Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2947694yba;
        Mon, 6 May 2019 14:21:41 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw3sKTmmnxo8To9xJNh8iC8hr3AnFBu9xZSdiRBHUoJF6yTtWLORJLmDMv0IGciHe6/RWZt
X-Received: by 2002:a65:4907:: with SMTP id p7mr35259980pgs.288.1557177700967;
        Mon, 06 May 2019 14:21:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557177700; cv=none;
        d=google.com; s=arc-20160816;
        b=DT2uTUF5Rx2pcy+Gq9Hbb4TEAffCp+nm12KJWjNj+HNiKJa0p1mJBoSMgP/ZJh34iv
         oD+QkQY5NwNHgGNrdXQdm/od96OupIa8f7qsnFRf0mODnk0KMvsfxu76M2LXm3JGoBVx
         HTADIqqqRpcq2Z7FBYyJiTPDOl+X+FZZr4r+reFLFVRm3HKBx/7vu/ttanvt3jlZIkzl
         RlJ0933rbWsS8Eev3ekbYOhSKUA6/Dkc3XoKEw8LTxDn9sNx0aQtktNYKYto9V8YpYQC
         yfauKsEC9jN4XH0ugdMYMANZeiYjC/1/3uk1Wt8nFWGUZqNaxoK870nK97p4nwQhpcAc
         JKzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=Gj6cHoDgKm5gQ6ssloMkjav9C/MTiSHC3wRe+G+54AA=;
        b=Kz61GqY3N5Com+I+W8T0mkd3xtVntbbs/TTVl+gzq32CK8uu8h5a+pYMZ6aeJ1kBmH
         nCce1PfOGqD4BmzD8giHA2BwEErv63+yVo+EkKePbKy8KbObjo02GQ8+5M8+SpEastA/
         K9ik8HhCHHYf7Ue/IosGHlZV/yJ2ct/UyzAV4M5y9B26ORj/fPKqTcBx49Y3ipud4b0A
         B/ZyE9f2oPDLL59PlDlcAEIgXBHNHD/eR1Vjjsfpsuzw4fdih8lKh7kgDeGk0rCoW+iw
         dcR8pvnAMOUbif/ZwvoQHFsLfoTy/SnG8Z0z9ZUklLKUQ2cug3ZAfcG23I5OWwCegZtt
         vscw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=tSJat57g;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v16si15626677pgk.131.2019.05.06.14.21.25;
        Mon, 06 May 2019 14:21:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=tSJat57g;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726556AbfEFVTF (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Mon, 6 May 2019 17:19:05 -0400
Received: from mail-pg1-f194.google.com ([209.85.215.194]:43627 "EHLO
        mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725994AbfEFVTE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 May 2019 17:19:04 -0400
Received: by mail-pg1-f194.google.com with SMTP id t22so7075978pgi.10;
        Mon, 06 May 2019 14:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=Gj6cHoDgKm5gQ6ssloMkjav9C/MTiSHC3wRe+G+54AA=;
        b=tSJat57gHqfSHNIPcpxBlNuqd/Bm1UU35SWFywKBAdQN9SRLygwljIbSR5BkAHIhTa
         nSNouHxxRCJXJojh7j0hqydG3qrikOb8u3MmP0SKPMgYHfP4yttdyUejM6f/jQY9vLAS
         xyQiPmio2oOram5ulplBqpTCmnjqNEj8pk7pPGE3zb9yobi9Amy75Vgi/cOdG4KhrueM
         3LSHKh2gF4d6UdQwUC5c3Ot2aZbSwdwiXh+nzwce5qWCtyI8DYUp5MHeQL4PmxGE953x
         FeY2dysCxK0MsjL7uBJEeE6eG5lAAyIE1rHz3dGTOgsOLvmIX5X/u8UQRS7FEAp5ZnNy
         LS9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=Gj6cHoDgKm5gQ6ssloMkjav9C/MTiSHC3wRe+G+54AA=;
        b=Tqz5I63xXB/h3/O5SNHMoPXL7YXK0rIYF8Bjv5VV05Q8BR27wyAIGZz+C+6+0keBYP
         HqJltJFpo7Z8QaRbzpGbShXl03zjQPkt18GeRGvPuFjYvGSCS7F/NN13JtjLwIs4dtsz
         VGUEfbl9vF0g7MkbcAof9qx6eqUJsB8xPyHUKX5s4HWx27pCKz7SdGZqYQ4sbTNU7wp8
         ojxv6rY/o4NNhYRvZ9oPzreJsfLqgLRk7CX3Ckp5z09zyB+irsFAkvfHyPFj2+4FC94O
         UzbGQ2kvP7wzoBKo6UqwYeTTyU1iNhvnuy6j/pqKAISCTW/Ze8QEZwG9yp7sqwuninLA
         x/rA==
X-Gm-Message-State: APjAAAWYpEpPyJCe8/EMcbIOfpPZBOOr7lAkHV4pP2W26uqPrKR74MCQ
        uNb1uBhcRKs95KKYj8CODe8dVDigkdPCO5ENiMw=
X-Received: by 2002:a63:f843:: with SMTP id v3mr34943251pgj.69.1557177543611;
 Mon, 06 May 2019 14:19:03 -0700 (PDT)
MIME-Version: 1.0
References: <1557155792-2703-1-git-send-email-kernel@probst.it>
 <CAH2r5mtdpOvcE25P2UuNFpOwsNyFiBWRQELQFui+FJGVOOBV8w@mail.gmail.com>
 <20190506165658.GA168433@jra4> <CAH2r5msK6yNNm_QbdsFZuB5uS0iNRuqe8gSDKvVAiR0N6E3MWg@mail.gmail.com>
 <CAKywueR6DcfkzGcZUgydV4n6F4MKDEOvtCaM-gQSonX02tA9tg@mail.gmail.com>
In-Reply-To: <CAKywueR6DcfkzGcZUgydV4n6F4MKDEOvtCaM-gQSonX02tA9tg@mail.gmail.com>
From:   Steve French <smfrench@gmail.com>
Date:   Mon, 6 May 2019 16:18:52 -0500
Message-ID: <CAH2r5ms+RAoe_1c=dUYL=yCs3KWAvqoB00-T4SEpyTjRKiwA6A@mail.gmail.com>
Subject: Re: [PATCH] cifs: fix strcat buffer overflow in smb21_set_oplock_level()
To:     Pavel Shilovsky <pavel.shilovsky@gmail.com>
Cc:     Jeremy Allison <jra@samba.org>, Steve French <sfrench@samba.org>,
        CIFS <linux-cifs@vger.kernel.org>,
        samba-technical <samba-technical@lists.samba.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Christoph Probst <kernel@probst.it>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 6, 2019 at 2:03 PM Pavel Shilovsky
<pavel.shilovsky@gmail.com> wrote:
>
> The patch itself is fine but I think we have a bigger problem here:

