From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Steve French, Aurelien Aptel
Subject: [PATCH 4.18 136/235] cifs: integer overflow in in SMB2_ioctl()
Date: Mon, 24 Sep 2018 13:52:02 +0200
Message-Id: <20180924113119.368977469@linuxfoundation.org>
In-Reply-To: <20180924113103.999624566@linuxfoundation.org>
References: <20180924113103.999624566@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Dan Carpenter commit 2d204ee9d671327915260071c19350d84344e096 upstream. The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter Signed-off-by: Steve French Reviewed-by: Aurelien Aptel CC: Stable Signed-off-by: Greg Kroah-Hartman --- fs/cifs/smb2pdu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2418,14 +2418,14 @@ SMB2_ioctl(const unsigned int xid, struc /* We check for obvious errors in the output buffer length and offset */ if (*plen == 0) goto ioctl_exit; /* server returned no data */ - else if (*plen > 0xFF00) { + else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) { cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen); *plen = 0; rc = -EIO; goto ioctl_exit; } - if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) { + if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) { cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen, le32_to_cpu(rsp->OutputOffset)); *plen = 0;
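Review bot: The rewritten bound `rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)` is only wrap-free because the same hunk adds `*plen > rsp_iov.iov_len` to the early-reject branch just above it; `rsp_iov.iov_len` is an unsigned `size_t`, so without that guard the subtraction would underflow for a large `*plen` in the same way the old `le32_to_cpu(rsp->OutputOffset) + *plen` sum wrapped (that sum is computed in 32 bits before being widened for the comparison against `iov_len`, which is why a wrapped, small value passed the old check). Since the two lines depend on each other, a one-line comment above the subtraction stating that `*plen <= rsp_iov.iov_len` is already guaranteed would stop a later cleanup from reordering or dropping the guard. Pre-existing but visible in the context: both `cifs_dbg` calls print `*plen` and the offset with `%d` although they are unsigned values; `%u` would keep large rejected lengths from being logged as negative numbers.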
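To make the wrap the commit message describes concrete, here is an added stand-alone C example (not code from the kernel or from this patch) that models the two bounds checks on constructed inputs: the pre-patch form, where the 32-bit `OutputOffset + plen` sum can wrap to a small value and let an out-of-range region through, and the patched form, where the length is first capped at the received size and the comparison is done by subtraction. The field names, the `iov_len` stand-in and the sample values are assumptions chosen for the demonstration; they are not taken from a real server response.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Modelled on the SMB2_ioctl() response validation: iov_len is the number
 * of bytes actually received, out_off stands in for le32_to_cpu(rsp->OutputOffset)
 * and plen for *plen (the server-claimed output length). Names are hypothetical.
 */

/* Pre-patch logic: the addition happens in 32-bit unsigned arithmetic and
 * can wrap, so a huge out_off plus a modest plen compares as "small". */
int output_in_bounds_old(size_t iov_len, uint32_t out_off, unsigned int plen)
{
    if (plen == 0)
        return 1;               /* server returned no data */
    if (plen > 0xFF00)
        return 0;               /* obviously invalid length */
    if (iov_len < out_off + plen)   /* out_off + plen wraps modulo 2^32 */
        return 0;
    return 1;
}

/* Patched logic: plen is first bounded by iov_len, which makes the
 * subtraction safe, and the offset is compared without any addition. */
int output_in_bounds_new(size_t iov_len, uint32_t out_off, unsigned int plen)
{
    if (plen == 0)
        return 1;
    if (plen > iov_len || plen > 0xFF00)
        return 0;
    if (iov_len - plen < out_off)   /* cannot underflow: plen <= iov_len */
        return 0;
    return 1;
}

/* Only hand out a pointer into the receive buffer after the safe check,
 * so a caller cannot be given a region that extends past the buffer. */
const unsigned char *ioctl_output(const unsigned char *buf, size_t iov_len,
                                  uint32_t out_off, unsigned int plen)
{
    if (!output_in_bounds_new(iov_len, out_off, plen) || plen == 0)
        return NULL;
    return buf + out_off;
}

int main(void)
{
    /* Constructed 4 KiB receive buffer; contents are irrelevant here. */
    static const unsigned char rx[0x1000] = {0};
    const size_t got = sizeof rx;

    struct { uint32_t off; unsigned int len; const char *what; } cases[] = {
        { 0x70,        0x200,  "normal response"                 },
        { 0x70,        0x1000, "length runs past the buffer"     },
        { 0xFFFFFF00u, 0x200,  "offset chosen so the sum wraps"  },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int old = output_in_bounds_old(got, cases[i].off, cases[i].len);
        int new = output_in_bounds_new(got, cases[i].off, cases[i].len);
        printf("%-34s old=%s new=%s\n", cases[i].what,
               old ? "accept" : "reject", new ? "accept" : "reject");
    }
    return ioctl_output(rx, got, 0xFFFFFF00u, 0x200) == NULL ? 0 : 1;
}
```

The third case is the one the patch is about: the old check accepts it because `0xFFFFFF00 + 0x200` wraps to `0x100`, which is less than the 4 KiB received, while the new check rejects it because `0x1000 - 0x200` is far smaller than the claimed offset.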