Skip to content

Commit 1f1ad86

Browse files
Paulo Alcantaranukelet
authored andcommitted
cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
BugLink: https://bugs.launchpad.net/bugs/2036450 When calling smb2_ioctl_query_info() with invalid smb_query_info::flags, a NULL ptr dereference is triggered when trying to kfree() uninitialised rqst[n].rq_iov array. This also fixes leaked paths that are created in SMB2_open_init() which required SMB2_open_free() to properly free them. Here is a small C reproducer that triggers it #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define die(s) perror(s), exit(1) #define QUERY_INFO 0xc018cf07 int main(int argc, char *argv[]) { int fd; if (argc < 2) exit(1); fd = open(argv[1], O_RDONLY); if (fd == -1) die("open"); if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) die("ioctl"); close(fd); return 0; } mount.cifs //srv/share /mnt -o ... gcc repro.c && ./a.out /mnt/f0 [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4 [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2 [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs] [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48 [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256 [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0 [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003 [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800 [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8 [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000 [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0 [ 1832.132801] Call Trace: [ 1832.132962] <TASK> [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs] [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs] [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70 [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0 [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs] [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs] [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0 [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs] [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70 [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0 [ 1832.137096] ? __up_read+0x192/0x710 [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0 [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0 [ 1832.137850] __x64_sys_ioctl+0x127/0x190 [ 1832.138103] do_syscall_64+0x3b/0x90 [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 1832.138702] RIP: 0033:0x7fcee9a253df [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003 [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48 [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000 [ 1832.142851] </TASK> [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs] Cc: [email protected] Signed-off-by: Paulo Alcantara (SUSE) <[email protected]> Signed-off-by: Steve French <[email protected]> (cherry picked from commit d6f5e35) Signed-off-by: Tim Gardner <[email protected]>
1 parent ca8b304 commit 1f1ad86

File tree

1 file changed

+65
-59
lines changed

1 file changed

+65
-59
lines changed

fs/cifs/smb2ops.c

Lines changed: 65 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -1645,6 +1645,7 @@ smb2_ioctl_query_info(const unsigned int xid,
16451645
unsigned int size[2];
16461646
void *data[2];
16471647
int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
1648+
void (*free_req1_func)(struct smb_rqst *r);
16481649

16491650
vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
16501651
if (vars == NULL)
@@ -1654,17 +1655,18 @@ smb2_ioctl_query_info(const unsigned int xid,
16541655

16551656
resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
16561657

1657-
if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
1658-
goto e_fault;
1659-
1658+
if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
1659+
rc = -EFAULT;
1660+
goto free_vars;
1661+
}
16601662
if (qi.output_buffer_length > 1024) {
1661-
kfree(vars);
1662-
return -EINVAL;
1663+
rc = -EINVAL;
1664+
goto free_vars;
16631665
}
16641666

16651667
if (!ses || !server) {
1666-
kfree(vars);
1667-
return -EIO;
1668+
rc = -EIO;
1669+
goto free_vars;
16681670
}
16691671

16701672
if (smb3_encryption_required(tcon))
@@ -1673,8 +1675,8 @@ smb2_ioctl_query_info(const unsigned int xid,
16731675
if (qi.output_buffer_length) {
16741676
buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
16751677
if (IS_ERR(buffer)) {
1676-
kfree(vars);
1677-
return PTR_ERR(buffer);
1678+
rc = PTR_ERR(buffer);
1679+
goto free_vars;
16781680
}
16791681
}
16801682

@@ -1713,48 +1715,45 @@ smb2_ioctl_query_info(const unsigned int xid,
17131715
rc = SMB2_open_init(tcon, server,
17141716
&rqst[0], &oplock, &oparms, path);
17151717
if (rc)
1716-
goto iqinf_exit;
1718+
goto free_output_buffer;
17171719
smb2_set_next_command(tcon, &rqst[0]);
17181720

