<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs/ksmbd, branch master</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=master</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2023-05-24T21:29:21Z</updated>
<entry>
<title>smb: move client and server files to common directory fs/smb</title>
<updated>2023-05-24T21:29:21Z</updated>
<author>
<name>Steve French</name>
<email>stfrench@microsoft.com</email>
</author>
<published>2023-05-22T01:46:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=38c8a9a52082579090e34c033d439ed2cd1a462d'/>
<id>urn:sha1:38c8a9a52082579090e34c033d439ed2cd1a462d</id>
<content type='text'>
Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
and helper modules) to new fs/smb subdirectory:

   fs/cifs --&gt; fs/smb/client
   fs/ksmbd --&gt; fs/smb/server
   fs/smbfs_common --&gt; fs/smb/common

Suggested-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: smb2: Allow messages padded to 8byte boundary</title>
<updated>2023-05-16T15:26:14Z</updated>
<author>
<name>Gustav Johansson</name>
<email>gustajo@axis.com</email>
</author>
<published>2023-05-05T15:05:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=e7b8b8ed9960bf699bf4029f482d9e869c094ed6'/>
<id>urn:sha1:e7b8b8ed9960bf699bf4029f482d9e869c094ed6</id>
<content type='text'>
clc length is now accepted when it is &lt;= 8 less than length,
rather than &lt; 8.

Solves issues on some of Axis's smb clients which send
messages where clc length is 8 bytes less than length.

The specific client was running kernel 4.19.217 with
smb dialect 3.0.2 on armv7l.

Cc: stable@vger.kernel.org
Signed-off-by: Gustav Johansson &lt;gustajo@axis.com&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: allocate one more byte for implied bcc[0]</title>
<updated>2023-05-16T15:26:14Z</updated>
<author>
<name>Chih-Yen Chang</name>
<email>cc85nod@gmail.com</email>
</author>
<published>2023-05-05T15:03:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=443d61d1fa9faa60ef925513d83742902390100f'/>
<id>urn:sha1:443d61d1fa9faa60ef925513d83742902390100f</id>
<content type='text'>
ksmbd_smb2_check_message allows the client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bounds access.

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang &lt;cc85nod@gmail.com&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: fix wrong UserName check in session_user</title>
<updated>2023-05-16T15:26:14Z</updated>
<author>
<name>Chih-Yen Chang</name>
<email>cc85nod@gmail.com</email>
</author>
<published>2023-05-05T15:01:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f'/>
<id>urn:sha1:f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f</id>
<content type='text'>
The offset of UserName is related to the address of the security
buffer. To ensure the validity of UserName, we need to compare name_off
+ name_len with secbuf_len instead of auth_msg_len.

[   27.096243] ==================================================================
[   27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350
[   27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7
...
[   27.099950] Call Trace:
[   27.100194]  &lt;TASK&gt;
[   27.100397]  dump_stack_lvl+0x33/0x50
[   27.100752]  print_report+0xcc/0x620
[   27.102305]  kasan_report+0xae/0xe0
[   27.103072]  kasan_check_range+0x35/0x1b0
[   27.103757]  smb_strndup_from_utf16+0x188/0x350
[   27.105474]  smb2_sess_setup+0xaf8/0x19c0
[   27.107935]  handle_ksmbd_work+0x274/0x810
[   27.108315]  process_one_work+0x419/0x760
[   27.108689]  worker_thread+0x2a2/0x6f0
[   27.109385]  kthread+0x160/0x190
[   27.110129]  ret_from_fork+0x1f/0x30
[   27.110454]  &lt;/TASK&gt;

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang &lt;cc85nod@gmail.com&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
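Added example, not the commit's or ksmbd's code: a Python model of the UserName extraction from an SMB2 SESSION_SETUP request carrying an NTLMSSP AUTHENTICATE message (field layout per MS-NLMP 2.2.1.3 and MS-SMB2 2.2.5). It bounds name_off + name_len by the security buffer length, as the fix above does, beside the whole-message bound the commit message describes as wrong. The zeroed 64-byte header placeholder, the request builder, the allocation-boundary read model and every function name are constructed for the illustration.

```python
# Added example, not ksmbd code. Extracts the NTLMSSP AUTHENTICATE UserName
# from an SMB2 SESSION_SETUP request and shows why the bound must be the
# security buffer's own length: UserName.BufferOffset is relative to the
# start of the NTLMSSP message, not to the SMB2 packet. Names are mine.

SMB2_HDR_LEN = 64        # SMB2 header, left as a zeroed placeholder here
SESS_SETUP_FIXED = 24    # SESSION_SETUP fixed part (MS-SMB2 2.2.5)
AUTH_MSG_MIN = 64        # AUTHENTICATE_MESSAGE through NegotiateFlags (MS-NLMP 2.2.1.3)
USERNAME_FIELDS = 36     # UserNameFields: Len(2) MaxLen(2) BufferOffset(4)


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def build_authenticate(user, name_off=None, name_len=None):
    """Constructed input: a minimal AUTHENTICATE_MESSAGE whose payload holds
    only UserName. name_off/name_len override the fields to model a hostile
    client; offsets are relative to the start of this message."""
    payload = user.encode("utf-16-le")
    msg = bytearray(AUTH_MSG_MIN) + payload
    msg[0:8] = b"NTLMSSP\x00"
    msg[8:12] = (3).to_bytes(4, "little")            # MessageType AUTHENTICATE
    off = AUTH_MSG_MIN if name_off is None else name_off
    ln = len(payload) if name_len is None else name_len
    msg[USERNAME_FIELDS:USERNAME_FIELDS + 2] = ln.to_bytes(2, "little")
    msg[USERNAME_FIELDS + 2:USERNAME_FIELDS + 4] = ln.to_bytes(2, "little")
    msg[USERNAME_FIELDS + 4:USERNAME_FIELDS + 8] = off.to_bytes(4, "little")
    return bytes(msg)


def build_session_setup(blob):
    """Constructed input: header placeholder + SESSION_SETUP fixed part + blob.
    SecurityBufferOffset counts from the start of the SMB2 header."""
    req = bytearray(SMB2_HDR_LEN + SESS_SETUP_FIXED)
    body = SMB2_HDR_LEN
    req[body:body + 2] = (25).to_bytes(2, "little")                 # StructureSize
    req[body + 12:body + 14] = len(req).to_bytes(2, "little")       # SecurityBufferOffset
    req[body + 14:body + 16] = len(blob).to_bytes(2, "little")      # SecurityBufferLength
    return bytes(req) + blob


def read_alloc(buf, start, n):
    """Model of the kernel read: the request buffer is the allocation, and
    reading past it is what KASAN reports as slab-out-of-bounds."""
    if start + n > len(buf):
        raise IndexError("slab-out-of-bounds: %d bytes past the request buffer"
                         % (start + n - len(buf)))
    return buf[start:start + n]


def session_user(req, strict=True):
    """Return the UserName, or None if the request is rejected.

    strict=True bounds name_off + name_len by SecurityBufferLength (the fix).
    strict=False bounds it by SecurityBufferOffset + SecurityBufferLength,
    a whole-message length, which is too permissive by SecurityBufferOffset."""
    body = SMB2_HDR_LEN
    secbuf_off = u16(req, body + 12)
    secbuf_len = u16(req, body + 14)
    if secbuf_off + secbuf_len > len(req) or AUTH_MSG_MIN > secbuf_len:
        return None
    if req[secbuf_off:secbuf_off + 8] != b"NTLMSSP\x00" or u32(req, secbuf_off + 8) != 3:
        return None
    name_len = u16(req, secbuf_off + USERNAME_FIELDS)
    name_off = u32(req, secbuf_off + USERNAME_FIELDS + 4)
    limit = secbuf_len if strict else secbuf_off + secbuf_len
    if name_off + name_len > limit:
        return None
    raw = read_alloc(req, secbuf_off + name_off, name_len)
    return raw.decode("utf-16-le", errors="replace")


def demo():
    """A genuine login and a hostile one whose UserName extends 40 bytes past
    the security buffer: accepted and read out of bounds by the loose check,
    rejected by the strict one."""
    good = build_session_setup(build_authenticate("alice"))
    hostile = build_session_setup(
        build_authenticate("alice", name_off=AUTH_MSG_MIN, name_len=10 + 40))
    out = {"good": session_user(good), "hostile_strict": session_user(hostile)}
    try:
        out["hostile_loose"] = session_user(hostile, strict=False)
    except IndexError as e:
        out["hostile_loose"] = str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The loose bound passes anything up to SecurityBufferOffset bytes beyond the blob, which is exactly the slack a client needs to push the read into whatever follows the request allocation; the strict bound rejects it before any byte is touched.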
<entry>
<title>ksmbd: fix global-out-of-bounds in smb2_find_context_vals</title>
<updated>2023-05-16T15:26:14Z</updated>
<author>
<name>Chih-Yen Chang</name>
<email>cc85nod@gmail.com</email>
</author>
<published>2023-05-14T03:05:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=02f76c401d17e409ed45bf7887148fcc22c93c85'/>
<id>urn:sha1:02f76c401d17e409ed45bf7887148fcc22c93c85</id>
<content type='text'>
Add tag_len argument in smb2_find_context_vals() to avoid out-of-bounds
read when create_context's name_len is larger than tag length.

[    7.995411] ==================================================================
[    7.995866] BUG: KASAN: global-out-of-bounds in memcmp+0x83/0xa0
[    7.996248] Read of size 8 at addr ffffffff8258d940 by task kworker/0:0/7
...
[    7.998191] Call Trace:
[    7.998358]  &lt;TASK&gt;
[    7.998503]  dump_stack_lvl+0x33/0x50
[    7.998743]  print_report+0xcc/0x620
[    7.999458]  kasan_report+0xae/0xe0
[    7.999895]  kasan_check_range+0x35/0x1b0
[    8.000152]  memcmp+0x83/0xa0
[    8.000347]  smb2_find_context_vals+0xf7/0x1e0
[    8.000635]  smb2_open+0x1df2/0x43a0
[    8.006398]  handle_ksmbd_work+0x274/0x810
[    8.006666]  process_one_work+0x419/0x760
[    8.006922]  worker_thread+0x2a2/0x6f0
[    8.007429]  kthread+0x160/0x190
[    8.007946]  ret_from_fork+0x1f/0x30
[    8.008181]  &lt;/TASK&gt;

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang &lt;cc85nod@gmail.com&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
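Added example, not code from the commit above or from ksmbd: a Python walker for the SMB2 CREATE request's create-context chain (layout per MS-SMB2 2.2.13.2) that looks a context up by tag. It models the kernel's tag constants as neighbouring bytes in one read-only buffer so that comparing NameLength bytes without first checking NameLength against the tag length shows both of its effects, a read past the tag and an accidental match on the neighbouring constant. The tag table, the memcmp model, the request builder and all function names are constructed for the illustration.

```python
# Added example, not ksmbd code. Walks an SMB2 create-context chain
# (MS-SMB2 2.2.13.2) and looks a context up by tag, with the NameLength
# versus tag-length check that the commit above adds. Names are mine.

CTX_HDR = 16  # Next(4) NameOffset(2) NameLength(2) Reserved(2) DataOffset(2) DataLength(4)


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def pad8(n):
    return (n + 7) // 8 * 8


def build_contexts(items):
    """Constructed input: encode [(name, data), ...] as a create-context chain."""
    out = bytearray()
    for i, (name, data) in enumerate(items):
        name_off = CTX_HDR
        data_off = pad8(name_off + len(name)) if data else 0
        body_len = data_off + len(data) if data else name_off + len(name)
        ctx = bytearray(pad8(body_len))
        nxt = len(ctx) if i + 1 != len(items) else 0  # Next is 0 on the last context
        ctx[0:4] = nxt.to_bytes(4, "little")
        ctx[4:6] = name_off.to_bytes(2, "little")
        ctx[6:8] = len(name).to_bytes(2, "little")
        ctx[10:12] = data_off.to_bytes(2, "little")
        ctx[12:16] = len(data).to_bytes(4, "little")
        ctx[name_off:name_off + len(name)] = name
        if data:
            ctx[data_off:data_off + len(data)] = data
        out += ctx
    return bytes(out)


def iter_contexts(blob):
    """Yield (name, data) per context, rejecting any offset or length that
    leaves the request buffer or the context it belongs to."""
    off = 0
    while True:
        if off + CTX_HDR > len(blob):
            raise ValueError("context header runs past the request")
        nxt = u32(blob, off)
        name_off, name_len = u16(blob, off + 4), u16(blob, off + 6)
        data_off, data_len = u16(blob, off + 10), u32(blob, off + 12)
        end = len(blob) if nxt == 0 else off + nxt
        if end > len(blob) or (nxt != 0 and CTX_HDR > nxt):
            raise ValueError("Next points outside the request or backwards")
        if name_off + name_len > end - off:
            raise ValueError("name runs past its context")
        if data_len and data_off + data_len > end - off:
            raise ValueError("data runs past its context")
        yield (blob[off + name_off:off + name_off + name_len],
               blob[off + data_off:off + data_off + data_len])
        if nxt == 0:
            return
        off += nxt


# Model of the kernel's tag constants: adjacent string literals in one
# read-only buffer, addressed as (offset, length). Constructed, not .rodata.
RODATA = b"DHnQ" + b"DH2Q" + b"RqLs" + b"AlSi"
TAGS = {"DHnQ": (0, 4), "DH2Q": (4, 4), "RqLs": (8, 4), "AlSi": (12, 4)}


def memcmp_tag(name, tag_off, n):
    """memcmp(name, tag, n) against RODATA; reading past it is the OOB read."""
    if tag_off + n > len(RODATA):
        raise IndexError("global-out-of-bounds: %d bytes read at tag offset %d"
                         % (n, tag_off))
    return name[:n] == RODATA[tag_off:tag_off + n]


def find_context(blob, tag, check_tag_len=True):
    """Return the data of the context named `tag`, or None.

    check_tag_len=False is the pre-fix comparison: the client-supplied
    NameLength alone bounds the memcmp, so a long name reads past the tag
    (and can even match the neighbouring constant by accident)."""
    tag_off, tag_len = TAGS[tag]
    for name, data in iter_contexts(blob):
        if check_tag_len and len(name) != tag_len:
            continue
        if memcmp_tag(name, tag_off, len(name)):
            return data
    return None


def demo():
    """Three requests: a normal one, one whose 8-byte name spills into the
    next tag, and one whose 8-byte name reads past the end of the table."""
    good = build_contexts([(b"DHnQ", bytes(16)), (b"AlSi", bytes(8))])
    spill = build_contexts([(b"DHnQDH2Q", b"\x01")])
    past = build_contexts([(b"AlSiXXXX", b"")])
    results = {
        "good": find_context(good, "AlSi"),
        "spill_fixed": find_context(spill, "DHnQ"),
        "spill_prefix": find_context(spill, "DHnQ", check_tag_len=False),
        "past_fixed": find_context(past, "AlSi"),
    }
    try:
        find_context(past, "AlSi", check_tag_len=False)
        results["past_prefix"] = "no error"
    except IndexError as e:
        results["past_prefix"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The length comparison has to come first: once NameLength equals the tag length, memcmp can read at most the tag itself, whatever the client put in the name.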
<entry>
<title>Merge tag '6.4-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6</title>
<updated>2023-05-07T17:46:21Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2023-05-07T17:46:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=63342b1dd5f884d97b41b0cd04fae01a69e0a762'/>
<id>urn:sha1:63342b1dd5f884d97b41b0cd04fae01a69e0a762</id>
<content type='text'>
Pull cifs fixes from Steve French:
 "smb3 client fixes, mostly DFS or reconnect related:

   - Two DFS connection sharing fixes

   - DFS refresh fix

   - Reconnect fix

   - Two potential use after free fixes

   - Also print prefix patch in mount debug msg

   - Two small cleanup fixes"

* tag '6.4-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Remove unneeded semicolon
  cifs: fix sharing of DFS connections
  cifs: avoid potential races when handling multiple dfs tcons
  cifs: protect access of TCP_Server_Info::{origin,leaf}_fullpath
  cifs: fix potential race when tree connecting ipc
  cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
  cifs: print smb3_fs_context::source when mounting
  cifs: protect session status check in smb2_reconnect()
  SMB3.1.1: correct definition for app_instance_id create contexts
</content>
</entry>
<entry>
<title>Merge tag '6.4-rc-ksmbd-server-fixes-part2' of git://git.samba.org/ksmbd</title>
<updated>2023-05-06T02:16:58Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2023-05-06T02:16:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=2e1e1337881b0e9844d687982aa54b31b1269b11'/>
<id>urn:sha1:2e1e1337881b0e9844d687982aa54b31b1269b11</id>
<content type='text'>
Pull ksmbd server fixes from Steve French:
 "Ten ksmbd server fixes, including some important security fixes:

   - Two use after free fixes

   - Fix RCU callback race

   - Deadlock fix

   - Three patches to prevent session setup attacks

   - Prevent guest users from establishing multichannel sessions

   - Fix null pointer dereference in query FS info

   - Memleak fix"

* tag '6.4-rc-ksmbd-server-fixes-part2' of git://git.samba.org/ksmbd:
  ksmbd: call rcu_barrier() in ksmbd_server_exit()
  ksmbd: fix racy issue under concurrent smb2 tree disconnect
  ksmbd: fix racy issue from smb2 close and logoff with multichannel
  ksmbd: not allow guest user on multichannel
  ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
  ksmbd: block asynchronous requests when making a delay on session setup
  ksmbd: destroy expired sessions
  ksmbd: fix racy issue from session setup and logoff
  ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()
  ksmbd: fix memleak in session setup
</content>
</entry>
<entry>
<title>ksmbd: call rcu_barrier() in ksmbd_server_exit()</title>
<updated>2023-05-04T04:03:02Z</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2023-05-02T23:51:51Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=eb307d09fe15844fdaebeb8cc8c9b9e925430aa5'/>
<id>urn:sha1:eb307d09fe15844fdaebeb8cc8c9b9e925430aa5</id>
<content type='text'>
A racy issue is triggered by racing between closing a connection
and rmmod. In ksmbd, rcu_barrier() is not called at module unload time,
so nothing prevents ksmbd from getting unloaded while it still has RCU
callbacks pending. This leads to unintended execution of kernel
code locally and can be used to defeat protections such as Kernel Lockdown.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20477
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: fix racy issue under concurrent smb2 tree disconnect</title>
<updated>2023-05-04T04:03:02Z</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2023-05-02T23:51:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=30210947a343b6b3ca13adc9bfc88e1543e16dd5'/>
<id>urn:sha1:30210947a343b6b3ca13adc9bfc88e1543e16dd5</id>
<content type='text'>
There is a UAF issue under concurrent smb2 tree disconnect.
This patch introduces a TREE_CONN_EXPIRE flag for tcon to avoid concurrent
access.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20592
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: fix racy issue from smb2 close and logoff with multichannel</title>
<updated>2023-05-04T04:03:02Z</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2023-05-03T05:03:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=abcc506a9a71976a8b4c9bf3ee6efd13229c1e19'/>
<id>urn:sha1:abcc506a9a71976a8b4c9bf3ee6efd13229c1e19</id>
<content type='text'>
When an smb client sends concurrent smb2 close and logoff requests
over a multichannel connection, it can cause a racy issue. The logoff request
frees the tcon and can cause UAF issues in smb2 close. When receiving a logoff
request with multichannel, ksmbd should wait until all remaining requests
complete, as well as the ones in the current connection, and then make the
session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
</feed>
