    ksmbd: fix out-of-bound read in deassemble_neg_contexts() · f1a41187
    Namjae Jeon authored
    The check in the beginning is
    `clen + sizeof(struct smb2_neg_context) <= len_of_ctxts`,
    but at the end of the loop, `len_of_ctxts` will subtract
    `((clen + 7) & ~0x7) + sizeof(struct smb2_neg_context)`, which causes
    integer underflow when clen is rounded up to 8-byte alignment. We should use
    `(clen + 7) & ~0x7` in the check to avoid underflow from happening.
    
    Then there are some variables that need to be declared unsigned
    instead of signed.
    
    [   11.671070] BUG: KASAN: slab-out-of-bounds in smb2_handle_negotiate+0x799/0x1610
    [   11.671533] Read of size 2 at addr ffff888005e86cf2 by task kworker/0:0/7
    ...
    [   11.673383] Call Trace:
    [   11.673541]  <TASK>
    [   11.673679]  dump_stack_lvl+0x33/0x50
    [   11.673913]  print_report+0xcc/0x620
    [   11.674671]  kasan_report+0xae/0xe0
    [   11.675171]  kasan_check_range+0x35/0x1b0
    [   11.675412]  smb2_handle_negotiate+0x799/0x1610
    [   11.676217]  ksmbd_smb_negotiate_common+0x526/0x770
    [   11.676795]  handle_ksmbd_work+0x274/0x810
    ...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
    Tested-by: Chih-Yen Chang <cc85nod@gmail.com>
    Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
smb2pdu.c 231 KB
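The following is an added, stand-alone C model of the length-accounting mismatch the commit message describes; it is not the kernel's code and not part of this commit. It assumes a simplified 8-byte context header (`neg_ctx_hdr`, a hypothetical stand-in for `smb2_neg_context`) and a constructed input buffer. `walk_contexts()` runs the same loop with either the unpadded bounds check (pre-fix) or the padded one (the fix), and returns -1 at the point where the pre-fix logic would read a header past the end of the buffer after `remaining` has wrapped. `short_guard_fires()` shows the second point in the message: a signed counter compared against a `size_t` is converted to unsigned, so a negative value silently passes a "too short" guard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 8-byte context header, shaped like (but not identical to)
 * smb2_neg_context: type, data length, reserved.  Hypothetical. */
struct neg_ctx_hdr {
    uint16_t ContextType;
    uint16_t DataLength;
    uint32_t Reserved;
};

#define HDR_LEN  sizeof(struct neg_ctx_hdr)
#define ALIGN8(x) (((x) + 7) & ~(size_t)7)

/*
 * Walk up to `count` contexts in buf[0..len).  A context occupies
 * HDR_LEN + DataLength bytes; the next one starts on an 8-byte boundary.
 * aligned_check == false: bounds check covers only the unpadded context
 *                         (the pre-fix logic described in the commit).
 * aligned_check == true : bounds check covers the padded stride (the fix).
 * Returns the number of contexts accepted, or -1 at the iteration where the
 * parser would read a header beyond the end of the buffer.
 */
int walk_contexts(const uint8_t *buf, size_t len, unsigned count, bool aligned_check)
{
    size_t off = 0;
    size_t remaining = len;   /* unsigned, as the fix requires */
    int accepted = 0;

    for (unsigned i = 0; i < count; i++) {
        if (remaining < HDR_LEN)
            break;
        if (off + HDR_LEN > len)
            return -1;        /* the header read would be out of bounds */

        struct neg_ctx_hdr hdr;
        memcpy(&hdr, buf + off, HDR_LEN);

        size_t clen     = hdr.DataLength;
        size_t ctxt_len = clen + HDR_LEN;          /* bytes the context really holds */
        size_t stride   = ALIGN8(clen) + HDR_LEN;  /* bytes consumed incl. padding */

        if ((aligned_check ? stride : ctxt_len) > remaining)
            break;

        accepted++;
        off += stride;
        remaining -= stride;  /* with the unpadded check this can wrap around */
    }
    return accepted;
}

/* Why the counters must be unsigned: in `int < size_t` the int is converted
 * to size_t, so a negative remaining length looks enormous and the guard does
 * not fire.  Returns true when the "too short" guard actually triggers. */
bool short_guard_fires(int remaining)
{
    return remaining < HDR_LEN;   /* -5 becomes SIZE_MAX - 4 here */
}

/* Constructed sample: context A (4 data bytes, padded to the next 8-byte
 * boundary) followed by context B (3 data bytes).  With pad_last == false
 * the buffer ends right after B's data (27 bytes); with true B is padded to
 * a full stride (32 bytes).  Returns the number of bytes written. */
size_t build_sample(uint8_t *out, size_t cap, bool pad_last)
{
    struct neg_ctx_hdr a = { .ContextType = 1, .DataLength = 4, .Reserved = 0 };
    struct neg_ctx_hdr b = { .ContextType = 2, .DataLength = 3, .Reserved = 0 };
    uint8_t *p = out;

    if (cap < 32)
        return 0;
    memcpy(p, &a, HDR_LEN); p += HDR_LEN;
    memset(p, 0xAA, 4);     p += 4;          /* A data */
    memset(p, 0x00, 4);     p += 4;          /* padding to offset 16 */
    memcpy(p, &b, HDR_LEN); p += HDR_LEN;
    memset(p, 0xBB, 3);     p += 3;          /* B data, ends at 27 */
    if (pad_last) {
        memset(p, 0x00, 5); p += 5;          /* pad B to offset 32 */
    }
    return (size_t)(p - out);
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf, false);

    /* Advertised count of 3 exceeds what the 27-byte buffer holds. */
    printf("unpadded check: %d\n", walk_contexts(buf, n, 3, false)); /* -1 */
    printf("padded check:   %d\n", walk_contexts(buf, n, 3, true));  /* 1  */
    printf("guard fires for -5: %s\n", short_guard_fires(-5) ? "yes" : "no");
    return 0;
}
```

With the unpadded check, context B (3 data bytes in the 11 bytes left) passes `11 <= 11`, the loop then subtracts the padded stride of 16, `remaining` wraps, and the next iteration would read a header at offset 32 of a 27-byte buffer. With the padded check the same context is rejected before the subtraction, which is the behaviour the commit message describes; a well-formed input whose last context is padded to a full stride is still accepted in full.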