Commit eebff19a authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

ksmbd: fix slab out of bounds write in smb_inherit_dacl()

slab out-of-bounds write is caused by that offsets is bigger than pntsd
allocation size. This patch add the check to validate 3 offsets using
allocation size.

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22271
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 766e9cf3
...@@ -1107,6 +1107,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, ...@@ -1107,6 +1107,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
struct smb_acl *pdacl; struct smb_acl *pdacl;
struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL; struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size; int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
int pntsd_alloc_size;
if (parent_pntsd->osidoffset) { if (parent_pntsd->osidoffset) {
powner_sid = (struct smb_sid *)((char *)parent_pntsd + powner_sid = (struct smb_sid *)((char *)parent_pntsd +
...@@ -1119,9 +1120,10 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, ...@@ -1119,9 +1120,10 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4); pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
} }
pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size + pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size +
pgroup_sid_size + sizeof(struct smb_acl) + pgroup_sid_size + sizeof(struct smb_acl) + nt_size;
nt_size, GFP_KERNEL);
pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL);
if (!pntsd) { if (!pntsd) {
rc = -ENOMEM; rc = -ENOMEM;
goto free_aces_base; goto free_aces_base;
...@@ -1136,6 +1138,27 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, ...@@ -1136,6 +1138,27 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
pntsd->gsidoffset = parent_pntsd->gsidoffset; pntsd->gsidoffset = parent_pntsd->gsidoffset;
pntsd->dacloffset = parent_pntsd->dacloffset; pntsd->dacloffset = parent_pntsd->dacloffset;
if ((u64)le32_to_cpu(pntsd->osidoffset) + powner_sid_size >
pntsd_alloc_size) {
rc = -EINVAL;
kfree(pntsd);
goto free_aces_base;
}
if ((u64)le32_to_cpu(pntsd->gsidoffset) + pgroup_sid_size >
pntsd_alloc_size) {
rc = -EINVAL;
kfree(pntsd);
goto free_aces_base;
}
if ((u64)le32_to_cpu(pntsd->dacloffset) + sizeof(struct smb_acl) + nt_size >
pntsd_alloc_size) {
rc = -EINVAL;
kfree(pntsd);
goto free_aces_base;
}
if (pntsd->osidoffset) { if (pntsd->osidoffset) {
struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd + struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd +
le32_to_cpu(pntsd->osidoffset)); le32_to_cpu(pntsd->osidoffset));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment