Merge tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
"Various SMB3 fixes for 4.14 and stable"

* tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
SMB3: Validate negotiate request must always be signed
SMB: fix validate negotiate info uninitialised memory use
SMB: fix leak of validate negotiate info response buffer
CIFS: Fix NULL pointer deref on SMB2_tcon() failure
CIFS: do not send invalid input buffer on QUERY_INFO requests
cifs: Select all required crypto modules
CIFS: SMBD: Fix the definition for SMB2_CHANNEL_RDMA_V1_INVALIDATE
cifs: handle large EA requests more gracefully in smb2+
Fix encryption labels and lengths for SMB3.1.1

+77 -34
+5
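--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -5,9 +5,14 @@
 select CRYPTO
 select CRYPTO_MD4
 select CRYPTO_MD5
+select CRYPTO_SHA256
+select CRYPTO_CMAC
 select CRYPTO_HMAC
 select CRYPTO_ARC4
+select CRYPTO_AEAD2
+select CRYPTO_CCM
 select CRYPTO_ECB
+select CRYPTO_AES
 select CRYPTO_DES
 help
 This is the client VFS module for the SMB3 family of NAS protocols,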
+6 -2
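--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -661,7 +661,9 @@
 #endif
 unsigned int max_read;
 unsigned int max_write;
-__u8 preauth_hash[512];
+#ifdef CONFIG_CIFS_SMB311
+__u8 preauth_sha_hash[64]; /* save initital negprot hash */
+#endif /* 3.1.1 */
 struct delayed_work reconnect; /* reconnect workqueue job */
 struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
 unsigned long echo_interval;
@@ -851,7 +849,9 @@
 __u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
 __u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
 __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
-__u8 preauth_hash[512];
+#ifdef CONFIG_CIFS_SMB311
+__u8 preauth_sha_hash[64];
+#endif /* 3.1.1 */
 };
 
 static inline bool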
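Review bot: The comment on the new preauth_sha_hash field in the first hunk misspells "initial" (`/* save initital negprot hash */`); I would write `/* save initial negprot hash */`, and give the otherwise uncommented cifs_ses field in the second hunk the same one-liner. Both hunks also size the array with a bare 64, which the smb2transport.c section repeats as `d->context.iov_len = 64`; if the field holds a SHA-512 preauth integrity hash, as its name suggests, `__u8 preauth_sha_hash[SHA512_DIGEST_SIZE];` would name the length once and keep the two files in step. The enclosing struct definitions start and end outside the hunks.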
+1 -1
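--- a/fs/cifs/smb2maperror.c
+++ b/fs/cifs/smb2maperror.c
@@ -214,7 +214,7 @@
 {STATUS_DATATYPE_MISALIGNMENT, -EIO, "STATUS_DATATYPE_MISALIGNMENT"},
 {STATUS_BREAKPOINT, -EIO, "STATUS_BREAKPOINT"},
 {STATUS_SINGLE_STEP, -EIO, "STATUS_SINGLE_STEP"},
-{STATUS_BUFFER_OVERFLOW, -EIO, "STATUS_BUFFER_OVERFLOW"},
+{STATUS_BUFFER_OVERFLOW, -E2BIG, "STATUS_BUFFER_OVERFLOW"},
 {STATUS_NO_MORE_FILES, -ENODATA, "STATUS_NO_MORE_FILES"},
 {STATUS_WAKE_SYSTEM_DEBUGGER, -EIO, "STATUS_WAKE_SYSTEM_DEBUGGER"},
 {STATUS_HANDLES_CLOSED, -EIO, "STATUS_HANDLES_CLOSED"},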
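Review bot: The new -E2BIG mapping for STATUS_BUFFER_OVERFLOW applies to every SMB2 response this table translates, not only the EA query that the smb2ops.c section retries on -E2BIG. Any other caller that previously saw -EIO for this status will now receive -E2BIG and may pass it through to user space; those paths are not visible from this section, so they are worth checking before the mapping goes in. A short comment on the entry, e.g. `/* -E2BIG: smb2_query_eas() retries with a larger buffer on this status */`, would record why this status differs from its -EIO neighbours. The table definition starts and ends outside the hunk.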
+25 -6
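--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -522,6 +522,7 @@
 struct cifs_open_parms oparms;
 struct cifs_fid fid;
 struct smb2_file_full_ea_info *smb2_data;
+int ea_buf_size = SMB2_MIN_EA_BUF;
 
 utf16_path = cifs_convert_path_to_utf16(path, cifs_sb);
 if (!utf16_path)
@@ -542,14 +541,32 @@
 return rc;
 }
 
-smb2_data = kzalloc(SMB2_MAX_EA_BUF, GFP_KERNEL);
-if (smb2_data == NULL) {
-SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
-return -ENOMEM;
+while (1) {
+smb2_data = kzalloc(ea_buf_size, GFP_KERNEL);
+if (smb2_data == NULL) {
+SMB2_close(xid, tcon, fid.persistent_fid,
+fid.volatile_fid);
+return -ENOMEM;
+}
+
+rc = SMB2_query_eas(xid, tcon, fid.persistent_fid,
+fid.volatile_fid,
+ea_buf_size, smb2_data);
+
+if (rc != -E2BIG)
+break;
+
+kfree(smb2_data);
+ea_buf_size <<= 1;
+
+if (ea_buf_size > SMB2_MAX_EA_BUF) {
+cifs_dbg(VFS, "EA size is too large\n");
+SMB2_close(xid, tcon, fid.persistent_fid,
+fid.volatile_fid);
+return -ENOMEM;
+}
 }
 
-rc = SMB2_query_eas(xid, tcon, fid.persistent_fid, fid.volatile_fid,
-smb2_data);
 SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
 
 if (!rc)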
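Review bot: The `if (ea_buf_size > SMB2_MAX_EA_BUF)` branch in the second hunk returns -ENOMEM although no allocation failed; the server's EA data simply exceeds the client's cap, so user space is told the system is out of memory. At that point rc is still the -E2BIG that kept the loop going, so `return rc; /* -E2BIG: EA data exceeds SMB2_MAX_EA_BUF */` would describe the condition and agree with the message already logged. The two `SMB2_close(); return` pairs inside the loop and the close after it could also collapse into one exit label, which would make it easier to see that the handle is closed on every path. The enclosing function starts and ends outside the hunk.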
+22 -11
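--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -648,7 +648,7 @@
 {
 int rc = 0;
 struct validate_negotiate_info_req vneg_inbuf;
-struct validate_negotiate_info_rsp *pneg_rsp;
+struct validate_negotiate_info_rsp *pneg_rsp = NULL;
 u32 rsplen;
 u32 inbuflen; /* max of 4 dialects */
 
@@ -727,8 +727,9 @@
 rsplen);
 
 /* relax check since Mac returns max bufsize allowed on ioctl */
-if (rsplen > CIFSMaxBufSize)
-return -EIO;
+if ((rsplen > CIFSMaxBufSize)
+|| (rsplen < sizeof(struct validate_negotiate_info_rsp)))
+goto err_rsp_free;
 }
 
 /* check validate negotiate info response matches what we got earlier */
@@ -748,9 +747,12 @@
 
 /* validate negotiate successful */
 cifs_dbg(FYI, "validate negotiate info successful\n");
+kfree(pneg_rsp);
 return 0;
 
 vneg_out:
 cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+err_rsp_free:
+kfree(pneg_rsp);
 return -EIO;
 }
 
@@ -1259,7 +1255,7 @@
 struct smb2_tree_connect_req *req;
 struct smb2_tree_connect_rsp *rsp = NULL;
 struct kvec iov[2];
-struct kvec rsp_iov;
+struct kvec rsp_iov = { NULL, 0 };
 int rc = 0;
 int resp_buftype;
 int unc_path_len;
@@ -1376,7 +1372,7 @@
 return rc;
 
 tcon_error_exit:
-if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
+if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
 cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
 }
 goto tcon_exit;
@@ -1979,6 +1975,9 @@
 } else
 iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
 rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
 cifs_small_buf_release(req);
@@ -2198,9 +2191,13 @@
 req->PersistentFileId = persistent_fid;
 req->VolatileFileId = volatile_fid;
 req->AdditionalInformation = cpu_to_le32(additional_info);
-/* 4 for rfc1002 length field and 1 for Buffer */
-req->InputBufferOffset =
-cpu_to_le16(sizeof(struct smb2_query_info_req) - 1 - 4);
+
+/*
+ * We do not use the input buffer (do not send extra byte)
+ */
+req->InputBufferOffset = 0;
+inc_rfc1001_len(req, -1);
+
 req->OutputBufferLength = cpu_to_le32(output_len);
 
 iov[0].iov_base = (char *)req;
@@ -2244,12 +2233,12 @@
 }
 
 int SMB2_query_eas(const unsigned int xid, struct cifs_tcon *tcon,
-u64 persistent_fid, u64 volatile_fid,
-struct smb2_file_full_ea_info *data)
+u64 persistent_fid, u64 volatile_fid,
+int ea_buf_size, struct smb2_file_full_ea_info *data)
 {
 return query_info(xid, tcon, persistent_fid, volatile_fid,
 FILE_FULL_EA_INFORMATION, SMB2_O_INFO_FILE, 0,
-SMB2_MAX_EA_BUF,
+ea_buf_size,
 sizeof(struct smb2_file_full_ea_info),
 (void **)&data,
 NULL);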
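Review bot: In the second hunk the new lower bound `rsplen < sizeof(struct validate_negotiate_info_rsp)` is what keeps the field comparisons that follow inside the response buffer, but the comment above it still explains only the relaxed upper bound, so the next reader will not see why a short reply is rejected here. I would extend it to `/* relax upper bound since Mac returns max bufsize allowed on ioctl, but still require a complete validate_negotiate_info_rsp before reading its fields */`. The minimum check appears to sit inside an outer `if` whose condition is not in the hunk, so whether every path to the field comparisons passes through it cannot be confirmed from here. The enclosing function begins outside the hunk.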
+3 -2
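--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -832,7 +832,7 @@
 /* Channel field for read and write: exactly one of following flags can be set*/
 #define SMB2_CHANNEL_NONE 0x00000000
 #define SMB2_CHANNEL_RDMA_V1 0x00000001 /* SMB3 or later */
-#define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000001 /* SMB3.02 or later */
+#define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002 /* SMB3.02 or later */
 
 /* SMB2 read request without RFC1001 length at the beginning */
 struct smb2_read_plain_req {
@@ -1178,7 +1178,8 @@
 char FileName[0]; /* Name to be assigned to new link */
 } __packed; /* level 11 Set */
 
-#define SMB2_MAX_EA_BUF 2048
+#define SMB2_MIN_EA_BUF 2048
+#define SMB2_MAX_EA_BUF 65536
 
 struct smb2_file_full_ea_info { /* encoding of response for level 15 */
 __le32 next_entry_offset;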
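Review bot: The two EA constants in the second hunk carry no comment on how they relate; SMB2_MIN_EA_BUF is the first allocation and SMB2_MAX_EA_BUF the ceiling of the doubling loop in smb2_query_eas() in the smb2ops.c section, and a reader of this header sees neither. I would add `/* smb2_query_eas() starts at MIN and doubles the buffer up to MAX before giving up */` above them. Since SMB2_MAX_EA_BUF now bounds how much EA data the client will accept from a server, a word on why 65536 was chosen would also help whoever next needs to raise or lower it.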
+1
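--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -134,6 +134,7 @@
 u64 persistent_file_id, u64 volatile_file_id);
 extern int SMB2_query_eas(const unsigned int xid, struct cifs_tcon *tcon,
 u64 persistent_file_id, u64 volatile_file_id,
+int ea_buf_size,
 struct smb2_file_full_ea_info *data);
 extern int SMB2_query_info(const unsigned int xid, struct cifs_tcon *tcon,
 u64 persistent_file_id, u64 volatile_file_id,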
+14 -12
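--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -390,6 +390,7 @@
 return generate_smb3signingkey(ses, &triplet);
 }
 
+#ifdef CONFIG_CIFS_SMB311
 int
 generate_smb311signingkey(struct cifs_ses *ses)
 
@@ -399,25 +398,26 @@
 struct derivation *d;
 
 d = &triplet.signing;
-d->label.iov_base = "SMB2AESCMAC";
-d->label.iov_len = 12;
-d->context.iov_base = "SmbSign";
-d->context.iov_len = 8;
+d->label.iov_base = "SMBSigningKey";
+d->label.iov_len = 14;
+d->context.iov_base = ses->preauth_sha_hash;
+d->context.iov_len = 64;
 
 d = &triplet.encryption;
-d->label.iov_base = "SMB2AESCCM";
-d->label.iov_len = 11;
-d->context.iov_base = "ServerIn ";
-d->context.iov_len = 10;
+d->label.iov_base = "SMBC2SCipherKey";
+d->label.iov_len = 16;
+d->context.iov_base = ses->preauth_sha_hash;
+d->context.iov_len = 64;
 
 d = &triplet.decryption;
-d->label.iov_base = "SMB2AESCCM";
-d->label.iov_len = 11;
-d->context.iov_base = "ServerOut";
-d->context.iov_len = 10;
+d->label.iov_base = "SMBS2CCipherKey";
+d->label.iov_len = 16;
+d->context.iov_base = ses->preauth_sha_hash;
+d->context.iov_len = 64;
 
 return generate_smb3signingkey(ses, &triplet);
 }
+#endif /* 311 */
 
 int
 smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)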
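Review bot: In the second hunk each `d->context.iov_len = 64` duplicates the size of ses->preauth_sha_hash declared in the cifsglob.h section, so a later change to that array would silently desynchronise the KDF context length; `d->context.iov_len = sizeof(ses->preauth_sha_hash);` keeps the two tied together. The three label lengths could likewise be written as `sizeof("SMBSigningKey")` and friends, which documents that the terminating NUL is counted (14 for the 13-character string) rather than leaving the reader to re-derive it. A one-line comment at the top of the function, `/* SMB3.1.1 derives signing and cipher keys from these labels with the preauth hash as context (MS-SMB2 3.1.4.2) */`, would explain why the labels differ from the SMB3.0 variant above. The function's opening lines sit between the two hunks and are not visible here.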