From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Gustavo A. R. Silva", Steve French
Subject: [PATCH 5.4 40/65] smb3: Fix out-of-bounds bug in SMB2_negotiate()
Date: Mon, 8 Feb 2021 16:01:12 +0100
Message-Id: <20210208145811.775530270@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210208145810.230485165@linuxfoundation.org>
References: <20210208145810.230485165@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Gustavo A. R. Silva

commit 8d8d1dbefc423d42d626cf5b81aac214870ebaab upstream.

While addressing some warnings generated by -Warray-bounds, I found this
bug that was introduced back in 2017:

  CC [M]  fs/cifs/smb2pdu.o
fs/cifs/smb2pdu.c: In function ‘SMB2_negotiate’:
fs/cifs/smb2pdu.c:822:16: warning: array subscript 1 is above array bounds of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  822 |   req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:823:16: warning: array subscript 2 is above array bounds of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  823 |   req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:824:16: warning: array subscript 3 is above array bounds of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  824 |   req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:816:16: warning: array subscript 1 is above array bounds of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  816 |   req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~

At the time, the size of array _Dialects_ was changed from 1 to 3 in
struct validate_negotiate_info_req, and then in 2019 it was changed from
3 to 4, but those changes were never made in struct smb2_negotiate_req,
which has led to a 3 and a half years old out-of-bounds bug in function
SMB2_negotiate() (fs/cifs/smb2pdu.c).

Fix this by increasing the size of array _Dialects_ in struct
smb2_negotiate_req to 4.

Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
---
 fs/cifs/smb2pdu.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -227,7 +227,7 @@ struct smb2_negotiate_req { __le32 NegotiateContextOffset; /* SMB3.1.1 only. MBZ earlier */ __le16 NegotiateContextCount; /* SMB3.1.1 only. MBZ earlier */ __le16 Reserved2; - __le16 Dialects[1]; /* One dialect (vers=) at a time for now */ + __le16 Dialects[4]; /* BB expand this if autonegotiate > 4 dialects */ } __packed; /* Dialects */
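Review bot: the replacement line still hard-codes the limit (`Dialects[4]` with a "BB expand this if autonegotiate > 4 dialects" comment), which is the same pattern that let this struct fall behind struct validate_negotiate_info_req through the 1 to 3 to 4 changes the commit message describes; suggest a shared named constant used by both arrays, plus a BUILD_BUG_ON tying it to the number of dialects SMB2_negotiate() writes, so the next dialect addition fails at compile time rather than surfacing as -Warray-bounds noise. Also, because the struct is __packed, this hunk grows sizeof(struct smb2_negotiate_req) by 6 bytes; worth confirming that any request length derived from sizeof() in SMB2_negotiate() still agrees with DialectCount on the wire.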
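As an added illustration of the defect class the commit message describes (this is not code from the patch or from fs/cifs), the C below puts a simplified packed request tail in its pre-patch `Dialects[1]` and patched `Dialects[4]` shapes side by side, together with a bounds-checked fill helper and a compile-time guard that refuses the mismatch instead of letting four 16-bit writes land in a one-element array. Field names mirror the hunk; the struct names, `SMB2_MAX_DIALECTS` and the helper functions are hypothetical, and the dialect revision numbers are the MS-SMB2 values, assumed here rather than quoted from the page.

```c
/*
 * Added illustration, not part of the kernel patch. A simplified packed
 * request tail with a trailing 16-bit dialect array, shown in its
 * pre-patch (Dialects[1]) and patched (Dialects[4]) shapes, plus the
 * checks that would have caught the mismatch at build time or at run time.
 * Dialect revision numbers are the MS-SMB2 values (assumed, not from the page).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB21_PROT_ID  0x0210
#define SMB30_PROT_ID  0x0300
#define SMB302_PROT_ID 0x0302
#define SMB311_PROT_ID 0x0311

/* Hypothetical named limit; the patch hard-codes 4 with a "BB expand" comment. */
#define SMB2_MAX_DIALECTS 4

/* Tail of the request as it was before the patch: room for one dialect. */
struct negotiate_req_before {
    uint16_t DialectCount;
    uint16_t Reserved2;
    uint16_t Dialects[1];
} __attribute__((packed));

/* Tail of the request as patched: room for SMB2_MAX_DIALECTS dialects. */
struct negotiate_req_after {
    uint16_t DialectCount;
    uint16_t Reserved2;
    uint16_t Dialects[SMB2_MAX_DIALECTS];
} __attribute__((packed));

/* The default multi-dialect list the -Warray-bounds warnings point at. */
static const uint16_t default_dialects[] = {
    SMB21_PROT_ID, SMB30_PROT_ID, SMB302_PROT_ID, SMB311_PROT_ID,
};
#define NUM_DEFAULT_DIALECTS (sizeof default_dialects / sizeof default_dialects[0])

/* Compile-time guard: the array must hold every dialect the code writes.
 * Pointed at the pre-patch struct this fails to compile instead of
 * silently writing 6 bytes past the end of a packed structure. */
_Static_assert(sizeof(((struct negotiate_req_after *)0)->Dialects) /
               sizeof(uint16_t) >= NUM_DEFAULT_DIALECTS,
               "Dialects[] too small for the default dialect list");

/* Copy n dialect ids into dst, refusing anything beyond capacity.
 * Returns the number written, or -1 when the list would not fit. */
int fill_dialects(uint16_t *dst, size_t capacity, const uint16_t *src, size_t n)
{
    if (n > capacity)
        return -1;
    memcpy(dst, src, n * sizeof *dst);
    return (int)n;
}

/* Try to place the default list into a Dialects[] of the given capacity
 * (1 models the pre-patch layout, 4 the patched one). */
int try_default_dialects(size_t capacity)
{
    uint16_t scratch[SMB2_MAX_DIALECTS] = {0};
    if (capacity > SMB2_MAX_DIALECTS)
        return -1;
    return fill_dialects(scratch, capacity, default_dialects, NUM_DEFAULT_DIALECTS);
}

/* Populate a patched request; returns the DialectCount that was set, or -1. */
int build_default_negotiate(struct negotiate_req_after *req)
{
    int n = fill_dialects(req->Dialects, SMB2_MAX_DIALECTS,
                          default_dialects, NUM_DEFAULT_DIALECTS);
    if (n < 0)
        return n;
    req->DialectCount = (uint16_t)n;
    req->Reserved2 = 0;
    return n;
}

/* Bytes the request tail occupies on the wire for a given dialect count;
 * sizeof() of the old struct under-counts this for anything above one. */
size_t negotiate_tail_len(size_t dialect_count)
{
    return offsetof(struct negotiate_req_after, Dialects) +
           dialect_count * sizeof(uint16_t);
}

int main(void)
{
    struct negotiate_req_after req;

    printf("pre-patch tail: %zu bytes, patched tail: %zu bytes\n",
           sizeof(struct negotiate_req_before), sizeof(struct negotiate_req_after));
    printf("default list into Dialects[1]: %d, into Dialects[4]: %d\n",
           try_default_dialects(1), try_default_dialects(4));
    printf("built request with %d dialects, wire tail %zu bytes\n",
           build_default_negotiate(&req), negotiate_tail_len(req.DialectCount));
    return 0;
}
```

Build with `gcc -std=c11 -Wall -Warray-bounds -O2`; the `_Static_assert` is the build-time counterpart of the patch, and `fill_dialects` is the run-time fallback for code paths whose dialect count is not a compile-time constant. Re-pointing the static assertion at `struct negotiate_req_before` reproduces the failure mode as a compile error rather than a warning that depends on optimisation level.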