From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ronnie Sahlberg, Steve French
Subject: [PATCH 5.2 276/413] cifs: fix crash in smb2_compound_op()/smb2_set_next_command()
Date: Wed, 24 Jul 2019 21:19:27 +0200
Message-Id: <20190724191756.022155125@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190724191735.096702571@linuxfoundation.org>
References: <20190724191735.096702571@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ronnie Sahlberg

commit 88a92c913cef09e70b1744a8877d177aa6cb2189 upstream.

RHBZ: 1722704

In low memory situations the various SMB2_*_init() functions can fail to
allocate a request PDU and thus leave the request iovector as NULL.
If we don't check the return code for failure we end up calling
smb2_set_next_command() with a NULL iovector causing a crash when it tries
to dereference it.

CC: Stable
Signed-off-by: Ronnie Sahlberg
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
---
 fs/cifs/smb2inode.c | 12 ++++++++++++
 fs/cifs/smb2ops.c   | 11 ++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -120,6 +120,8 @@ smb2_compound_op(const unsigned int xid, SMB2_O_INFO_FILE, 0, sizeof(struct smb2_file_all_info) + PATH_MAX * 2, 0, NULL); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_query_info_compound_enter(xid, ses->Suid, tcon->tid, 
@@ -147,6 +149,8 @@ smb2_compound_op(const unsigned int xid, COMPOUND_FID, current->tgid, FILE_DISPOSITION_INFORMATION, SMB2_O_INFO_FILE, 0, data, size); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_rmdir_enter(xid, ses->Suid, tcon->tid, full_path); @@ -163,6 +167,8 @@ smb2_compound_op(const unsigned int xid, COMPOUND_FID, current->tgid, FILE_END_OF_FILE_INFORMATION, SMB2_O_INFO_FILE, 0, data, size); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_set_eof_enter(xid, ses->Suid, tcon->tid, full_path); @@ -180,6 +186,8 @@ smb2_compound_op(const unsigned int xid, COMPOUND_FID, current->tgid, FILE_BASIC_INFORMATION, SMB2_O_INFO_FILE, 0, data, size); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_set_info_compound_enter(xid, ses->Suid, tcon->tid, @@ -206,6 +214,8 @@ smb2_compound_op(const unsigned int xid, COMPOUND_FID, current->tgid, FILE_RENAME_INFORMATION, SMB2_O_INFO_FILE, 0, data, size); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_rename_enter(xid, ses->Suid, tcon->tid, full_path); @@ -231,6 +241,8 @@ smb2_compound_op(const unsigned int xid, COMPOUND_FID, current->tgid, FILE_LINK_INFORMATION, SMB2_O_INFO_FILE, 0, data, size); + if (rc) + goto finished; smb2_set_next_command(tcon, &rqst[num_rqst]); smb2_set_related(&rqst[num_rqst++]); trace_smb3_hardlink_enter(xid, ses->Suid, tcon->tid, full_path); --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2027,6 +2027,10 @@ smb2_set_related(struct smb_rqst *rqst) struct smb2_sync_hdr *shdr; shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base); + if (shdr == NULL) { + cifs_dbg(FYI, "shdr NULL in smb2_set_related\n"); + return; + } shdr->Flags |= SMB2_FLAGS_RELATED_OPERATIONS; } 
@@ -2041,6 +2045,12 @@ smb2_set_next_command(struct cifs_tcon * unsigned long len = smb_rqst_len(server, rqst); int i, num_padding; + shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base); + if (shdr == NULL) { + cifs_dbg(FYI, "shdr NULL in smb2_set_next_command\n"); + return; + } + /* SMB headers in a compound are 8 byte aligned. */ /* No padding needed */ @@ -2080,7 +2090,6 @@ smb2_set_next_command(struct cifs_tcon * } finished: - shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base); shdr->NextCommand = cpu_to_le32(len); }
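Review bot: in the six smb2inode.c hunks (`@@ -120`, `-147`, `-163`, `-180`, `-206`, `-231`) the new `if (rc) goto finished;` bails out before `num_rqst` is incremented and before the matching `trace_smb3_*_enter()` tracepoint fires, so a low-memory failure leaves no enter event for that sub-request; a `cifs_dbg(VFS, ...)` or the `_err` tracepoint on that path would make the failure visible when debugging. The diffstat shows exactly 12 insertions in this file, i.e. only these six `SMB2_*_init()` call sites were changed; any other `SMB2_*_init()` call in smb2_compound_op() that also feeds `smb2_set_next_command()` should get the same check rather than relying on the smb2ops.c NULL guard alone.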
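Review bot: the NULL guard added to smb2_set_related() (`@@ -2027`) returns silently with only `cifs_dbg(FYI, ...)`, so a caller that reaches it with an unallocated request sends the compound without `SMB2_FLAGS_RELATED_OPERATIONS` and the problem only surfaces as a server-side error. Since the smb2inode.c hunks are meant to make this unreachable, consider `WARN_ON_ONCE(!shdr)` so a future caller that forgets the rc check shows up in dmesg instead of behind FYI-level debug logging.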
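Review bot: in `@@ -2041` the new `shdr == NULL` check sits after `unsigned long len = smb_rqst_len(server, rqst);` in the declarations, so smb_rqst_len() already walks the request before the guard runs; please confirm it only sums `iov_len` values and never touches `rq_iov[0].iov_base`, otherwise the guard needs to move above that initializer (declare `len`, assign it after the check). The same silent-return concern as in smb2_set_related() applies here: returning without setting `NextCommand` leaves the compound chain malformed, so a `WARN_ON_ONCE` would be more useful than FYI logging.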
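Review bot: dropping the `shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);` assignment under `finished:` (`@@ -2080`) is only equivalent if nothing between the new early assignment and the label replaces `rqst->rq_iov[0]`; the `num_padding` / "SMB headers in a compound are 8 byte aligned" context shows padding iovecs are appended in between, so please double-check that code only adds entries at the tail and never reallocates or reorders `rq_iov[0]`, otherwise `shdr->NextCommand = cpu_to_le32(len);` would write through a stale pointer.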