17191721
/* Query */
17201722
if (qi.flags & PASSTHRU_FSCTL) {
17211723
/* Can eventually relax perm check since server enforces too */
1722-
if (!capable(CAP_SYS_ADMIN))
1724+
if (!capable(CAP_SYS_ADMIN)) {
17231725
rc = -EPERM;
1724-
else {
1725-
rqst[1].rq_iov = &vars->io_iov[0];
1726-
rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
1727-
1728-
rc = SMB2_ioctl_init(tcon, server,
1729-
&rqst[1],
1730-
COMPOUND_FID, COMPOUND_FID,
1731-
qi.info_type, true, buffer,
1732-
qi.output_buffer_length,
1733-
CIFSMaxBufSize -
1734-
MAX_SMB2_CREATE_RESPONSE_SIZE -
1735-
MAX_SMB2_CLOSE_RESPONSE_SIZE);
1726+
goto free_open_req;
17361727
}
1728+
rqst[1].rq_iov = &vars->io_iov[0];
1729+
rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
1730+
1731+
rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
1732+
qi.info_type, true, buffer, qi.output_buffer_length,
1733+
CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
1734+
MAX_SMB2_CLOSE_RESPONSE_SIZE);
1735+
free_req1_func = SMB2_ioctl_free;
17371736
} else if (qi.flags == PASSTHRU_SET_INFO) {
17381737
/* Can eventually relax perm check since server enforces too */
1739-
if (!capable(CAP_SYS_ADMIN))
1738+
if (!capable(CAP_SYS_ADMIN)) {
17401739
rc = -EPERM;
1741-
else if (qi.output_buffer_length < 8)
1740+
goto free_open_req;
1741+
}
1742+
if (qi.output_buffer_length < 8) {
17421743
rc = -EINVAL;
1743-
else {
1744-
rqst[1].rq_iov = &vars->si_iov[0];
1745-
rqst[1].rq_nvec = 1;
1746-
1747-
/* MS-FSCC 2.4.13 FileEndOfFileInformation */
1748-
size[0] = 8;
1749-
data[0] = buffer;
1750-
1751-
rc = SMB2_set_info_init(tcon, server,
1752-
&rqst[1],
1753-
COMPOUND_FID, COMPOUND_FID,
1754-
current->tgid,
1755-
FILE_END_OF_FILE_INFORMATION,
1756-
SMB2_O_INFO_FILE, 0, data, size);
1744+
goto free_open_req;
17571745
}
1746+
rqst[1].rq_iov = &vars->si_iov[0];
1747+
rqst[1].rq_nvec = 1;
1748+
1749+
/* MS-FSCC 2.4.13 FileEndOfFileInformation */
1750+
size[0] = 8;
1751+
data[0] = buffer;
1752+
1753+
rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
1754+
current->tgid, FILE_END_OF_FILE_INFORMATION,
1755+
SMB2_O_INFO_FILE, 0, data, size);
1756+
free_req1_func = SMB2_set_info_free;
17581757
} else if (qi.flags == PASSTHRU_QUERY_INFO) {
17591758
rqst[1].rq_iov = &vars->qi_iov[0];
17601759
rqst[1].rq_nvec = 1;
@@ -1765,14 +1764,15 @@ smb2_ioctl_query_info(const unsigned int xid,
17651764
qi.info_type, qi.additional_information,
17661765
qi.input_buffer_length,
17671766
qi.output_buffer_length, buffer);
1767+
free_req1_func = SMB2_query_info_free;
17681768
} else { /* unknown flags */
17691769
cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
17701770
qi.flags);
17711771
rc = -EINVAL;
17721772
}
17731773

17741774
if (rc)
1775-
goto iqinf_exit;
1775+
goto free_open_req;
17761776
smb2_set_next_command(tcon, &rqst[1]);
17771777
smb2_set_related(&rqst[1]);
17781778

@@ -1783,14 +1783,14 @@ smb2_ioctl_query_info(const unsigned int xid,
17831783
rc = SMB2_close_init(tcon, server,
17841784
&rqst[2], COMPOUND_FID, COMPOUND_FID, false);
17851785
if (rc)
1786-
goto iqinf_exit;
1786+
goto free_req_1;
17871787
smb2_set_related(&rqst[2]);
17881788

17891789
rc = compound_send_recv(xid, ses, server,
17901790
flags, 3, rqst,
17911791
resp_buftype, rsp_iov);
17921792
if (rc)
1793-
goto iqinf_exit;
1793+
goto out;
17941794

17951795
/* No need to bump num_remote_opens since handle immediately closed */
17961796
if (qi.flags & PASSTHRU_FSCTL) {
@@ -1800,47 +1800,53 @@ smb2_ioctl_query_info(const unsigned int xid,
18001800
qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
18011801
if (qi.input_buffer_length > 0 &&
18021802
le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
1803-
> rsp_iov[1].iov_len)
1804-
goto e_fault;
1803+
> rsp_iov[1].iov_len) {
1804+
rc = -EFAULT;
1805+
goto out;
1806+
}
18051807

18061808
if (copy_to_user(&pqi->input_buffer_length,
18071809
&qi.input_buffer_length,
1808-
sizeof(qi.input_buffer_length)))
1809-
goto e_fault;
1810+
sizeof(qi.input_buffer_length))) {
1811+
rc = -EFAULT;
1812+
goto out;
1813+
}
18101814

18111815
if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
18121816
(const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
18131817
qi.input_buffer_length))
1814-
goto e_fault;
1818+
rc = -EFAULT;
18151819
} else {
18161820
pqi = (struct smb_query_info __user *)arg;
18171821
qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
18181822
if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length)
18191823
qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
18201824
if (copy_to_user(&pqi->input_buffer_length,
18211825
&qi.input_buffer_length,
1822-
sizeof(qi.input_buffer_length)))
1823-
goto e_fault;
1826+
sizeof(qi.input_buffer_length))) {
1827+
rc = -EFAULT;
1828+
goto out;
1829+
}
18241830

18251831
if (copy_to_user(pqi + 1, qi_rsp->Buffer,
18261832
qi.input_buffer_length))
1827-
goto e_fault;
1833+
rc = -EFAULT;
18281834
}
18291835

1830-
iqinf_exit:
1831-
cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
1832-
cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
1833-
cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
1836+
out:
18341837
free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
18351838
free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
18361839
free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
1837-
kfree(vars);
1840+
SMB2_close_free(&rqst[2]);
1841+
free_req_1:
1842+
free_req1_func(&rqst[1]);
1843+
free_open_req:
1844+
SMB2_open_free(&rqst[0]);
1845+
free_output_buffer:
18381846
kfree(buffer);
1847+
free_vars:
1848+
kfree(vars);
18391849
return rc;
1840-
1841-
e_fault:
1842-
rc = -EFAULT;
1843-
goto iqinf_exit;
18441850
}
18451851

18461852
static ssize_t

0 commit comments

Comments
 (0)