authorJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:27 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:33 +0100
commit4fc3e06327370c733ea8a603d7667e16354f786b (patch)
treecca9e31697697ac2e0a744b99017006a7172a8e9
parente3c0972c599451202819b37c21f50153e75dff9d (diff)
cifs: Fix potential OOB access of lock element array
-rw-r--r--patches.kernel.org/4.20.3-016-cifs-Fix-potential-OOB-access-of-lock-element-.patch72
-rw-r--r--series.conf1
2 files changed, 73 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-016-cifs-Fix-potential-OOB-access-of-lock-element-.patch b/patches.kernel.org/4.20.3-016-cifs-Fix-potential-OOB-access-of-lock-element-.patch
new file mode 100644
index 0000000000..b67267dd39
--- /dev/null
+++ b/patches.kernel.org/4.20.3-016-cifs-Fix-potential-OOB-access-of-lock-element-.patch
@@ -0,0 +1,72 @@
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Tue, 8 Jan 2019 18:30:57 +0000
+Subject: [PATCH] cifs: Fix potential OOB access of lock element array
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: b9a74cde94957d82003fb9f7ab4777938ca851cd
+
+commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.
+
+If maxBuf is small but non-zero, it could result in a zero sized lock
+element array which we would then try and access OOB.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/file.c | 8 ++++----
+ fs/cifs/smb2file.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index c23bf9da93d2..d5c3e0725849 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -1131,10 +1131,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
+
+ /*
+ * Accessing maxBuf is racy with cifs_reconnect - need to store value
+- * and check it for zero before using.
++ * and check it before using.
+ */
+ max_buf = tcon->ses->server->maxBuf;
+- if (!max_buf) {
++ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
+ free_xid(xid);
+ return -EINVAL;
+ }
+@@ -1471,10 +1471,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
+
+ /*
+ * Accessing maxBuf is racy with cifs_reconnect - need to store value
+- * and check it for zero before using.
++ * and check it before using.
+ */
+ max_buf = tcon->ses->server->maxBuf;
+- if (!max_buf)
++ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
+ return -EINVAL;
+
+ max_num = (max_buf - sizeof(struct smb_hdr)) /
+diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
+index 4ed10dd086e6..2fc3d31967ee 100644
+--- a/fs/cifs/smb2file.c
++++ b/fs/cifs/smb2file.c
+@@ -122,10 +122,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
+
+ /*
+ * Accessing maxBuf is racy with cifs_reconnect - need to store value
+- * and check it for zero before using.
++ * and check it before using.
+ */
+ max_buf = tcon->ses->server->maxBuf;
+- if (!max_buf)
++ if (max_buf < sizeof(struct smb2_lock_element))
+ return -EINVAL;
+
+ max_num = max_buf / sizeof(struct smb2_lock_element);
+--
+2.20.1
+
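Review bot: The new lower bounds only rule out a zero-sized lock array; maxBuf is a server-advertised value and nothing here caps it from above, so `max_num` (the `max_buf - sizeof(struct smb_hdr)` division at the end of the cifs_unlock_range hunk, and the `max_buf / sizeof(struct smb2_lock_element)` line in smb2_unlock_range) and whatever per-call allocation it presumably sizes below the hunk still scale with whatever the peer reports. A cap such as `max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);` placed right after each new check would keep a hostile or misconfigured server from turning every lock call into a large allocation; it is a separate change from this one but belongs with it. The smb2file.c diffstat shows a single site touched; if the SMB2 push-mandatory-locks path in that file derives its element count from maxBuf the same way, it needs the same `if (max_buf < sizeof(struct smb2_lock_element))` guard, otherwise the OOB this patch closes remains reachable there. The three bound expressions are also duplicated verbatim; a small static helper or two named constants would keep them from drifting apart. All three functions start before and end after their hunks.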
diff --git a/series.conf b/series.conf
index 66f07ea2a6..8fb158166e 100644
--- a/series.conf
+++ b/series.conf
@@ -253,6 +253,7 @@
patches.kernel.org/4.20.3-013-CIFS-Do-not-set-credits-to-1-if-the-server-did.patch
patches.kernel.org/4.20.3-014-CIFS-Do-not-hide-EINTR-after-sending-network-p.patch
patches.kernel.org/4.20.3-015-CIFS-Fix-credit-computation-for-compounded-req.patch
+ patches.kernel.org/4.20.3-016-cifs-Fix-potential-OOB-access-of-lock-element-.patch
########################################################
# Build fixes that apply to the vanilla kernel too.