[openEuler-22.03-LTS-SP1] ksmbd: fix wrong DataOffset validation of create context

From: Namjae Jeon <linkinjeon@kernel.org> mainline inclusion from mainline-v6.6-rc1 commit 17d5b135bb720832364e8f55f6a887a3c7ec8fdb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAAVBH CVE: CVE-2023-4458 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- If ->DataOffset of create context is 0, DataBuffer size is not correctly validated. This patch change wrong validation code and consider tag length in request. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/ksmbd/oplock.c fs/smb/server/oplock.c [oplock.c hasn't moved from fs/ksmbd to fs/smb/server.] Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com> --- fs/ksmbd/oplock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c index fc5b2137002f..6df455a54b70 100644 --- a/fs/ksmbd/oplock.c +++ b/fs/ksmbd/oplock.c @@ -1488,7 +1488,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag, i name_len < 4 || name_off + name_len > cc_len || (value_off & 0x7) != 0 || - (value_off && (value_off < name_off + name_len)) || + (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) || ((u64)value_off + value_len > cc_len)) return ERR_PTR(-EINVAL); -- 2.25.1
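Review bot: in the changed condition of smb2_find_context_vals(), the literal 8 in `name_off + (name_len < 8 ? 8 : name_len)` is unexplained. A short comment or a named constant stating why a name shorter than 8 bytes still reserves 8 bytes ahead of the value would make the bound auditable, and the open-coded ternary could be written with max(). Also, because the test is now keyed on value_len rather than value_off, a context with value_len == 0 no longer has value_off compared against the name region at all; only the alignment test and the `(u64)value_off + value_len > cc_len` bound still apply. The commit message mentions only the DataOffset == 0 case, so it is worth stating there that a zero-length value is intentionally exempt and that callers must not read the value area when value_len is 0.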