cifs: do not include page data when checking signature

stable inclusion from stable-v4.19.271 commit 19f0577dd34b250e1595f8dd577d9c2b6c1dc85d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DPF8 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.271&id=19f0577dd34b250e1595f8dd577d9c2b6c1dc85d -------------------------------- commit 30b2b219 upstream. On async reads, page data is allocated before sending. When the response is received but it has no data to fill (e.g. STATUS_END_OF_FILE), __calc_signature() will still include the pages in its computation, leading to an invalid signature check. This patch fixes this by not setting the async read smb_rqst page data (zeroed by default) if its got_bytes is 0. This can be reproduced/verified with xfstests generic/465. Cc: <stable@vger.kernel.org> Signed-off-by: N Enzo Matsumiya <ematsumiya@suse.de> Reviewed-by: N Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: N Steve French <stfrench@microsoft.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflict: fs/cifs/smb2pdu.c Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

cifs: do not include page data when checking signature
stable inclusion from stable-v4.19.271 commit 19f0577dd34b250e1595f8dd577d9c2b6c1dc85d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DPF8 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.271&id=19f0577dd34b250e1595f8dd577d9c2b6c1dc85d -------------------------------- commit 30b2b219 upstream. On async reads, page data is allocated before sending. When the response is received but it has no data to fill (e.g. STATUS_END_OF_FILE), __calc_signature() will still include the pages in its computation, leading to an invalid signature check. This patch fixes this by not setting the async read smb_rqst page data (zeroed by default) if its got_bytes is 0. This can be reproduced/verified with xfstests generic/465. Cc: <stable@vger.kernel.org> Signed-off-by: N Enzo Matsumiya <ematsumiya@suse.de> Reviewed-by: N Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: N Steve French <stfrench@microsoft.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflict: fs/cifs/smb2pdu.c Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
38116603 · Enzo Matsumiya · Yongqiang Liu · 40124251 · 38116603
隐藏空白更改
内联并排

Showing with 9 addition and 6 deletion

fs/cifs/smb2pdu.c fs/cifs/smb2pdu.c +9 -6

未找到文件。
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3154,12 +3154,15 @@ smb2_readv_callback(struct mid_q_entry *mid)
 				(struct smb2_sync_hdr *)rdata->iov[0].iov_base;
 	unsigned int credits_received = 0;
 	struct smb_rqst rqst = { .rq_iov = rdata->iov,
-				 .rq_nvec = 2,
+				 .rq_nvec = 2, };
-				 .rq_pages = rdata->pages,
-				 .rq_offset = rdata->page_offset,
+	if (rdata->got_bytes) {
-				 .rq_npages = rdata->nr_pages,
+		rqst.rq_pages = rdata->pages;
-				 .rq_pagesz = rdata->pagesz,
+		rqst.rq_offset = rdata->page_offset;
-				 .rq_tailsz = rdata->tailsz };
+		rqst.rq_npages = rdata->nr_pages;
+		rqst.rq_pagesz = rdata->pagesz;
+		rqst.rq_tailsz = rdata->tailsz;
+	}
 	cifs_dbg(FYI, "%s: mid=%llu state=%d result=%d bytes=%u\n",
 		 __func__, mid->mid, mid->mid_state, rdata->result,