Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4065329yba; Tue, 7 May 2019 11:30:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqwqoL47S3GVxPsxuk24vEVuxtWIrRa/AxDJp10gYpOnUARCPqQk390KkhgqeZcLN8MhufMm X-Received: by 2002:a63:f146:: with SMTP id o6mr6970803pgk.179.1557253839580; Tue, 07 May 2019 11:30:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557253839; cv=none; d=google.com; s=arc-20160816; b=NilT+72hBS5IT8wCVzaR8QOqlFmoq2EprxT5hI8+242etHPBYXeHaUZCy3E+he8MJN J+IhzsJYR9Bs7oB4GzP/jqapd+fPxqxytz7Y+S2bCWrQzShUP19kuV9eSJ/rtQe6N+GL 3xzC6cW7zrB7akXx96j6SSqQUaz+2Hga0P7Gf1C0SGgf42MZVblwdPyUIi15+m3wVP3K 0C9ri/yOjxdq61R681OsWuwDh38bDZIWyCkw19ZRL6rL363wUVHvGpG0i1I8thmjpLk+ 3om6gd6nLTs3y5CG39D24/W3Ll5zpVrkHX7c3PX2n4TffH4ljuWxZKPuzeEvp8ONTQoh jaMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=uAxHVQCsBo1b5PlzfwAXI4RufhZYGzT/dUPxeSN4rRc=; b=O9ZU69seMEFui6wXigc2tHuzItbaChRu1lGTAB8UlpdzHese1hkm6gjMdiSIvCC+TF 9g/VDdNdxtfMqlwuCZviJ//HNwAxL3Kkrk3TJ65ACygQJzIZjAg3FVyaTIlqiRpgWxrE /GhC2uBHgWaAap5Eje/Spz6MdUeGtQACYwBOdKpfanopsum41SM97yPc7XyyeJ4FQCgI /xEWLT7IH5OIyqtRHZt2mrL7apojvHwpnYQJFt7AkRDaRDWwDT1jQuCSSRTvMgWAPwim V1IExYYXI78Mnvsd3+IOvEQnrdum8/zcPW6IZC/xp8UrGC5xEjsjBndNqUtyMtw9I3ZQ H6rg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=hjEGDLuO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 136si18516483pgb.552.2019.05.07.11.30.22; Tue, 07 May 2019 11:30:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=hjEGDLuO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727013AbfEGS2w (ORCPT + 99 others); Tue, 7 May 2019 14:28:52 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:41978 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726473AbfEGS2w (ORCPT ); Tue, 7 May 2019 14:28:52 -0400 Received: by mail-lf1-f67.google.com with SMTP id d8so12562439lfb.8; Tue, 07 May 2019 11:28:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=uAxHVQCsBo1b5PlzfwAXI4RufhZYGzT/dUPxeSN4rRc=; b=hjEGDLuO2QkLFE8Scimbk32wX+OqUolVirFNhseP74IGhXIAWEtuYU5TRLGFPXeMoy V99BKgFguxrWHHkqwFK3m4I9tpkLvyr49I0nLrWvzgCN9IEmfvRRD313pFeeajY+dG88 VDec2lVe5xV+COKmhh8tuB/yR9jlX6Y1xSW/DscySsqLUNspbvMG6IpTkgE2vyUqIWLh WhLUCP/qh3zrcwy1PGZReAeZu/bEG3YP8jmDJHw7z8Pa/ZQt/HwaizKaB1PfyAR7Xy6X m8qV5vv4DgonM+sp1SuNzIPUGQehozrnPS1S48fcfic4emtxfvT1oycRfAJZTbbAuj2C MKog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=uAxHVQCsBo1b5PlzfwAXI4RufhZYGzT/dUPxeSN4rRc=; b=lWaE6hh0juyFLPMgnbl42J41HZC1Jic9OMxaa6PWcgIhgqnaYFhrBYv69z0t0IcZ9i C785ILoeYmlhjjjiLf7SgvR+HBLLQ2QhRFpW1yK71X4rkdN5JFIebiuaTSf0bjvPBV6M rF10eTHLOtUezfmFx/ibePbNtTed91Of/wFmam0mrqXCeDVhU6Xx13S3tBqHsw/9YU8d nX853wDPlFPIb53bS7R0UX5nqcL7tBbrkFC+n45zeMWuqIlC2JkW/C2AKJFGlb2vlFhc wQw7kTDkyLXWJoe8EUeUkowl3w36BgYDSj2Iz6ShOFlOO7AdeoetKEYw94HpA+Vqud5v