Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2821841yba; Mon, 6 May 2019 12:05:06 -0700 (PDT) X-Google-Smtp-Source: APXvYqxhlj/ty8rtPNbc7U3UiXyXcXv2ypvikO5hfXjcQX/WVVAVyklGLr2GhmGKNyU41nD1TPxR X-Received: by 2002:a63:fd16:: with SMTP id d22mr34735812pgh.426.1557169506055; Mon, 06 May 2019 12:05:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557169506; cv=none; d=google.com; s=arc-20160816; b=xUm/R+RZynnC8a1zQGH+O15s2sC2STY0f0wMQH3JgqKs/OnEny/Xo50+BKtMk6auBh ojEm2FXEUQ9kS7WwhPtOA9yFWmZNDjKMKQNLHSFLYt4+eLeopYjcr2RZAh8vnpof+5mT CcMlBXk6Kzwn/kS0ffVGNj0um7R2M4FmDfeTAaaLiz13M2s4E5CVHSKVlBhcVX5ur438 X3rttPKr1+f8zxtWr0w2awjdx2oeairX5u+jzqOHE9LN3JV54pNp9fp6pr1zyTPWLRtA xvlnZ888yxDJwqD2v9/tYHtj9DudiW2PnkfdWWe1HGWiXtN/krFsprbQlDQTUIk7REIO a9Xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=KEDXiJHWKjviYqvoTWdg/VpobGoPEHk3jlyAFxU4pGQ=; b=MzQi+Lua+xigRmi5YtF8KmrmpIUABigqU48X8AubjbcURqdkGJahQGCon4d06Q+mcP dM/qcLANBFcP4YkB89cWyfY7LMa3yURXxE/ez7dP0zyOO3aNYs/7Eb/HsK3jm1Zz66yA WqnvA/9pp9uwkC58KmLvbQR9Y00cHW02WrOLy+nbY7HPUVeh3+bCeMcHFuM4vU0uepPY 373KDT8fZhRoLbrpOly5pplDFKpRLUdiW/qcbQqvEIFMssC6zjo+PnQuUJPqiYZqk+tS GWGObZUSxN62FaoApu698PPNKcswJNDzplQR/Ak2GGgT2YjZK8b0OeikYzzKH/4t0QS3 JSnA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pLTdkPoK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w8si15376044plz.301.2019.05.06.12.04.50; Mon, 06 May 2019 12:05:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pLTdkPoK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726554AbfEFTD7 (ORCPT + 99 others); Mon, 6 May 2019 15:03:59 -0400 Received: from mail-lj1-f195.google.com ([209.85.208.195]:33366 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726277AbfEFTD6 (ORCPT ); Mon, 6 May 2019 15:03:58 -0400 Received: by mail-lj1-f195.google.com with SMTP id f23so12083291ljc.0; Mon, 06 May 2019 12:03:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KEDXiJHWKjviYqvoTWdg/VpobGoPEHk3jlyAFxU4pGQ=; b=pLTdkPoKFEcO9WR2wUZw9/qM5VyxwTnkPmLQfy/kmsOtWZhFhZMuF5e3k1w29bKKbY myFxg7Rfa5KQFfeqDqjzNI6fKgteSNL6lyWmGEvdzrkcKGHxoH2gBD9wWqjP10a9A/oD Np+6/YXrpJwN4B9IT0lyF4cTxARTM6qsGHEb8UYtPwDMUbbqvxQML0Aeh4ANyYXD5cvL EcGO+Fy/sbFUfrDsuZVhKXoM5OEH4XLyERFNyc+YwSdbD3MNltAKT93Uys0WTgcczjzz m7FkQGDFmbxeWxv6eN+guqn/i4roWZ1zQXeF1rVa/FV0s9NzmYCdoGbvukJLVttEYYr5 KRMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KEDXiJHWKjviYqvoTWdg/VpobGoPEHk3jlyAFxU4pGQ=; b=gj7xV6s8DzILDIVTFkv9y6usP6E4sQhPgdOUz8bEnMAb0du2ONpts/9fsrMRmYevEV WnnY/28dLT4UL5XM7OrC2YBRGLg98aT6IJ93eYAe8n02XbtSaehU46bNdprD7G0LuftN ETYbk7o4F1V6c/hGKbyjfGJzdwHc9BeioxY76imv7zQ7Ht5fPwGSHfLxerPucVUOa5cC cmDEUMoeS3THPjhPjoaJAfJmr+KveIu0LGF8AbaG7EnoM1CyYfDVmTsxYIZYlPzXBbLS dO+vlv2eFKIbzhuoHnCxM1qinBKrrh6KNCUlDxFQRLFQsh8x7rIvdr61ecFbagNUFMmi mH/A== X-Gm-Message-State: APjAAAUc5yGE7u9czlTPjD7rdVkf8BGenqlpyGPVgXv9s9L90qatg3W5 0ij7wl8WC9/j0TXMwc0qkDjO/TeuZ0aEP+B5Gg== X-Received: by 2002:a2e:9196:: with SMTP id f22mr12526196ljg.82.1557169436484; Mon, 06 May 2019 12:03:56 -0700 (PDT) MIME-Version: 1.0 References: <1557155792-2703-1-git-send-email-kernel@probst.it> <20190506165658.GA168433@jra4> In-Reply-To: From: Pavel Shilovsky Date: Mon, 6 May 2019 12:03:45 -0700 Message-ID: Subject: Re: [PATCH] cifs: fix strcat buffer overflow in smb21_set_oplock_level() To: Steve French Cc: Jeremy Allison , Steve French , CIFS , samba-technical , LKML , Christoph