Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp766034pxb; Wed, 24 Feb 2021 14:37:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJynPEGMCMxne/lCSnQAso0CzHb0x7cGEGT0gogAo2NKS1omQYrP71iEPEdxIMiW8n1b9rRL X-Received: by 2002:a17:906:4e57:: with SMTP id g23mr4588707ejw.47.1614206258385; Wed, 24 Feb 2021 14:37:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614206258; cv=none; d=google.com; s=arc-20160816; b=ymZ93tI7WJ3L8tOV2ynOoHhsAsl/xJuGU4SZQtQwej2cztjGhfyHyqtA1SbjtP5RxR K6mPvSlvXnCn5gdRvZ0g5zRUf5SALT1bzQl1RyMJs1xMCzfJG6O9kUmq2bmIKUtlGEiv kPGKTDcJCdx9zo9+aEFfwSHlOJXNdogulBWXzZOY0fpsdPDJKRNMmpWMLF8WgMD0NJJ8 MukP0VG2DtNQIfXtQp4k9jd0WNEmc2uG9E7VthiKXgQ8DBSi6kXxcCHmcf9VmEIItSTr LWGDmhSjyehxX1Mt2gFMJKw3VAqhhP+DjR4JUiuqyWa8YtwN0IG9dgS/QA/Io/kEt6mC 6aJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:cc:subject:from:to; bh=7k3dydVdhewntXcQD9Voazu+H8sFaUxF/Aow4G+Ng40=; b=nn5TicfyrFeu/Cl81otp47P7IpNo1vdx5i9unUVJoiat8wNGu3bwI1LT5DPMeipW/X Sgf2FRkN3U6QSiPUDKfuklhGVP6gC0i+6OD3ZMcedo8AeDFS4RWREsP7Ao9NYHzJapqs kMvfwIRU2ZgdmJCf/Vgjm+QyjCh1G8LR1XfvIICFgqoVsi12WYMDRQJPpl+T8DTIQFr9 q0AxjE2oj64VEk+kyycJxmXV4MB2f7Htbvu8ppBB4p1s82IPs+RB2dst1B5Ismhp8144 SzswaEpzPFmfJszeZ2IV2h0+WsDF41ZvfZILARdrRL2O2ZXfTgSf1BE7Y6n27WPy0WnT nLxg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g21si2117084ejr.703.2021.02.24.14.37.14; Wed, 24 Feb 2021 14:37:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233545AbhBXMol (ORCPT + 99 others); Wed, 24 Feb 2021 07:44:41 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:53777 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232209AbhBXMog (ORCPT ); Wed, 24 Feb 2021 07:44:36 -0500 Received: from 1.general.cking.uk.vpn ([10.172.193.212]) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lEtWD-000284-Ck; Wed, 24 Feb 2021 12:43:53 +0000 To: Shyam Prasad N From: Colin Ian King Subject: re: cifs: Retain old ACEs when converting between mode bits and ACL. Cc: Steve French , linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, "linux-kernel@vger.kernel.org" Message-ID: <1ca0f87e-83b3-b4dd-4448-b44f2a9d1698@canonical.com> Date: Wed, 24 Feb 2021 12:43:52 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Static analysis on linux-next with Coverity had detected a potential null pointer dereference with the following commit: commit f5065508897a922327f32223082325d10b069ebc Author: Shyam Prasad N Date: Fri Feb 12 04:38:43 2021 -0800 cifs: Retain old ACEs when converting between mode bits and ACL. The analysis is as follows: 1258 /* Convert permission bits from mode to equivalent CIFS ACL */ 1259 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, 1260 __u32 secdesclen, __u32 *pnsecdesclen, __u64 *pnmode, kuid_t uid, kgid_t gid, 1261 bool mode_from_sid, bool id_from_sid, int *aclflag) 1262 { 1263 int rc = 0; 1264 __u32 dacloffset; 1265 __u32 ndacloffset; 1266 __u32 sidsoffset; 1267 struct cifs_sid *owner_sid_ptr, *group_sid_ptr; 1268 struct cifs_sid *nowner_sid_ptr = NULL, *ngroup_sid_ptr = NULL; 1. assign_zero: Assigning: dacl_ptr = NULL. 1269 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */ 1270 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */ 1271 char *end_of_acl = ((char *)pntsd) + secdesclen; 1272 u16 size = 0; 1273 1274 dacloffset = le32_to_cpu(pntsd->dacloffset); 2. Condition dacloffset, taking false branch. 1275 if (dacloffset) { 1276 dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset); 1277 if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) { 1278 cifs_dbg(VFS, "Existing ACL size is wrong. Discarding old ACL\n"); 1279 dacl_ptr = NULL; NOTE: dacl_ptr is set to NULL and dacloffset is true 1280 } 1281 } 1282 1283 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd + 1284 le32_to_cpu(pntsd->osidoffset)); 1285 group_sid_ptr = (struct cifs_sid *)((char *)pntsd + 1286 le32_to_cpu(pntsd->gsidoffset)); 1287 3. Condition pnmode, taking true branch. 4. Condition *pnmode != 18446744073709551615ULL, taking false branch. 1288 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */ 1289 ndacloffset = sizeof(struct cifs_ntsd); 1290 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset); 1291 ndacl_ptr->revision = 1292 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION); 1293 1294 ndacl_ptr->size = cpu_to_le16(0); 1295 ndacl_ptr->num_aces = cpu_to_le32(0); 1296 1297 rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr, 1298 pnmode, mode_from_sid); 1299 1300 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size); 1301 /* copy the non-dacl portion of secdesc */ 1302 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset, 1303 NULL, NULL); 1304 1305 *aclflag |= CIFS_ACL_DACL; 1306 } else { 1307 ndacloffset = sizeof(struct cifs_ntsd); 1308 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + ndacloffset); 5. Condition dacloffset, taking false branch. 1309 ndacl_ptr->revision = 1310 dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION); Explicit null dereferenced (FORWARD_NULL) 6. var_deref_op: Dereferencing null pointer dacl_ptr. 1311 ndacl_ptr->num_aces = dacl_ptr->num_aces; Line 1309..1311, when dacloffset and dacl_ptr is null we hit a null ptr dereference on dacl_ptr.