Good point.  Perhaps make update to the same patch to include both changes

> 3052 >-------cinode->oplock =3D 0;
>
> here we reset oplock level of the inode, so forcing all the IO go to the =
server.
>
> 3053 >-------if (oplock & SMB2_LEASE_READ_CACHING_HE) {
> 3054 >------->-------cinode->oplock |=3D CIFS_CACHE_READ_FLG;
> 3055 >------->-------strcat(message, "R");
> 3056 >-------}
> 3057 >-------if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) {
> 3058 >------->-------cinode->oplock |=3D CIFS_CACHE_HANDLE_FLG;
> 3059 >------->-------strcat(message, "H");
> 3060 >-------}
> 3061 >-------if (oplock & SMB2_LEASE_WRITE_CACHING_HE) {
> 3062 >------->-------cinode->oplock |=3D CIFS_CACHE_WRITE_FLG;
>
> this and 3 above cases are all racy with other threads opening the
> same file and the oplock break thread.
>
> 3063 >------->-------strcat(message, "W");
> 3064 >-------}
> 3065 >-------if (!cinode->oplock)
> 3066 >------->-------strcat(message, "None");
> 3067 >-------cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
> 3068 >------->------- &cinode->vfs_inode);
>
> Besides the fix in the patch I would temporarily suggest to not touch
> cinode->oplock more than once in this function - have a local variable
> cifs_oplock which accumulates flags and set cinode->oplock at the very
> end. It reduce raciness a little bit but this code requires much more
> thinking about proper locking I guess.
>
> Best regards,
> Pavel Shilovskiy
>
> =D0=BF=D0=BD, 6 =D0=BC=D0=B0=D1=8F 2019 =D0=B3. =D0=B2 10:02, Steve Frenc=
h via samba-technical
> <samba-technical@lists.samba.org>:
> >
> > We could always switch it to strncpy :)
> >
> > In any case - he is correct, it is better than what was there because
> > we should not strcat unless the array were locked across the whole
> > function
> >
> > On Mon, May 6, 2019 at 11:57 AM Jeremy Allison <jra@samba.org> wrote:
> > >
> > > On Mon, May 06, 2019 at 11:53:44AM -0500, Steve French via samba-tech=
nical wrote:
> > > > I think strcpy is clearer - but I don't think it can overflow since=
 if
> > > > R, W or W were written to "message" then cinode->oplock would be
> > > > non-zero so we would never strcap "None"
> > >
> > > Ahem. In Samba we have :
> > >
> > > lib/util/safe_string.h:#define strcpy(dest,src) __ERROR__XX__NEVER_US=
E_STRCPY___;
> > >
> > > Maybe you should do likewise :-).
> > >
> > > > On Mon, May 6, 2019 at 10:26 AM Christoph Probst <kernel@probst.it>=
 wrote:
> > > > >
> > > > > Change strcat to strcpy in the "None" case as it is never valid t=
o append
> > > > > "None" to any other message. It may also overflow char message[5]=
, in a
> > > > > race condition on cinode if cinode->oplock is unset by another th=
read
> > > > > after "RHW" or "RH" had been written to message.
> > > > >
> > > > > Signed-off-by: Christoph Probst <kernel@probst.it>
> > > > > ---
> > > > >  fs/cifs/smb2ops.c | 2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> > > > > index c36ff0d..5fd5567 100644
> > > > > --- a/fs/cifs/smb2ops.c
> > > > > +++ b/fs/cifs/smb2ops.c
> > > > > @@ -2936,7 +2936,7 @@ smb21_set_oplock_level(struct cifsInodeInfo=
 *cinode, __u32 oplock,
> > > > >                 strcat(message, "W");
> > > > >         }
> > > > >         if (!cinode->oplock)
> > > > > -               strcat(message, "None");
> > > > > +               strcpy(message, "None");
> > > > >         cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
> > > > >                  &cinode->vfs_inode);
> > > > >  }
> > > > > --
> > > > > 2.1.4
> > > > >
> > > >
> > > >
> > > > --
> > > > Thanks,
> > > >
> > > > Steve
> > > >
> >
> >
> >
> > --
> > Thanks,
> >
> > Steve
> >



--=20
Thanks,

Steve