release 6.14.7
This commit is contained in:
@@ -1,33 +0,0 @@
|
||||
From 7b3f0f8d11f1b4319f593ba02d4dece890755dfa Mon Sep 17 00:00:00 2001
|
||||
From: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Date: Wed, 30 Apr 2025 11:18:28 +0900
|
||||
Subject: ksmbd: prevent rename with empty string
|
||||
|
||||
Client can send empty newname string to ksmbd server.
|
||||
It will cause a kernel oops from d_alloc.
|
||||
This patch return the error when attempting to rename
|
||||
a file or directory with an empty new name string.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Tested-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/smb2pdu.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/smb2pdu.c
|
||||
+++ b/fs/smb/server/smb2pdu.c
|
||||
@@ -633,6 +633,11 @@ smb2_get_name(const char *src, const int
|
||||
return name;
|
||||
}
|
||||
|
||||
+ if (*name == '\0') {
|
||||
+ kfree(name);
|
||||
+ return ERR_PTR(-EINVAL);
|
||||
+ }
|
||||
+
|
||||
if (*name == '\\') {
|
||||
pr_err("not allow directory name included leading slash\n");
|
||||
kfree(name);
|
||||
35
debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch
vendored
Normal file
35
debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch
vendored
Normal file
@@ -0,0 +1,35 @@
|
||||
From 8ef14a884df5aaf48cf5f7ce6c91e7318cb07d4e Mon Sep 17 00:00:00 2001
|
||||
From: Jethro Donaldson <devel@jro.nz>
|
||||
Date: Thu, 15 May 2025 01:23:23 +1200
|
||||
Subject: smb: client: fix memory leak during error handling for POSIX mkdir
|
||||
|
||||
The response buffer for the CREATE request handled by smb311_posix_mkdir()
|
||||
is leaked on the error path (goto err_free_rsp_buf) because the structure
|
||||
pointer *rsp passed to free_rsp_buf() is not assigned until *after* the
|
||||
error condition is checked.
|
||||
|
||||
As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak
|
||||
is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of
|
||||
cifs.ko if (and only if) the error path has been hit.
|
||||
|
||||
Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in
|
||||
other functions in smb2pdu.c for which *rsp is assigned late.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Jethro Donaldson <devel@jro.nz>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/client/smb2pdu.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/fs/smb/client/smb2pdu.c
|
||||
+++ b/fs/smb/client/smb2pdu.c
|
||||
@@ -2967,7 +2967,7 @@ replay_again:
|
||||
/* Eventually save off posix specific response info and timestamps */
|
||||
|
||||
err_free_rsp_buf:
|
||||
- free_rsp_buf(resp_buftype, rsp);
|
||||
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
|
||||
kfree(pc_buf);
|
||||
err_free_req:
|
||||
cifs_small_buf_release(req);
|
||||
@@ -1,37 +0,0 @@
|
||||
From fb87d390de327c76b11ed544de83771118f7b0c5 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Szetei <norbert@doyensec.com>
|
||||
Date: Fri, 2 May 2025 08:21:58 +0900
|
||||
Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
|
||||
|
||||
ksmbd_vfs_stream_write() did not validate whether the write offset
|
||||
(*pos) was within the bounds of the existing stream data length (v_len).
|
||||
If *pos was greater than or equal to v_len, this could lead to an
|
||||
out-of-bounds memory write.
|
||||
|
||||
This patch adds a check to ensure *pos is less than v_len before
|
||||
proceeding. If the condition fails, -EINVAL is returned.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/vfs.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/vfs.c
|
||||
+++ b/fs/smb/server/vfs.c
|
||||
@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (v_len <= *pos) {
|
||||
+ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
|
||||
+ *pos, v_len);
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
if (v_len < size) {
|
||||
wbuf = kvzalloc(size, KSMBD_DEFAULT_GFP);
|
||||
if (!wbuf) {
|
||||
@@ -1,74 +0,0 @@
|
||||
From 67ea573ce44aeac74e659879cdeb6ac39212d0b9 Mon Sep 17 00:00:00 2001
|
||||
From: Sean Heelan <seanheelan@gmail.com>
|
||||
Date: Tue, 6 May 2025 22:04:52 +0900
|
||||
Subject: ksmbd: Fix UAF in __close_file_table_ids
|
||||
|
||||
A use-after-free is possible if one thread destroys the file
|
||||
via __ksmbd_close_fd while another thread holds a reference to
|
||||
it. The existing checks on fp->refcount are not sufficient to
|
||||
prevent this.
|
||||
|
||||
The fix takes ft->lock around the section which removes the
|
||||
file from the file table. This prevents two threads acquiring the
|
||||
same file pointer via __close_file_table_ids, as well as the other
|
||||
functions which retrieve a file from the IDR and which already use
|
||||
this same lock.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
|
||||
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
|
||||
1 file changed, 26 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/fs/smb/server/vfs_cache.c
|
||||
+++ b/fs/smb/server/vfs_cache.c
|
||||
@@ -661,21 +661,40 @@ __close_file_table_ids(struct ksmbd_file
|
||||
bool (*skip)(struct ksmbd_tree_connect *tcon,
|
||||
struct ksmbd_file *fp))
|
||||
{
|
||||
- unsigned int id;
|
||||
- struct ksmbd_file *fp;
|
||||
- int num = 0;
|
||||
+ struct ksmbd_file *fp;
|
||||
+ unsigned int id = 0;
|
||||
+ int num = 0;
|
||||
|
||||
- idr_for_each_entry(ft->idr, fp, id) {
|
||||
- if (skip(tcon, fp))
|
||||
+ while (1) {
|
||||
+ write_lock(&ft->lock);
|
||||
+ fp = idr_get_next(ft->idr, &id);
|
||||
+ if (!fp) {
|
||||
+ write_unlock(&ft->lock);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (skip(tcon, fp) ||
|
||||
+ !atomic_dec_and_test(&fp->refcount)) {
|
||||
+ id++;
|
||||
+ write_unlock(&ft->lock);
|
||||
continue;
|
||||
+ }
|
||||
|
||||
set_close_state_blocked_works(fp);
|
||||
+ idr_remove(ft->idr, fp->volatile_id);
|
||||
+ fp->volatile_id = KSMBD_NO_FID;
|
||||
+ write_unlock(&ft->lock);
|
||||
+
|
||||
+ down_write(&fp->f_ci->m_lock);
|
||||
+ list_del_init(&fp->node);
|
||||
+ up_write(&fp->f_ci->m_lock);
|
||||
|
||||
- if (!atomic_dec_and_test(&fp->refcount))
|
||||
- continue;
|
||||
__ksmbd_close_fd(ft, fp);
|
||||
+
|
||||
num++;
|
||||
+ id++;
|
||||
}
|
||||
+
|
||||
return num;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user