- 25 Nov, 2022 40 commits
-
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc7 commit bf8acc9e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/bf8acc9e10e2 ------------------------------- * Requests except READ, WRITE, IOCTL, INFO, QUERY DIRECTORY, CANCEL must consume one credit. * If client's granted credits are insufficient, refuse to handle requests. * Windows server 2016 or later grant up to 8192 credits to clients at once. Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc7 commit f7db8fd0 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/f7db8fd03a4b ------------------------------- Add validation for request/response buffer size check in smb2_ioctl and fsctl_copychunk() take copychunk_ioctl_req pointer and the other arguments instead of smb2_ioctl_req structure and remove an unused smb2_ioctl_req argument of fsctl_validate_negotiate_info. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit 64e78755 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/64e787556027 ------------------------------- Marios reported kernel oops from fuse driver when ksmbd calls mark_inode_dirty(). This patch directly updates ->i_ctime after removing mark_inode_dirty() and notify_change will put inode to dirty list. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Hyunchul Lee <hyc.lee@gmail.com> Reported-by: Marios Makassikis <mmakassikis@freebox.fr> Tested-by: Marios Makassikis <mmakassikis@freebox.fr> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit 2db72604 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/2db72604f3ea ------------------------------- Fix version mismatch with out of tree. This updated version will be matched with ksmbd-tools. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Cc: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit c7705eec category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/c7705eec78c9 ------------------------------- Tom suggested to use buf_data_size that is already calculated, to verify these offsets. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Suggested-by: Tom Talpey <tom@talpey.com> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit 51a13873 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/51a1387393d9 ------------------------------- Although ksmbd doesn't send SMB2.0 support in supported dialect list of smb negotiate response, there is the leftover of smb2.0 dialect. This patch removes it not to support SMB2.0 in ksmbd. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit c2e99d47 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/c2e99d479737 ------------------------------- When invalid data offset and data length in request, ksmbd_smb2_check_message checks strictly and doesn't allow to process such requests. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Reviewed-by: Ralph Boehme <slow@samba.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc5 commit 36399990 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/363999901116 ------------------------------- This patch adds MAX_STREAM_PROT_LEN macro and checks if stream protocol length exceeds maximum value. Opencode pdu size check in ksmbd_pdu_size_has_room(). Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Dan Carpenter
mainline inclusion from mainline-5.15-rc4 commit 87ffb310 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/87ffb310d5e8 ------------------------------- The kmalloc() does not have a NULL check. This code can be re-written slightly cleaner to just use the kstrdup(). Fixes: 265fd199 ("ksmbd: use LOOKUP_BENEATH to prevent the out of share access") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit 4227f811 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/4227f811cdeb ------------------------------- Validate that the transform and smb request headers are present before checking OriginalMessageSize and SessionId fields. Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Tom Talpey <tom@talpey.com> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc4 commit 8f77150c category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/8f77150c15f8 ------------------------------- Add buffer validation for SMB2_CREATE_CONTEXT. Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Reviewed-by: Ralph Boehme <slow@samba.org> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit 442ff9eb category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/442ff9ebeb01 ------------------------------- This patch adds validation to check request buffer check in smb2 negotiate and fixes null pointer dereferencing oops in smb3_preauth_hash_rsp() that found from manual test. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Hyunchul Lee <hyc.lee@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Ralph Boehme <slow@samba.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit 9496e268 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/9496e268e3af ------------------------------- Add buffer validation in smb2_set_info, and remove unused variable in set_file_basic_info. And smb2_set_info infolevel functions take structure pointer argument. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Reviewed-by: Ralph Boehme <slow@samba.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit 88d30052 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/88d300522cbb ------------------------------- Use correct basic info level in set/get_file_basic_info(). Reviewed-by: Ralph Boehme <slow@samba.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit ce812992 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/ce812992f239 ------------------------------- Remove insecure NTLMv1 authentication. Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Reviewed-by: Tom Talpey <tom@talpey.com> Acked-by: Steve French <smfrench@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Enzo Matsumiya
mainline inclusion from mainline-5.15-rc4 commit 1018bf24 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/1018bf24550f ------------------------------- ksmbd_kthread_fn() and create_socket() returns 0 or error code, and not task_struct/ERR_PTR. Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc4 commit d72a9c15 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/d72a9c158893 ------------------------------- Ronnie reported invalid request buffer access in chained command when inserting garbage value to NextCommand of compound request. This patch adds validation check to avoid this issue. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Tested-by: Steve French <smfrench@gmail.com> Reviewed-by: Steve French <smfrench@gmail.com> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Ronnie Sahlberg
mainline inclusion from mainline-5.15-rc4 commit 18d46769 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/18d46769d54a ------------------------------- In smb_common.c you have this function : ksmbd_smb_request() which is called from connection.c once you have read the initial 4 bytes for the next length+smb2 blob. It checks the first byte of this 4 byte preamble for valid values, i.e. a NETBIOSoverTCP SESSION_MESSAGE or a SESSION_KEEP_ALIVE. We don't need to check this for ksmbd since it only implements SMB2 over TCP port 445. The netbios stuff was only used in very old servers when SMB ran over TCP port 139. Now that we run over TCP port 445, this is actually not a NB header anymore and you can just treat it as a 4 byte length field that must be less than 16Mbyte, and remove the references to the RFC1002 constants that no longer apply. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc3 commit 265fd199 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/265fd1991c1d ------------------------------- Instead of removing '..' in a given path, call kern_path with LOOKUP_BENEATH flag to prevent the out of share access. Ran various tests on this: smb2-cat-async smb://127.0.0.1/homes/../out_of_share smb2-cat-async smb://127.0.0.1/homes/foo/../../out_of_share smbclient //127.0.0.1/homes -c "mkdir ../foo2" smbclient //127.0.0.1/homes -c "rename bar ../bar" Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Boehme <slow@samba.org> Tested-by: Steve French <smfrench@gmail.com> Tested-by: Namjae Jeon <linkinjeon@kernel.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc3 commit 4ea47798 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/4ea477988c42 ------------------------------- Use LOOKUP_NO_SYMLINKS flags for default lookup to prohibit the middle of symlink component lookup and remove follow symlinks parameter support. We re-implement it as reparse point later. Test result: smbclient -Ulinkinjeon%1234 //172.30.1.42/share -c "get hacked/passwd passwd" NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \hacked\passwd Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc3 commit 18a015bc category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/18a015bccf9e ------------------------------- When second smb2 pdu has invalid protocol id, ksmbd doesn't detect it and allows to process smb2 request. This patch adds the check for it in ksmbd_verify_smb_message() and doesn't use protocol id of smb2 request as protocol id of response. Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> Reviewed-by: Ralph Böhme <slow@samba.org> Reported-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc3 commit 9f632331 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/9f6323311c70 ------------------------------- Windows client expects to get default stream name(::DATA) in FILE_STREAM_INFORMATION response even if there is no stream data in file. This patch fixes update failure when writing ppt or doc files. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-By: Tom Talpey <tom@talpey.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Steve French
mainline inclusion from mainline-5.15-rc3 commit e44fd508 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/e44fd5081c50 ------------------------------- While we are working through detailed security reviews of ksmbd server code we should remind users that it is an experimental module by adding a warning when the module loads. Currently the module shows as experimental in Kconfig and is disabled by default, but we don't want to confuse users. Although ksmbd passes a wide variety of the important functional tests (since initial focus had been largely on functional testing such as smbtorture, xfstests etc.), and ksmbd has added key security features (e.g. GCM256 encryption, Kerberos support), there are ongoing detailed reviews of the code base for path processing and network buffer decoding, and this patch reminds users that the module should be considered "experimental." Reviewed-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc3 commit 6d56262c category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/6d56262c3d22 ------------------------------- Add validation to check whether req->InputBufferLength is smaller than smb2_ea_info_req structure size. Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc3 commit f58eae6c category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/f58eae6c5fa8 ------------------------------- Because of .., files outside the share directory could be accessed. To prevent this, normalize the given path and remove all . and .. components. In addition to the usual large set of regression tests (smbtorture and xfstests), ran various tests on this to specifically check path name validation including libsmb2 tests to verify path normalization: ./examples/smb2-ls-async smb://172.30.1.15/homes2/../ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../../ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/..bar/ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar../ ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar.. ./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar../../../../ Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Mike Galbraith
mainline inclusion from mainline-5.15-rc3 commit a9b3043d category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/a9b3043de47b ------------------------------- rwlock.h specifically asks to not be included directly. In fact, the proper spinlock.h include isn't needed either, it comes with the huge pile that kthread.h ends up pulling in, so just drop it entirely. Signed-off-by: Mike Galbraith <efault@gmx.de> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit 4ffd5264 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/4ffd5264e8ec ------------------------------- Addresses-Coverity reported Uninitialized variables warning: /fs/ksmbd/smb2pdu.c: 5525 in set_file_basic_info() 5519 if (!rc) { 5520 inode->i_ctime = ctime; 5521 mark_inode_dirty(inode); 5522 } 5523 inode_unlock(inode); 5524 } >>> CID 1506805: Uninitialized variables (UNINIT) >>> Using uninitialized value "rc". 5525 return rc; 5526 } 5527 5528 static int set_file_allocation_info(struct ksmbd_work *work, 5529 struct ksmbd_file *fp, char *buf) 5530 { Addresses-Coverity: ("Uninitialized variable") Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit 687c59e7 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/687c59e702f4 ------------------------------- ksmbd_file_table_flush is a leftover from SMB1. This function is no longer needed as SMB1 has been removed from ksmbd. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc1 commit 72d6cbb5 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/72d6cbb533d4 ------------------------------- Because smb direct header is mapped and msg->num_sge already is incremented, the decrement should be removed from the condition. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Per Forlin
mainline inclusion from mainline-5.15-rc1 commit d475866e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/d475866eeed8 ------------------------------- This log happens on servers with a network bridge since the bridge does not have a specified link speed. This is not a real error so change the error log to debug instead. Signed-off-by: Per Forlin <perfn@axis.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Christian Brauner
mainline inclusion from mainline-5.15-rc1 commit db7fb6fe category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/db7fb6fe3d7a ------------------------------- Permission checking and copying over ownership information is the task of the underlying filesystem not ksmbd. The order is also wrong here. This modifies the inode before notify_change(). If notify_change() fails this will have changed ownership nonetheless. All of this is unnecessary though since the underlying filesystem's ->setattr handler will do all this (if required) by itself. Cc: Steve French <stfrench@microsoft.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Namjae Jeon <namjae.jeon@samsung.com> Cc: Hyunchul Lee <hyc.lee@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: linux-cifs@vger.kernel.org Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Christian Brauner
mainline inclusion from mainline-5.15-rc1 commit eb5784f0 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/eb5784f0c6ef ------------------------------- It seems the error was accidentally ignored until now. Make sure it is surfaced. Cc: Steve French <stfrench@microsoft.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Namjae Jeon <namjae.jeon@samsung.com> Cc: Hyunchul Lee <hyc.lee@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: linux-cifs@vger.kernel.org Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit 7d5d8d71 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/7d5d8d715689 ------------------------------- Dan reported __write_overflow warning in ndr_read_string. CC [M] fs/ksmbd/ndr.o In file included from ./include/linux/string.h:253, from ./include/linux/bitmap.h:11, from ./include/linux/cpumask.h:12, from ./arch/x86/include/asm/cpumask.h:5, from ./arch/x86/include/asm/msr.h:11, from ./arch/x86/include/asm/processor.h:22, from ./arch/x86/include/asm/cpufeature.h:5, from ./arch/x86/include/asm/thread_info.h:53, from ./include/linux/thread_info.h:60, from ./arch/x86/include/asm/preempt.h:7, from ./include/linux/preempt.h:78, from ./include/linux/spinlock.h:55, from ./include/linux/wait.h:9, from ./include/linux/wait_bit.h:8, from ./include/linux/fs.h:6, from fs/ksmbd/ndr.c:7: In function memcpy, inlined from ndr_read_string at fs/ksmbd/ndr.c:86:2, inlined from ndr_decode_dos_attr at fs/ksmbd/ndr.c:167:2: ./include/linux/fortify-string.h:219:4: error: call to __write_overflow declared with attribute error: detected write beyond size of object __write_overflow(); ^~~~~~~~~~~~~~~~~~ This seems to be a false alarm because hex_attr size is always smaller than n->length. This patch fixes this warning by allocating hex_attr with n->length. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit e70e392f category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/e70e392fa768 ------------------------------- When commanding chmod and chown on cifs&ksmbd, ksmbd allows it without file permissions check. There is code to check it in setattr_prepare. Instead of setting the inode directly, update the mode and uid/gid through notify_change. Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit a9a27d4a category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/a9a27d4ab3de ------------------------------- When there is no dacl in request, ksmbd sends dacl that is converted by using file permission. This patch doesn't set FILE DELETE and FILE_DELETE_CHILD in access mask by default. Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Hyunchul Lee
mainline inclusion from mainline-5.15-rc1 commit 323b1ea1 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/323b1ea10263 ------------------------------- If server shutdown happens in the situation that there are connections, workqueue could be destroyed before queueing disconnect work. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit c6ce2b57 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/c6ce2b5716b0 ------------------------------- Use proper errno instead of -1 in smb2_get_ksmbd_tcon(). Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon
mainline inclusion from mainline-5.15-rc1 commit 5ec3df8e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/5ec3df8e98f5 ------------------------------- Update the comment for smb2_get_ksmbd_tcon(). Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Namjae Jeon on
mainline inclusion
from mainline-5.15-rc1
commit f4228b67
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA

Reference: https://git.kernel.org/torvalds/linux/c/f4228b678b41

-------------------------------

Change data type of function that return only 0 or 1 to boolean.

Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-
Committed by Marios Makassikis on
mainline inclusion
from mainline-5.15-rc1
commit eebff916
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA

Reference: https://git.kernel.org/torvalds/linux/c/eebff916f077

-------------------------------

To negotiate either the SMB2 protocol or SMB protocol, a client must send a SMB_COM_NEGOTIATE message containing the list of dialects it supports, to which the server will respond with either a SMB_COM_NEGOTIATE or a SMB2_NEGOTIATE response.

The current implementation responds with the highest common dialect, rather than looking explicitly for "SMB 2.???" and "SMB 2.002", as indicated in [MS-SMB2]:

  [MS-SMB2] 3.3.5.3.1:
    If the server does not implement the SMB 2.1 or 3.x dialect family, processing MUST continue as specified in 3.3.5.3.2.

    Otherwise, the server MUST scan the dialects provided for the dialect string "SMB 2.???". If the string is not present, continue to section 3.3.5.3.2. If the string is present, the server MUST respond with an SMB2 NEGOTIATE Response as specified in 2.2.4.

  [MS-SMB2] 3.3.5.3.2:
    The server MUST scan the dialects provided for the dialect string "SMB 2.002". If the string is present, the client understands SMB2, and the server MUST respond with an SMB2 NEGOTIATE Response.

This is an issue if a client attempts to negotiate SMB3.1.1 using a SMB_COM_NEGOTIATE, as it will trigger the following NULL pointer dereference:

  8<--- cut here ---
  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  pgd = 1917455e
  [00000000] *pgd=00000000
  Internal error: Oops: 17 [#1] ARM
  CPU: 0 PID: 60 Comm: kworker/0:1 Not tainted 5.4.60-00027-g0518c02b5c5b #35
  Hardware name: Marvell Kirkwood (Flattened Device Tree)
  Workqueue: ksmbd-io handle_ksmbd_work
  PC is at ksmbd_gen_preauth_integrity_hash+0x24/0x190
  LR is at smb3_preauth_hash_rsp+0x50/0xa0
  pc : [<802b7044>] lr : [<802d6ac0>] psr: 40000013
  sp : bf199ed8 ip : 00000000 fp : 80d1edb0
  r10: 80a3471b r9 : 8091af16 r8 : 80d70640
  r7 : 00000072 r6 : be95e198 r5 : ca000000 r4 : b97fee00
  r3 : 00000000 r2 : 00000002 r1 : b97fea00 r0 : b97fee00
  Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
  Control: 0005317f Table: 3e7f4000 DAC: 00000055
  Process kworker/0:1 (pid: 60, stack limit = 0x3dd1fdb4)
  Stack: (0xbf199ed8 to 0xbf19a000)
  9ec0: b97fee00 00000000
  9ee0: be95e198 00000072 80d70640 802d6ac0 b3da2680 b97fea00 424d53ff be95e140
  9f00: b97fee00 802bd7b0 bf10fa58 80128a78 00000000 000001c8 b6220000 bf0b7720
  9f20: be95e198 80d0c410 bf7e2a00 00000000 00000000 be95e19c 80d0c370 80123b90
  9f40: bf0b7720 be95e198 bf0b7720 bf0b7734 80d0c410 bf198000 80d0c424 80d116e0
  9f60: bf10fa58 801240c0 00000000 bf10fa40 bf1463a0 bf198000 bf0b7720 80123ed0
  9f80: bf077ee4 bf10fa58 00000000 80127f80 bf1463a0 80127e88 00000000 00000000
  9fa0: 00000000 00000000 00000000 801010d0 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
  [<802b7044>] (ksmbd_gen_preauth_integrity_hash) from [<802d6ac0>] (smb3_preauth_hash_rsp+0x50/0xa0)
  [<802d6ac0>] (smb3_preauth_hash_rsp) from [<802bd7b0>] (handle_ksmbd_work+0x348/0x3f8)
  [<802bd7b0>] (handle_ksmbd_work) from [<80123b90>] (process_one_work+0x160/0x200)
  [<80123b90>] (process_one_work) from [<801240c0>] (worker_thread+0x1f0/0x2e4)
  [<801240c0>] (worker_thread) from [<80127f80>] (kthread+0xf8/0x10c)
  [<80127f80>] (kthread) from [<801010d0>] (ret_from_fork+0x14/0x24)
  Exception stack(0xbf199fb0 to 0xbf199ff8)
  9fa0: 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
  Code: e1855803 e5d13003 e1855c03 e5903094 (e1d330b0)
  ---[ end trace 8d03be3ed09e5699 ]---
  Kernel panic - not syncing: Fatal exception

smb3_preauth_hash_rsp() panics because conn->preauth_info is only allocated when processing a SMB2 NEGOTIATE request.

Fix this by splitting the smb_protos array into two, each containing only SMB1 and SMB2 dialects respectively.

While here, make ksmbd_negotiate_smb_dialect() static as it is not called from anywhere else.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
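The dialect scan quoted above from [MS-SMB2] 3.3.5.3.1 and 3.3.5.3.2, written as user-space C with bounds checks; this is an added example, not ksmbd's code or the patch itself. It assumes a server that implements the SMB 2.1 or 3.x family; the function, enum and sample-buffer names are hypothetical, and 0x02FF and 0x0202 are the SMB2 wildcard and SMB 2.002 dialect revision values.

```c
#include <stddef.h>
#include <string.h>

/* Result of scanning an SMB_COM_NEGOTIATE dialect list (hypothetical names). */
enum neg_result {
    NEG_MALFORMED = -1,     /* bad format byte or unterminated string */
    NEG_NO_SMB2   = 0,      /* no SMB2 string offered: not an SMB2 negotiate */
    NEG_SMB2_0202 = 0x0202, /* "SMB 2.002" offered (3.3.5.3.2) */
    NEG_SMB2_WILD = 0x02FF  /* "SMB 2.???" offered (3.3.5.3.1) */
};

/* Constructed sample dialect lists, not captured traffic. Each entry is a
 * 0x02 buffer-format byte followed by a NUL-terminated dialect string. */
static const unsigned char sample_wild[]  = "\x02NT LM 0.12\0\x02SMB 2.002\0\x02SMB 2.???";
static const unsigned char sample_2002[]  = "\x02NT LM 0.12\0\x02SMB 2.002";
static const unsigned char sample_other[] = "\x02NT LM 0.12\0\x02SMB 3.1.1";

/* Only the two strings named in [MS-SMB2] select an SMB2 response; any other
 * string, including a 3.x one, is ignored rather than matched as a dialect. */
static enum neg_result scan_smb1_dialects(const unsigned char *buf, size_t len)
{
    int seen_wild = 0, seen_2002 = 0;
    size_t off = 0;
    while (off < len) {
        const unsigned char *s, *nul;
        if (buf[off] != 0x02)
            return NEG_MALFORMED;
        s = buf + off + 1;
        nul = memchr(s, 0, len - off - 1);   /* never read past len */
        if (!nul)
            return NEG_MALFORMED;
        if (strcmp((const char *)s, "SMB 2.???") == 0)
            seen_wild = 1;
        else if (strcmp((const char *)s, "SMB 2.002") == 0)
            seen_2002 = 1;
        off = (size_t)(nul - buf) + 1;
    }
    if (seen_wild)
        return NEG_SMB2_WILD;
    return seen_2002 ? NEG_SMB2_0202 : NEG_NO_SMB2;
}

int main(void)
{
    int ok = scan_smb1_dialects(sample_wild, sizeof(sample_wild)) == NEG_SMB2_WILD
          && scan_smb1_dialects(sample_2002, sizeof(sample_2002)) == NEG_SMB2_0202
          && scan_smb1_dialects(sample_other, sizeof(sample_other)) == NEG_NO_SMB2;
    return ok ? 0 : 1;
}
```

Because the scan can only ever yield the wildcard or 2.002 revision, a 3.x dialect is reached solely through a later SMB2 NEGOTIATE request, which is the path the commit message says allocates conn->preauth_info.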
-