[SRU][Jammy][PATCH 1/1] ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop

Stefan Bader stefan.bader at canonical.com
Tue Feb 13 09:36:12 UTC 2024 

On 26.01.24 10:55, Stefan Bader wrote:
> On 25.01.24 22:44, Bethany Jamison wrote:
>> From: Namjae Jeon <linkinjeon at kernel.org>
>>
>> The length field of netbios header must be greater than the SMB header
>> sizes(smb1 or smb2 header), otherwise the packet is an invalid SMB 
>> packet.
>>
>> If `pdu_size` is 0, ksmbd allocates a 4 bytes chunk to 
>> `conn->request_buf`.
>> In the function `get_smb2_cmd_val` ksmbd will read cmd from
>> `rcv_hdr->Command`, which is `conn->request_buf + 12`, causing the KASAN
>> detector to print the following error message:
>>
>> [    7.205018] BUG: KASAN: slab-out-of-bounds in 
>> get_smb2_cmd_val+0x45/0x60
>> [    7.205423] Read of size 2 at addr ffff8880062d8b50 by task 
>> ksmbd:42632/248
>> ...
>> [    7.207125]  <TASK>
>> [    7.209191]  get_smb2_cmd_val+0x45/0x60
>> [    7.209426]  ksmbd_conn_enqueue_request+0x3a/0x100
>> [    7.209712]  ksmbd_server_process_request+0x72/0x160
>> [    7.210295]  ksmbd_conn_handler_loop+0x30c/0x550
>> [    7.212280]  kthread+0x160/0x190
>> [    7.212762]  ret_from_fork+0x1f/0x30
>> [    7.212981]  </TASK>
>>
>> Cc: stable at vger.kernel.org
>> Reported-by: Chih-Yen Chang <cc85nod at gmail.com>
>> Signed-off-by: Namjae Jeon <linkinjeon at kernel.org>
>> Signed-off-by: Steve French <stfrench at microsoft.com>
>> (backported from commit 368ba06881c395f1c9a7ba22203cf8d78b4addc0)
>> [bjamison: Jammy was missing the definition of smb2_get_msg function 
>> which was
>> used in the fix commit - function definition was very simple so I 
>> added it]
> 
> I do not want to say NACK right away but are you sure this works? The 
> commit which added this functions was
> 
> commit cb4517201b8acdb5fd5314494aaf86c267f22345
> Author: Namjae Jeon <linkinjeon at kernel.org>
> Date:   Wed Nov 3 08:08:44 2021 +0900
> 
>      ksmbd: remove smb2_buf_length in smb2_hdr
> 
> Which also did a lot of rework in the structures... When I looks at one 
> of the places where the smb2_get_msg gets added:
> 
> diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
> index f9dae6ef2115..ce0e85552da9 100644
> --- a/fs/ksmbd/oplock.c
> +++ b/fs/ksmbd/oplock.c
> @@ -629,10 +629,10 @@ static void __smb2_oplock_break_noti(struct 
> work_struct *wk)
>                  return;
>          }
> 
> -       rsp_hdr = work->response_buf;
> +       rsp_hdr = smb2_get_msg(work->response_buf);
> 
> This looks like Jammy code would still expect the rsp_hdr to be where 
> work->reponse_buf points to. While the access function uses a +4 offset.
> 

Hi Bethany,

this request is in a bit of a fuzzy state. Did we figure out whether my 
concern was valid or not. If yes, could you nack this, if no, maybe you 
could explain me why I am wrong.
> 
>> CVE-2023-38431
>> Signed-off-by: Bethany Jamison <bethany.jamison at canonical.com>
>> ---
>>   fs/ksmbd/connection.c | 12 ++++++++++++
>>   fs/ksmbd/smb2pdu.h    |  9 +++++++++
>>   2 files changed, 21 insertions(+)
>>
>> diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
>> index 3c4b7a96919ce..33d9f6ade7004 100644
>> --- a/fs/ksmbd/connection.c
>> +++ b/fs/ksmbd/connection.c
>> @@ -263,6 +263,9 @@ bool ksmbd_conn_alive(struct ksmbd_conn *conn)
>>       return true;
>>   }
>> +#define SMB1_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb_hdr))
>> +#define SMB2_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr) + 4)
>> +
>>   /**
>>    * ksmbd_conn_handler_loop() - session thread to listen on new smb 
>> requests
>>    * @p:        connection instance
>> @@ -319,6 +322,9 @@ int ksmbd_conn_handler_loop(void *p)
>>           if (pdu_size > MAX_STREAM_PROT_LEN)
>>               break;
>> +        if (pdu_size < SMB1_MIN_SUPPORTED_HEADER_SIZE)
>> +            break;
>> +
>>           /* 4 for rfc1002 length field */
>>           /* 1 for implied bcc[0] */
>>           size = pdu_size + 4 + 1;
>> @@ -346,6 +352,12 @@ int ksmbd_conn_handler_loop(void *p)
>>               continue;
>>           }
>> +        if (((struct smb2_hdr 
>> *)smb2_get_msg(conn->request_buf))->ProtocolId ==
> 
> Maybe that should be
> 
> if ( ((struct smb2_hdr *) conn->request_buf )->ProtocolId == 
> SMB2_PROTO_NUMBER) {
> 
> 
>> +            SMB2_PROTO_NUMBER) {
>> +            if (pdu_size < SMB2_MIN_SUPPORTED_HEADER_SIZE)
>> +                break;
>> +        }
>> +
>>           if (!default_conn_ops.process_fn) {
>>               pr_err("No connection request callback\n");
>>               break;
>> diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
>> index fa1cd556ab7ac..c8cc1083d3c81 100644
>> --- a/fs/ksmbd/smb2pdu.h
>> +++ b/fs/ksmbd/smb2pdu.h
>> @@ -1707,4 +1707,13 @@ int smb2_ioctl(struct ksmbd_work *work);
>>   int smb2_oplock_break(struct ksmbd_work *work);
>>   int smb2_notify(struct ksmbd_work *ksmbd_work);
>> +/*
>> + * Get the body of the smb2 message excluding the 4 byte rfc1002 headers
>> + * from request/response buffer.
>> + */
>> +static inline void *smb2_get_msg(void *buf)
>> +{
>> +    return buf + 4;
>> +}
>> +
>>   #endif    /* _SMB2PDU_H */
> 
> 
Thanks,
- Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240213/d1778bbd/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240213/d1778bbd/attachment-0001.sig>

More information about the kernel-team mailing list