CVE fixes: CVE-2023-32255 CVE-2023-32248
*** BLURB HERE ***
Namjae Jeon (2): ksmbd: fix memleak in session setup ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()
fs/ksmbd/smb2pdu.c | 7 +++++++ 1 file changed, 7 insertions(+)
From: Namjae Jeon linkinjeon@kernel.org
mainline inclusion from mainline-v6.4-rc1 commit 6d7cb549c2ca20e1f07593f15e936fd54b763028 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FG3 CVE: CVE-2023-32255
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If client send session setup request with unknown NTLMSSP message type, session that does not included channel can be created. It will cause session memleak. because ksmbd_sessions_deregister() does not destroy session if channel is not included. This patch return error response if client send the request unknown NTLMSSP message type.
Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593 Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 15b7f876cb01..038ca5d0eeef 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1801,6 +1801,10 @@ int smb2_sess_setup(struct ksmbd_work *work) } kfree(sess->Preauth_HashValue); sess->Preauth_HashValue = NULL; + } else { + pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", + le32_to_cpu(negblob->MessageType)); + rc = -EINVAL; } } else { /* TODO: need one more negotiation */
From: Namjae Jeon linkinjeon@kernel.org
mainline inclusion from mainline-v6.4-rc1 commit 3ac00a2ab69b34189942afa9e862d5170cdcb018 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FF8 CVE: CVE-2023-32248
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If share is , share->path is NULL and it cause NULL pointer dereference issue.
Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20479 Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com --- fs/ksmbd/smb2pdu.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 038ca5d0eeef..18e176fcddf0 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -4867,6 +4867,9 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work, int rc = 0, len; int fs_infoclass_size = 0;
+ if (!share->path) + return -EIO; + rc = kern_path(share->path, LOOKUP_NO_SYMLINKS, &path); if (rc) { pr_err("cannot create vfs path\n");