007b10c00, ffff888007b10e00)
 The buggy address belongs to the page:
 page:0000000044e14b75 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b10
 head:0000000044e14b75 order:2 compound_mapcount:0 compound_pincount:0
 flags: 0x100000000010200(slab|head)
 raw: 0100000000010200 ffffea000015f500 0000000400000004 ffff888001042c80
 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888007b10b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888007b10b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff888007b10c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                    ^
  ffff888007b10c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888007b10d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
2021-04-25 16:28:24 -05:00
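The ownership mistake described in the commit message, shown as an added illustration (this is not code from the commit or from the kernel): a container allocation (vars) owns three requests, each request owns its rq_iov array, and the helpers that walk the requests are called after the container is already gone. The struct names echo the message but their shapes are simplified stand-ins, and the quarantine allocator that counts use-after-free reads and second frees is a constructed stand-in for what KASAN does in the report above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the objects named in the commit message. */
struct kvec { void *iov_base; size_t iov_len; };
struct smb_rqst { struct kvec *rq_iov; unsigned int rq_nvec; };
struct query_vars { struct smb_rqst rqst[3]; };   /* constructed: vars owns rqst[0..2] */

/* Toy quarantine allocator standing in for KASAN: freed blocks stay mapped but
 * are recorded, so a later read or a second free is counted instead of
 * corrupting the heap. */
#define MAX_TRACK 16
static struct { void *base; size_t len; } quarantine[MAX_TRACK];
static int nquarantined;

struct fault_counts { int uaf; int double_free; };
static struct fault_counts faults;

static bool in_quarantine(const void *p)
{
	for (int i = 0; i < nquarantined; i++) {
		const char *b = quarantine[i].base;
		if ((const char *)p >= b && (const char *)p < b + quarantine[i].len)
			return true;
	}
	return false;
}

static void *tracked_alloc(size_t n) { return calloc(1, n); }

static void tracked_free(void *p, size_t n)
{
	if (!p) return;
	if (in_quarantine(p)) { faults.double_free++; return; }   /* freed twice */
	if (nquarantined < MAX_TRACK) {
		quarantine[nquarantined].base = p;
		quarantine[nquarantined++].len = n;
	}
}

/* Any read through a quarantined object is a use-after-free. */
static void note_read(const void *p) { if (in_quarantine(p)) faults.uaf++; }

static void release_quarantine(void)
{
	for (int i = 0; i < nquarantined; i++) free(quarantine[i].base);
	nquarantined = 0;
}

static struct query_vars *build_vars(void)
{
	struct query_vars *vars = tracked_alloc(sizeof *vars);
	for (int i = 0; i < 3; i++) {
		vars->rqst[i].rq_nvec = 2;
		vars->rqst[i].rq_iov = tracked_alloc(2 * sizeof(struct kvec));
	}
	return vars;
}

/* Stand-in for SMB2_open_free / SMB2_ioctl_free / SMB2_query_info_free:
 * reads rqst->rq_iov (the read KASAN flagged) and releases it. */
static void rqst_free(struct smb_rqst *rqst)
{
	note_read(rqst);
	tracked_free(rqst->rq_iov, rqst->rq_nvec * sizeof(struct kvec));
	rqst->rq_iov = NULL;
}

static struct fault_counts teardown(bool buggy_order)
{
	struct fault_counts zero = {0, 0};
	struct query_vars *vars = build_vars();
	faults = zero;

	if (buggy_order) {
		/* Order the message describes: iovs and vars are released first,
		 * then the *_free helpers walk rqst inside the freed vars. */
		for (int i = 0; i < 3; i++)
			tracked_free(vars->rqst[i].rq_iov, 2 * sizeof(struct kvec));
		tracked_free(vars, sizeof *vars);
		for (int i = 0; i < 3; i++)
			rqst_free(&vars->rqst[i]);
	} else {
		/* Children before container, and exactly one owner frees each buffer. */
		for (int i = 0; i < 3; i++)
			rqst_free(&vars->rqst[i]);
		tracked_free(vars, sizeof *vars);
	}
	release_quarantine();
	return faults;
}

struct fault_counts buggy_teardown(void) { return teardown(true); }
struct fault_counts fixed_teardown(void) { return teardown(false); }

int main(void)
{
	struct fault_counts b = buggy_teardown(), f = fixed_teardown();
	printf("buggy: %d use-after-free, %d double-free\n", b.uaf, b.double_free);
	printf("fixed: %d use-after-free, %d double-free\n", f.uaf, f.double_free);
	return 0;
}
```

The buggy ordering yields one use-after-free read and one double free per request, which is the pair of defects the message names; the fixed ordering yields none. The general rule the model encodes is that cleanup helpers which dereference a sub-object must run while its container is still allocated, and that a buffer should have a single owner responsible for freeing it.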
asn1.c cifs: remove bogus debug code 2020-10-22 12:17:52 -05:00
cache.c cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
cifs_debug.c cifs: export supported mount options via new mount_params /proc file 2021-04-25 16:28:24 -05:00
cifs_debug.h cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifs_dfs_ref.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
cifs_fs_sb.h cifs: store a pointer to the root dentry in cifs_sb_info once we have completed mounting the share 2021-04-25 16:28:23 -05:00
cifs_ioctl.h cifs: add SMB3 change notification support 2020-02-06 09:14:28 -06:00
cifs_spnego.c cifs: switch servers depending on binding state 2019-11-25 01:16:30 -06:00
cifs_spnego.h
cifs_swn.c fs/cifs/: fix misspellings using codespell tool 2021-03-19 00:37:51 -05:00
cifs_swn.h cifs: simplify SWN code with dummy funcs instead of ifdefs 2021-04-25 16:28:22 -05:00
cifs_unicode.c Convert trailing spaces and periods in path components 2020-10-11 23:57:18 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c cifs: Remove useless variable 2021-04-25 16:28:22 -05:00
cifsacl.h cifs: Fix cifsacl ACE mask for group and others. 2021-02-22 21:20:44 -06:00
cifsencrypt.c cifs: change confusing field serverName (to ip_addr) 2021-02-22 21:20:43 -06:00
cifsfs.c cifs: Grab a reference for the dentry of the cached directory during the lifetime of the cache 2021-04-25 16:28:23 -05:00
cifsfs.h cifs/smb3 fixes including improvements to mode bit conversion when using cifsacl mount option, new mount options for controlling attribute caching, improvements to crediting and reconnect, improved debugging 2021-02-26 14:09:41 -08:00
cifsglob.h cifs: add a timestamp to track when the lease of the cached dir was taken 2021-04-25 16:28:23 -05:00
cifspdu.h cifs: cifspdu.h: Replace one-element array with flexible-array member 2021-04-25 16:28:22 -05:00
cifsproto.h cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c cifs: rename the *_shroot* functions to *_cached_dir* 2021-04-25 16:28:23 -05:00
connect.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
dfs_cache.c cifs: constify get_normalized_path() properly 2021-04-25 16:28:23 -05:00
dfs_cache.h cifs: rename smb_vol as smb3_fs_context and move it to fs_context.h 2020-12-13 19:12:07 -06:00
dir.c cifs: switch build_path_from_dentry() to using dentry_path_raw() 2021-04-25 16:28:23 -05:00
dns_resolve.c keys: Pass the network namespace into request_key mechanism 2019-06-27 23:02:12 +01:00
dns_resolve.h
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
fs_context.c cifs: log mount errors using cifs_errorf() 2021-04-25 16:28:24 -05:00
fs_context.h cifs: add fs_context param to parsing helpers 2021-04-25 16:28:24 -05:00
fscache.c cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
fscache.h cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
inode.c cifs: check the timestamp for the cached dirent when deciding on revalidate 2021-04-25 16:28:24 -05:00
ioctl.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
Kconfig cifs: On cifs_reconnect, resolve the hostname again. 2021-04-07 21:29:36 -05:00
link.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
Makefile cifs: On cifs_reconnect, resolve the hostname again. 2021-04-07 21:29:36 -05:00
misc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
netlink.c cifs: Set witness notification handler for messages from userspace daemon 2020-12-14 09:16:22 -06:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs`: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00
rfc1002pdu.h
sess.c cifs: fix credit accounting for extra channel 2021-03-06 11:35:57 -06:00
smb1ops.c cifs: constify path argument of ->make_node() 2021-04-25 16:28:23 -05:00
smb2file.c cifs: allow unlock flock and OFD lock across fork 2020-03-22 22:49:09 -05:00
smb2glob.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-26 07:49:39 -05:00
smb2inode.c cifs: rename the *_shroot* functions to *_cached_dir* 2021-04-25 16:28:23 -05:00
smb2maperror.c cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES 2020-10-15 23:58:14 -05:00
smb2misc.c cifs: add a timestamp to track when the lease of the cached dir was taken 2021-04-25 16:28:23 -05:00
smb2ops.c smb2: fix use-after-free in smb2_ioctl_query_info() 2021-04-25 16:28:24 -05:00
smb2pdu.c cifs: rename the *_shroot* functions to *_cached_dir* 2021-04-25 16:28:23 -05:00
smb2pdu.h SMB3: update structures for new compression protocol definitions 2021-04-25 16:28:23 -05:00
smb2proto.h cifs: add a function to get a cached dir based on its dentry 2021-04-25 16:28:23 -05:00
smb2status.h cifs: don't use __constant_cpu_to_le32() 2019-05-07 23:24:54 -05:00
smb2transport.c cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-26 07:49:39 -05:00
smbdirect.c cifs: Fix fall-through warnings for Clang 2020-12-13 19:12:07 -06:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h
smbfsctl.h smb3: add some missing definitions from MS-FSCC 2020-10-23 15:38:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h cifs: Identify a connection by a conn_id. 2021-02-16 15:48:02 -06:00
transport.c cifs: Fix preauth hash corruption 2021-03-14 18:14:32 -05:00
unc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
winucase.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
xattr.c cifs: allocate buffer in the caller of build_path_from_dentry() 2021-04-25 16:28:23 -05:00