[PATCH OLK-5.10] ksmbd: validate smb request protocol id - Kernel

27 Jul 2023

From: Namjae Jeon linkinjeon@kernel.org
mainline inclusion
from mainline-v6.4-rc6
commit 1c1bcf2d3ea061613119b534f57507c377df20f9
category: bugfix
bugzilla: 189016, https://gitee.com/openeuler/kernel/issues/I7LU2S
CVE: CVE-2023-38430
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id...
----------------------------------------
This patch add the validation for smb request protocol id.
If it is not one of the four ids(SMB1_PROTO_NUMBER, SMB2_PROTO_NUMBER,
SMB2_TRANSFORM_PROTO_NUM, SMB2_COMPRESSION_TRANSFORM_ID), don't allow
processing the request. And this will fix the following KASAN warning
also.
[   13.905265] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1b9/0x1f0
[   13.905900] Read of size 16 at addr ffff888005fd2f34 by task kworker/0:2/44
...
[   13.908553] Call Trace:
[   13.908793]  <TASK>
[   13.908995]  dump_stack_lvl+0x33/0x50
[   13.909369]  print_report+0xcc/0x620
[   13.910870]  kasan_report+0xae/0xe0
[   13.911519]  kasan_check_range+0x35/0x1b0
[   13.911796]  init_smb2_rsp_hdr+0x1b9/0x1f0
[   13.912492]  handle_ksmbd_work+0xe5/0x820
Cc: stable@vger.kernel.org
Reported-by: Chih-Yen Chang cc85nod@gmail.com
Signed-off-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Conflict:
    fs/ksmbd/connection.c
Signed-off-by: Li Nan linan122@huawei.com
---
 fs/ksmbd/connection.c |  5 +++--
 fs/ksmbd/smb_common.c | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 8e15ec9e8f43..4e9ce05374a3 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -315,8 +315,6 @@ int ksmbd_conn_handler_loop(void *p)
    		continue;
memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
-		if (!ksmbd_smb_request(conn))
-			break;
/*
    	 * We already read 4 bytes to find out PDU size, now
@@ -334,6 +332,9 @@ int ksmbd_conn_handler_loop(void *p)
    		continue;
    	}
+		if (!ksmbd_smb_request(conn))
+			break;
+
    	if (!default_conn_ops.process_fn) {
    		pr_err("No connection request callback\n");
    		break;
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 8ea2cdda0984..ff2e738ae7ac 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -156,7 +156,19 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
  */
 bool ksmbd_smb_request(struct ksmbd_conn *conn)
 {
-	return conn->request_buf[0] == 0;
+	__le32 *proto = (__le32 *)smb2_get_msg(conn->request_buf);
+
+	if (*proto == SMB2_COMPRESSION_TRANSFORM_ID) {
+		pr_err_ratelimited("smb2 compression not support yet");
+		return false;
+	}
+
+	if (*proto != SMB1_PROTO_NUMBER &&
+	    *proto != SMB2_PROTO_NUMBER &&
+	    *proto != SMB2_TRANSFORM_PROTO_NUM)
+		return false;
+
+	return true;
 }
static bool supported_protocol(int idx)
-- 
2.39.2


    