From: "Michael Kelley (EOSG)"
To: Long Li, Steve French, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org
CC: stable@vger.kernel.org
Subject: RE: [Patch v2 2/6] cifs: Allocate validate negotiation request through kmalloc
Date: Thu, 19 Apr 2018 00:45:14 +0000
References: <20180417191710.14855-1-longli@linuxonhyperv.com> <20180417191710.14855-2-longli@linuxonhyperv.com>
In-Reply-To: <20180417191710.14855-2-longli@linuxonhyperv.com>
> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org On Behalf Of Long Li
> Sent: Tuesday, April 17, 2018 12:17 PM
> To: Steve French ; linux-cifs@vger.kernel.org; samba-technical@lists.samba.org; linux-kernel@vger.kernel.org; linux-rdma@vger.kernel.org
> Cc: Long Li ; stable@vger.kernel.org
> Subject: [Patch v2 2/6] cifs: Allocate validate negotiation request through kmalloc
>
> From: Long Li
>
> The data buffer allocated on the stack can't be DMA'ed, and hence can't send
> through RDMA via SMB Direct.
>
> Fix this by allocating the request on the heap in smb3_validate_negotiate.
>
> Fixes: ff1c038addc4f205d5f1ede449426c7d316c0eed "Check SMB3 dialects against
> downgrade attacks"
>
> Changes in v2:
> Removed duplicated code on freeing buffers on function exit.
> (Thanks to Parav Pandit )
>
> Fixed typo in the patch title.
>
> Signed-off-by: Long Li
> Cc: stable@vger.kernel.org
> ---
>  fs/cifs/smb2pdu.c | 57 ++++++++++++++++++++++++++++++-------------------------
>  1 file changed, 31 insertions(+), 26 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 0f044c4..41625e4 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -729,8 +729,8 @@ SMB2_negotiate(const unsigned int xid, struct cifs_se= s *ses) >=20 > int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tc= on) > { > - int rc =3D 0; > - struct validate_negotiate_info_req vneg_inbuf; > + int ret, rc =3D -EIO; > + struct validate_negotiate_info_req *pneg_inbuf; > struct validate_negotiate_info_rsp *pneg_rsp =3D NULL; > u32 rsplen; > u32 inbuflen; /* max of 4 dialects */ > @@ -741,6 +741,9 @@ int smb3_validate_negotiate(const unsigned int xid, s= truct cifs_tcon > *tcon) > if (tcon->ses->server->rdma) > return 0; > #endif > + pneg_inbuf =3D kmalloc(sizeof(*pneg_inbuf), GFP_KERNEL); > + if (!pneg_inbuf) > + return -ENOMEM; Immediately after the above new code, there are three if statements that ca= n 'return 0' and never free the pneg_inbuf memory. They should instead set '= rc' appropriately and 'goto' the out_free_inbuf label. Michael >=20 > /* In SMB3.11 preauth integrity supersedes validate negotiate */ > if (tcon->ses->server->dialect =3D=3D SMB311_PROT_ID) 
> @@ -764,53 +767,53 @@ int smb3_validate_negotiate(const unsigned int xid,= struct cifs_tcon > *tcon) > if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) > cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by serv= er\n"); >=20 > - vneg_inbuf.Capabilities =3D > + pneg_inbuf->Capabilities =3D > cpu_to_le32(tcon->ses->server->vals->req_capabilities); > - memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, > + memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid, > SMB2_CLIENT_GUID_SIZE); >=20 > if (tcon->ses->sign) > - vneg_inbuf.SecurityMode =3D > + pneg_inbuf->SecurityMode =3D > cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); > else if (global_secflags & CIFSSEC_MAY_SIGN) > - vneg_inbuf.SecurityMode =3D > + pneg_inbuf->SecurityMode =3D > cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); > else > - vneg_inbuf.SecurityMode =3D 0; > + pneg_inbuf->SecurityMode =3D 0; >=20 >=20 > if (strcmp(tcon->ses->server->vals->version_string, > SMB3ANY_VERSION_STRING) =3D=3D 0) { > - vneg_inbuf.Dialects[0] =3D cpu_to_le16(SMB30_PROT_ID); > - vneg_inbuf.Dialects[1] =3D cpu_to_le16(SMB302_PROT_ID); > - vneg_inbuf.DialectCount =3D cpu_to_le16(2); > + pneg_inbuf->Dialects[0] =3D cpu_to_le16(SMB30_PROT_ID); > + pneg_inbuf->Dialects[1] =3D cpu_to_le16(SMB302_PROT_ID); > + pneg_inbuf->DialectCount =3D cpu_to_le16(2); > /* structure is big enough for 3 dialects, sending only 2 */ > inbuflen =3D sizeof(struct validate_negotiate_info_req) - 2; > } else if (strcmp(tcon->ses->server->vals->version_string, > SMBDEFAULT_VERSION_STRING) =3D=3D 0) { > - vneg_inbuf.Dialects[0] =3D cpu_to_le16(SMB21_PROT_ID); > - vneg_inbuf.Dialects[1] =3D cpu_to_le16(SMB30_PROT_ID); > - vneg_inbuf.Dialects[2] =3D cpu_to_le16(SMB302_PROT_ID); > - vneg_inbuf.DialectCount =3D cpu_to_le16(3); > + pneg_inbuf->Dialects[0] =3D cpu_to_le16(SMB21_PROT_ID); > + pneg_inbuf->Dialects[1] =3D cpu_to_le16(SMB30_PROT_ID); > + pneg_inbuf->Dialects[2] =3D cpu_to_le16(SMB302_PROT_ID); > + 
pneg_inbuf->DialectCount =3D cpu_to_le16(3); > /* structure is big enough for 3 dialects */ > inbuflen =3D sizeof(struct validate_negotiate_info_req); > } else { > /* otherwise specific dialect was requested */ > - vneg_inbuf.Dialects[0] =3D > + pneg_inbuf->Dialects[0] =3D > cpu_to_le16(tcon->ses->server->vals->protocol_id); > - vneg_inbuf.DialectCount =3D cpu_to_le16(1); > + pneg_inbuf->DialectCount =3D cpu_to_le16(1); > /* structure is big enough for 3 dialects, sending only 1 */ > inbuflen =3D sizeof(struct validate_negotiate_info_req) - 4; > } >=20 > - rc =3D SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, > + ret =3D SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, > FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, > - (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), > + (char *)pneg_inbuf, sizeof(struct validate_negotiate_info_req), > (char **)&pneg_rsp, &rsplen); >=20 > - if (rc !=3D 0) { > - cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); > - return -EIO; > + if (ret !=3D 0) { > + cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", ret); > + goto out_free_inbuf; > } >=20 > if (rsplen !=3D sizeof(struct validate_negotiate_info_rsp)) { > @@ -820,7 +823,7 @@ int smb3_validate_negotiate(const unsigned int xid, s= truct cifs_tcon > *tcon) > /* relax check since Mac returns max bufsize allowed on ioctl */ > if ((rsplen > CIFSMaxBufSize) > || (rsplen < sizeof(struct validate_negotiate_info_rsp))) > - goto err_rsp_free; > + goto out_free_rsp; > } >=20 > /* check validate negotiate info response matches what we got earlier *= / 
> @@ -838,14 +841,16 @@ int smb3_validate_negotiate(const unsigned int xid,= struct cifs_tcon > *tcon) >=20 > /* validate negotiate successful */ > cifs_dbg(FYI, "validate negotiate info successful\n"); > - kfree(pneg_rsp); > - return 0; > + rc =3D 0; > + goto out_free_rsp; >=20 > vneg_out: > cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); > -err_rsp_free: > +out_free_rsp: > kfree(pneg_rsp); > - return -EIO; > +out_free_inbuf: > + kfree(pneg_inbuf); > + return rc; > } >=20 > enum securityEnum > -- > 2.7.4
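Review bot: in the first hunk (@@ -729 / @@ -741), the new kmalloc() is placed above the early-return checks that follow it (the SMB311 dialect check shown as context, plus the further `return 0` paths the inline comment points out), so every session that takes one of those paths leaks a pneg_inbuf allocation. The least invasive fix is to move the allocation down to just before the first use of pneg_inbuf (the `pneg_inbuf->Capabilities =` assignment in the second hunk), which leaves the early returns untouched and allocates nothing for sessions that skip validation; the alternative is to keep it where it is and turn each of those returns into `rc = 0; goto out_free_inbuf;`, which the new label and the `rc = -EIO` initialisation already make possible. Either way the leak should be closed in this patch rather than a follow-up, since the patch is tagged for stable.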
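Review bot: in the second hunk (@@ -764), inbuflen is still computed per branch (sizeof minus 2 for SMB3ANY, minus 4 for a single dialect) but the SMB2_ioctl() call keeps passing sizeof(struct validate_negotiate_info_req), so the Dialects slots that were never assigned are included in the request. Before this patch those slots held uninitialised stack data; with kmalloc() they hold whatever the heap chunk previously contained, so the change moves the disclosed bytes from stack to heap rather than removing them. Since the call is already being rewritten here, suggest passing inbuflen as the input length (which also makes the "sending only 2" / "sending only 1" comments accurate), or at minimum switching to kzalloc() so the unused slots are zero.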