313dab08 | 28-Nov-2024 |
Jordy Zomer <jordyzomer@google.com> |
ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this iss
ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf.
Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
fc342cf8 | 28-Nov-2024 |
Jordy Zomer <jordyzomer@google.com> |
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming whe
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf.
Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
9a8c5d89 | 25-Nov-2024 |
Yunseong Kim <yskelg@gmail.com> |
ksmbd: fix use-after-free in SMB request handling
A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle
ksmbd: fix use-after-free in SMB request handling
A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked
This race condition arises as follows: - `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero: `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);` - Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`. - However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line: `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)` This results in a UAF, as `conn` has already been freed.
The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests. Link: https://github.com/google/syzkaller/pull/5524
Fixes: ee426bfb9d09 ("ksmbd: add refcnt to ksmbd_conn struct") Cc: linux-cifs@vger.kernel.org Cc: stable@vger.kernel.org # v6.6.55+, v6.10.14+, v6.11.3+ Cc: syzkaller@googlegroups.com Signed-off-by: Yunseong Kim <yskelg@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
db5f8243 | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: add debug print for pending request during server shutdown
We need to know how many pending requests are left at the end of server shutdown. That means we need to know how long the server wil
ksmbd: add debug print for pending request during server shutdown
We need to know how many pending requests are left at the end of server shutdown. That means we need to know how long the server will wait to process pending requests in case of a server shutdown.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
5f3f274e | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: add netdev-up/down event debug print
Add netdev-up/down event debug print to find what netdev is connected or disconnected.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by:
ksmbd: add netdev-up/down event debug print
Add netdev-up/down event debug print to find what netdev is connected or disconnected.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
e333e776 | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: add debug prints to know what smb2 requests were received
Add debug prints to know what smb2 requests were received.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve F
ksmbd: add debug prints to know what smb2 requests were received
Add debug prints to know what smb2 requests were received.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
fc61a5db | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: add debug print for rdma capable
Add debug print to know if netdevice is RDMA-capable network adapter.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrenc
ksmbd: add debug print for rdma capable
Add debug print to know if netdevice is RDMA-capable network adapter.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
f75f8bdd | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: use msleep instaed of schedule_timeout_interruptible()
use msleep instaed of schedule_timeout_interruptible() to guarantee the task delays as expected.
Signed-off-by: Namjae Jeon <linkinjeon
ksmbd: use msleep instaed of schedule_timeout_interruptible()
use msleep instaed of schedule_timeout_interruptible() to guarantee the task delays as expected.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
0066f623 | 22-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: use __GFP_RETRY_MAYFAIL
Prefer to report ENOMEM rather than incur the oom for allocations in ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations just too easily. __GFP_
ksmbd: use __GFP_RETRY_MAYFAIL
Prefer to report ENOMEM rather than incur the oom for allocations in ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations just too easily. __GFP_RETRY_MAYFAIL will keep retrying the allocation until there is no more progress and fail the allocation instead go OOM and let the caller to deal with it.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
0a77d947 | 04-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: check outstanding simultaneous SMB operations
If Client send simultaneous SMB operations to ksmbd, It exhausts too much memory through the "ksmbd_work_cache”. It will cause OOM issue. ksmbd h
ksmbd: check outstanding simultaneous SMB operations
If Client send simultaneous SMB operations to ksmbd, It exhausts too much memory through the "ksmbd_work_cache”. It will cause OOM issue. ksmbd has a credit mechanism but it can't handle this problem. This patch add the check if it exceeds max credits to prevent this problem by assuming that one smb request consumes at least one credit.
Cc: stable@vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert@doyensec.com> Tested-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
b8fc56fb | 04-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). It will avoid freeing session before calling smb3_preauth_hash_rsp().
ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). It will avoid freeing session before calling smb3_preauth_hash_rsp().
Cc: stable@vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert@doyensec.com> Tested-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
0a77715d | 02-Nov-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while add
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table.
Cc: stable@vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert@doyensec.com> Tested-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
a77e0e02 | 09-Oct-2024 |
Namjae Jeon <linkinjeon@kernel.org> |
ksmbd: add support for supplementary groups
Even though system user has a supplementary group, It gets NT_STATUS_ACCESS_DENIED when attempting to create file or directory. This patch add KSMBD_EVENT
ksmbd: add support for supplementary groups
Even though system user has a supplementary group, It gets NT_STATUS_ACCESS_DENIED when attempting to create file or directory. This patch add KSMBD_EVENT_LOGIN_REQUEST_EXT/RESPONSE_EXT netlink events to get supplementary groups list. The new netlink event doesn't break backward compatibility when using old ksmbd-tools.
Co-developed-by: Atte Heikkilä <atteh.mailbox@gmail.com> Signed-off-by: Atte Heikkilä <atteh.mailbox@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
9c383396 | 28-Sep-2024 |
Thorsten Blum <thorsten.blum@linux.dev> |
ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
Use struct_size() to calculate the number of bytes to allocate for a new message.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> A
ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
Use struct_size() to calculate the number of bytes to allocate for a new message.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
0801c137 | 25-Sep-2024 |
Thorsten Blum <thorsten.blum@linux.dev> |
ksmbd: Annotate struct copychunk_ioctl_req with __counted_by_le()
Add the __counted_by_le compiler attribute to the flexible array member Chunks to improve access bounds-checking via CONFIG_UBSAN_BO
ksmbd: Annotate struct copychunk_ioctl_req with __counted_by_le()
Add the __counted_by_le compiler attribute to the flexible array member Chunks to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE.
Change the data type of the flexible array member Chunks from __u8[] to struct srv_copychunk[] for ChunkCount to match the number of elements in the Chunks array. (With __u8[], each srv_copychunk would occupy 24 array entries and the __counted_by compiler attribute wouldn't be applicable.)
Use struct_size() to calculate the size of the copychunk_ioctl_req.
Read Chunks[0] after checking that ChunkCount is not 0.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|
9e676e57 | 25-Sep-2024 |
Shen Lichuan <shenlichuan@vivo.com> |
ksmbd: Correct typos in multiple comments across various files
Fixed some confusing typos that were currently identified witch codespell, the details are as follows:
-in the code comments: fs/smb/c
ksmbd: Correct typos in multiple comments across various files
Fixed some confusing typos that were currently identified witch codespell, the details are as follows:
-in the code comments: fs/smb/common/smb2pdu.h:9: specfication ==> specification fs/smb/common/smb2pdu.h:494: usally ==> usually fs/smb/common/smb2pdu.h:1064: Attrubutes ==> Attributes fs/smb/server/connection.c:28: cleand ==> cleaned fs/smb/server/ksmbd_netlink.h:216: struture ==> structure fs/smb/server/oplock.c:799: conains ==> contains fs/smb/server/oplock.c:1487: containted ==> contained fs/smb/server/server.c:282: proccessing ==> processing fs/smb/server/smb_common.c:491: comforms ==> conforms fs/smb/server/xattr.h:102: ATTRIBUITE ==> ATTRIBUTE
Signed-off-by: Shen Lichuan <shenlichuan@vivo.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
show more ...
|