qf1Q== X-Gm-Message-State: APjAAAX406jKXJ8aixBqhLb1e2oEZjv+513Lpd8KVPPf/wOinXlBvngO Kz3Qpg6iKD4ZZAEmN7FVTudKC9CxKgUsbblq3YHD9Bw= X-Received: by 2002:a19:655a:: with SMTP id c26mr13965657lfj.97.1557253730334; Tue, 07 May 2019 11:28:50 -0700 (PDT) MIME-Version: 1.0 References: <1557242200-26194-1-git-send-email-kernel@probst.it> In-Reply-To: From: Pavel Shilovsky Date: Tue, 7 May 2019 11:28:39 -0700 Message-ID: Subject: Re: [PATCH v2] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() To: Steve French Cc: Christoph Probst , Steve French , CIFS , samba-technical , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org =D0=B2=D1=82, 7 =D0=BC=D0=B0=D1=8F 2019 =D0=B3. =D0=B2 09:13, Steve French = via samba-technical : > > merged into cifs-2.6.git for-next > > On Tue, May 7, 2019 at 10:17 AM Christoph Probst via samba-technical > wrote: > > > > Change strcat to strncpy in the "None" case to fix a buffer overflow > > when cinode->oplock is reset to 0 by another thread accessing the same > > cinode. It is never valid to append "None" to any other message. > > > > Consolidate multiple writes to cinode->oplock to reduce raciness. > > > > Signed-off-by: Christoph Probst > > --- > > fs/cifs/smb2ops.c | 14 ++++++++------ > > 1 file changed, 8 insertions(+), 6 deletions(-) > > > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > > index c36ff0d..aa61dcf 100644 > > --- a/fs/cifs/smb2ops.c > > +++ b/fs/cifs/smb2ops.c > > @@ -2917,26 +2917,28 @@ smb21_set_oplock_level(struct cifsInodeInfo *ci= node, __u32 oplock, > > unsigned int epoch, bool *purge_cache) > > { > > char message[5] =3D {0}; > > + unsigned int new_oplock =3D 0; > > > > oplock &=3D 0xFF; > > if (oplock =3D=3D SMB2_OPLOCK_LEVEL_NOCHANGE) > > return; > > > > - cinode->oplock =3D 0; > > if (oplock & SMB2_LEASE_READ_CACHING_HE) { > > - cinode->oplock |=3D CIFS_CACHE_READ_FLG; > > + new_oplock |=3D CIFS_CACHE_READ_FLG; > > strcat(message, "R"); > > } > > if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { > > - cinode->oplock |=3D CIFS_CACHE_HANDLE_FLG; > > + new_oplock |=3D CIFS_CACHE_HANDLE_FLG; > > strcat(message, "H"); > > } > > if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { > > - cinode->oplock |=3D CIFS_CACHE_WRITE_FLG; > > + new_oplock |=3D CIFS_CACHE_WRITE_FLG; > > strcat(message, "W"); > > } > > - if (!cinode->oplock) > > - strcat(message, "None"); > > + if (!new_oplock) > > + strncpy(message, "None", sizeof(message)); > > + > > + cinode->oplock =3D new_oplock; > > cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, > > &cinode->vfs_inode); > > } > > -- > > 2.1.4 > > > > > Thanks for cleaning it up! Reviewed-by: Pavel Shilovsky -- Best regards, Pavel Shilovsky