Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom/fs/smb/server?h=master 2024-12-05T01:45:28Z 2024-12-05T01:45:28Z Norbert Szetei norbert@doyensec.com 2024-11-30T15:56:14Z urn:sha1:06a025448b572c3bd78dd23a31488a0907cd9512 The aux_payload_buf allocation in SMB2 read is performed without ensuring alignment, which could result in out-of-bounds (OOB) reads during cryptographic operations such as crypto_xor or ghash. This patch aligns the allocation of aux_payload_buf to prevent these issues. (Note that to add this patch to stable would require modifications due to recent patch "ksmbd: use __GFP_RETRY_MAYFAIL") Signed-off-by: Norbert Szetei <norbert@doyensec.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-12-01T23:31:19Z Jordy Zomer jordyzomer@google.com 2024-11-28T00:33:25Z urn:sha1:313dab082289e460391c82d855430ec8a28ddf81 An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-12-01T23:31:19Z Jordy Zomer jordyzomer@google.com 2024-11-28T00:32:45Z urn:sha1:fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-12-01T23:31:19Z Brahmajit Das brahmajit.xyz@gmail.com 2024-11-26T06:11:35Z urn:sha1:e18655cf35a5958fbf4ae9ca3ebf28871a3a1801 GCC 15 introduces -Werror=unterminated-string-initialization by default, this results in the following build error fs/smb/server/smb_common.c:21:35: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-ini tialization] 21 | static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%"; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors To this we are replacing char basechars[43] with a character pointer and then using strlen to get the length. Signed-off-by: Brahmajit Das <brahmajit.xyz@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:27Z Yunseong Kim yskelg@gmail.com 2024-11-25T07:45:55Z urn:sha1:9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked This race condition arises as follows: - `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero: `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);` - Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`. - However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line: `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)` This results in a UAF, as `conn` has already been freed. The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests. Link: https://github.com/google/syzkaller/pull/5524 Fixes: ee426bfb9d09 ("ksmbd: add refcnt to ksmbd_conn struct") Cc: linux-cifs@vger.kernel.org Cc: stable@vger.kernel.org # v6.6.55+, v6.10.14+, v6.11.3+ Cc: syzkaller@googlegroups.com Signed-off-by: Yunseong Kim <yskelg@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:27Z Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:15:20Z urn:sha1:db5f8243067f87138888a6842acbce5340d1626c We need to know how many pending requests are left at the end of server shutdown. That means we need to know how long the server will wait to process pending requests in case of a server shutdown. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:27Z Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:14:37Z urn:sha1:5f3f274e2ce68999b49901de4794c4b04125b154 Add netdev-up/down event debug print to find what netdev is connected or disconnected. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:27Z Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:13:53Z urn:sha1:e333e77638b3cc8b591664a1e8718a267466f974 Add debug prints to know what smb2 requests were received. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:27Z Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:13:04Z urn:sha1:fc61a5db2dfbdeebc7c11f70ed4db58d7c20b976 Add debug print to know if netdevice is RDMA-capable network adapter. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:26Z Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:16:00Z urn:sha1:f75f8bdd4ff4830abe31a1b94892eb12b85b9535 use msleep instaed of schedule_timeout_interruptible() to guarantee the task delays as expected. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>