[PATCH 0/2] Two CVE fixes of ksmbd - Kernel - mailweb.openeuler.org

newer
[PATCH OLK-5.10 0/2] Two CVE fixes...

[PATCH 0/2] Two CVE fixes of ksmbd

older
[PATCH] Add...

ZhaoLong Wang

27 Jun 2023 27 Jun '23

9:53 p.m.

CVE fixes: CVE-2023-32255 CVE-2023-32248 *** BLURB HERE *** Namjae Jeon (2): ksmbd: fix memleak in session setup ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem() fs/ksmbd/smb2pdu.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.31.1

Reply

Sign in to reply online Use email software

Show replies by date

ZhaoLong Wang

27 Jun 27 Jun

9:53 p.m.

New subject: [PATCH 1/2] ksmbd: fix memleak in session setup

From: Namjae Jeon <linkinjeon@kernel.org> mainline inclusion from mainline-v6.4-rc1 commit 6d7cb549c2ca20e1f07593f15e936fd54b763028 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FG3 CVE: CVE-2023-32255 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- If client send session setup request with unknown NTLMSSP message type, session that does not included channel can be created. It will cause session memleak. because ksmbd_sessions_deregister() does not destroy session if channel is not included. This patch return error response if client send the request unknown NTLMSSP message type. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com> --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 15b7f876cb01..038ca5d0eeef 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1801,6 +1801,10 @@ int smb2_sess_setup(struct ksmbd_work *work) } kfree(sess->Preauth_HashValue); sess->Preauth_HashValue = NULL; + } else { + pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", + le32_to_cpu(negblob->MessageType)); + rc = -EINVAL; } } else { /* TODO: need one more negotiation */ -- 2.31.1

Reply

Sign in to reply online Use email software

ZhaoLong Wang

9:53 p.m.

New subject: [PATCH 2/2] ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()

From: Namjae Jeon <linkinjeon@kernel.org> mainline inclusion from mainline-v6.4-rc1 commit 3ac00a2ab69b34189942afa9e862d5170cdcb018 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FF8 CVE: CVE-2023-32248 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- If share is , share->path is NULL and it cause NULL pointer dereference issue. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20479 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com> --- fs/ksmbd/smb2pdu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 038ca5d0eeef..18e176fcddf0 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -4867,6 +4867,9 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work, int rc = 0, len; int fs_infoclass_size = 0; + if (!share->path) + return -EIO; + rc = kern_path(share->path, LOOKUP_NO_SYMLINKS, &path); if (rc) { pr_err("cannot create vfs path\n"); -- 2.31.1

Reply

Sign in to reply online Use email software

609

Age (days ago)

609

Last active (days ago)

2 comments

1 participants

tags

participants (1)

ZhaoLong Wang