ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob

mainline inclusion from mainline-v6.2-rc4 commit 797805d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6A0GH CVE: CVE-2023-0210 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=797805d81baa814f76cf7bdab35f86408a79d707 -------------------------------- "nt_len - CIFS_ENCPWD_SIZE" is passed directly from ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative number (or large unsigned value) used for a subsequent memcpy in ksmbd_auth_ntlvm2 and can cause a panic. Fixes: e2f34481 ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: N William Liu <will@willsroot.io> Signed-off-by: N Hrvoje Mišetić <misetichrvoje@gmail.com> Acked-by: N Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: N Steve French <stfrench@microsoft.com> Signed-off-by: N Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
mainline inclusion from mainline-v6.2-rc4 commit 797805d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6A0GH CVE: CVE-2023-0210 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=797805d81baa814f76cf7bdab35f86408a79d707 -------------------------------- "nt_len - CIFS_ENCPWD_SIZE" is passed directly from ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative number (or large unsigned value) used for a subsequent memcpy in ksmbd_auth_ntlvm2 and can cause a panic. Fixes: e2f34481 ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: N William Liu <will@willsroot.io> Signed-off-by: N Hrvoje Mišetić <misetichrvoje@gmail.com> Acked-by: N Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: N Steve French <stfrench@microsoft.com> Signed-off-by: N Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
3c316171 · William Liu · Zheng Zengkai · 056e261b · 3c316171
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

fs/ksmbd/auth.c fs/ksmbd/auth.c +2 -1

未找到文件。
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -321,7 +321,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
 	dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
 	dn_len = le16_to_cpu(authblob->DomainName.Length);

-	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
+	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
+	    nt_len < CIFS_ENCPWD_SIZE)
 		return -EINVAL;

 	/* TODO : use domain name that imported from configuration file */