Probst Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The patch itself is fine but I think we have a bigger problem here: 3052 >-------cinode->oplock =3D 0; here we reset oplock level of the inode, so forcing all the IO go to the se= rver. 3053 >-------if (oplock & SMB2_LEASE_READ_CACHING_HE) { 3054 >------->-------cinode->oplock |=3D CIFS_CACHE_READ_FLG; 3055 >------->-------strcat(message, "R"); 3056 >-------} 3057 >-------if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { 3058 >------->-------cinode->oplock |=3D CIFS_CACHE_HANDLE_FLG; 3059 >------->-------strcat(message, "H"); 3060 >-------} 3061 >-------if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { 3062 >------->-------cinode->oplock |=3D CIFS_CACHE_WRITE_FLG; this and 3 above cases are all racy with other threads opening the same file and the oplock break thread. 3063 >------->-------strcat(message, "W"); 3064 >-------} 3065 >-------if (!cinode->oplock) 3066 >------->-------strcat(message, "None"); 3067 >-------cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, 3068 >------->------- &cinode->vfs_inode); Besides the fix in the patch I would temporarily suggest to not touch cinode->oplock more than once in this function - have a local variable cifs_oplock which accumulates flags and set cinode->oplock at the very end. It reduce raciness a little bit but this code requires much more thinking about proper locking I guess. Best regards, Pavel Shilovskiy =D0=BF=D0=BD, 6 =D0=BC=D0=B0=D1=8F 2019 =D0=B3. =D0=B2 10:02, Steve French = via samba-technical : > > We could always switch it to strncpy :) > > In any case - he is correct, it is better than what was there because > we should not strcat unless the array were locked across the whole > function > > On Mon, May 6, 2019 at 11:57 AM Jeremy Allison wrote: > > > > On Mon, May 06, 2019 at 11:53:44AM -0500, Steve French via samba-techni= cal wrote: > > > I think strcpy is clearer - but I don't think it can overflow since i= f > > > R, W or W were written to "message" then cinode->oplock would be > > > non-zero so we would never strcap "None" > > > > Ahem. In Samba we have : > > > > lib/util/safe_string.h:#define strcpy(dest,src) __ERROR__XX__NEVER_USE_= STRCPY___; > > > > Maybe you should do likewise :-). > > > > > On Mon, May 6, 2019 at 10:26 AM Christoph Probst w= rote: > > > > > > > > Change strcat to strcpy in the "None" case as it is never valid to = append > > > > "None" to any other message. It may also overflow char message[5], = in a > > > > race condition on cinode if cinode->oplock is unset by another thre= ad > > > > after "RHW" or "RH" had been written to message. > > > > > > > > Signed-off-by: Christoph Probst > > > > --- > > > > fs/cifs/smb2ops.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > > > > index c36ff0d..5fd5567 100644 > > > > --- a/fs/cifs/smb2ops.c > > > > +++ b/fs/cifs/smb2ops.c > > > > @@ -2936,7 +2936,7 @@ smb21_set_oplock_level(struct cifsInodeInfo *= cinode, __u32 oplock, > > > > strcat(message, "W"); > > > > } > > > > if (!cinode->oplock) > > > > - strcat(message, "None"); > > > > + strcpy(message, "None"); > > > > cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, > > > > &cinode->vfs_inode); > > > > } > > > > -- > > > > 2.1.4 > > > > > > > > > > > > > -- > > > Thanks, > > > > > > Steve > > > > > > > -- > Thanks, > > Steve >