Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp80611pxb; Wed, 24 Feb 2021 19:03:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJygA2rEQNeJYUqJl23l3OzDhKJ15cOAZ3DNlCAgO2Pzicw0rA2UQ5Ywl6zllc9m6oRFzqJI X-Received: by 2002:a17:907:98f5:: with SMTP id ke21mr662242ejc.552.1614222211335; Wed, 24 Feb 2021 19:03:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614222211; cv=none; d=google.com; s=arc-20160816; b=w4i8ufvhngyvRd1j0Fv+gKc47itNmfrXm9PKZALzFOVoseRTdWyOdEgvGRATJJDWoo LYXuQ4uaxnvEp4klvWfj5CdK6CkQJ+MwhnMHrXdPph1LpOpx7T9DbeWj9zEvFOLjb7U/ p5Cmh7GIRtPiL1N7NovCkilybd5lSGDF2YpzaqjshOc+JfX9GG0IWcl/3A81bgyHjNcE rlYmBFTlRsk5nmJ/XqgPkPuiKUArb2QyfaCwQ/FaS4Tc7FZzOc8+HEfy57DLChfj0p6o NIFLYMkV10j+cB5U0T72l8PsNyH6iPQJuFgsRZews4HE0+bTgMqJkm00z4mZVWcTD9FF Kg6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=QwuU3xNF676fW0Qz6Yj10YsJuKwVnZI2peLj/ip0DBk=; b=i838pWp/GiUSvOlpEXMyAMt5SbGiWrnMZVzQDKVPAN19CwtadxCERT1ml2ukL91sMu 7pV0dadAgr7m+bOLLyYqRUcHLEPkd4jQU0x+l2FzPW2Sj9MqW/EvyBVcuMGtP1qUsuaU digMig8XZKT1d7vvC1UrlWJEAvDc00zpRH/qsc23Yi00hvUvp5YDCz7KuRiHmn6eedBL cExua5VhUDXLHadtlj2kHoKr9ShiX1PfJ3bObG0ef7igqGU5hmnMX9/pIp19oIyX7+Ji W7/2i+qqvzmUp9/NszLdbbvB/Y7tGwg1SHKv5jIeexsCVgR2X2PhayDRYwnMxCDna9s9 sK0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qKxMfaf2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a2si2890344eda.350.2021.02.24.19.03.05; Wed, 24 Feb 2021 19:03:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qKxMfaf2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234114AbhBXSWc (ORCPT + 99 others); Wed, 24 Feb 2021 13:22:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49206 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231960AbhBXSWb (ORCPT ); Wed, 24 Feb 2021 13:22:31 -0500 Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77B25C061574; Wed, 24 Feb 2021 10:21:50 -0800 (PST) Received: by mail-lj1-x22c.google.com with SMTP id q23so3501689lji.8; Wed, 24 Feb 2021 10:21:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QwuU3xNF676fW0Qz6Yj10YsJuKwVnZI2peLj/ip0DBk=; b=qKxMfaf2Q/JZMspNxla3/+NfLvsDeBiAvUoDgJt6FF+TdtyHON3jL6FU3AZ+vKSmSH JLPgZ9lVobDomgT8Q8riTiAUDwflZ8ZuHVeeBLusqZAnXL0/yRbabvIogX79tbCIK8o7 FTw6KeiGf8OIh2txoI78L0LOXyj8d9yUlwiASOth3FLOSBN0DVIDKkxxccjLrt1oBClz /omog7BnUxz5WYE1HOR87OUgHcZwwjAfdvROMDc3WrbtAj5R3REXfpSczfivchAhPklY nC3SIXyOTyzGzaGOaGXZa+bd3PT5rIAxCn3by0DqoecIr66wnwrkOMYz/IBvZwS6JPiL ARpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QwuU3xNF676fW0Qz6Yj10YsJuKwVnZI2peLj/ip0DBk=; b=IRksJBN6fASTKxOvhH6BfuzO1LfJwTwfgLT6o8CVpJ0vxopdE+03E+2JrtBKK4ipKL HindHtbwgUrnAjXEjTuy074SC7rOfsmSkx8o+cdFe37Bbr6pFaMjquxYg1Q4PiLWoju4 OeZOXZlCpbNqPtlbqZvTu4NO2LudljkhoX7Ur5bPfx09H6jPWY9OeBMGUxBkK3uJjXee r9XX895RX3jzAOV95ZGcM+hQGCiqG8mJnOabsc3Hx29C9pGfDIm34TQgSNVwdJ+E3ToI spTcJfNOEN3DJtm/uB9AUhRID9ypzlKuUxUjovYY86Mo5BZcF5lA5PcS/C17OGLaYgaW wqHA== X-Gm-Message-State: AOAM531uyXuy0YuOCWgL2phQN9Tz8s5jTzFLoguUkq0e1aVdeObVzRT7 NOlG51fhyKSzBEoLItgu0LsQ7Sb5WK8XMnfWHyw= X-Received: by 2002:a2e:9617:: with SMTP id v23mr9691246ljh.406.1614190906617; Wed, 24 Feb 2021 10:21:46 -0800 (PST) MIME-Version: 1.0 References: <1ca0f87e-83b3-b4dd-4448-b44f2a9d1698@canonical.com> In-Reply-To: From: Steve French Date: Wed, 24 Feb 2021 12:21:35 -0600 Message-ID: Subject: Re: [EXTERNAL] re: cifs: Retain old ACEs when converting between mode bits and ACL. To: Shyam Prasad N Cc: Shyam Prasad , rohiths msft , Steve French , Colin Ian King , "samba-technical@lists.samba.org" , "linux-kernel@vger.kernel.org" , "linux-cifs@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add the RB from Rohith and merged into cifs-2.6.git for-next On Wed, Feb 24, 2021 at 10:58 AM Shyam Prasad N via samba-technical wrote: > > Hi Steve, > > Please accept this fix for the bug that Colin pointed out. > This can be hit if the server has a corrupted SD, or it got corrupted > over the network. > We used to ignore the ACL in such a case (which in combination with my > patches caused the issue). But I think we should be returning an error > immediately. > > Regards, > Shyam > > On Wed, Feb 24, 2021 at 7:16 AM Shyam Prasad wrote: > > > > Hi Colin, > > > > Thanks for reporting this. I'll submit a fix. > > > > Regards, > > Shyam > > > > -----Original Message----- > > From: Colin Ian King > > Sent: Wednesday, February 24, 2021 6:14 PM > > To: Shyam Prasad > > Cc: Steve French ; linux-cifs@vger.kernel.org; samba-technical@lists.samba.org; linux-kernel@vger.kernel.org > > Subject: [EXTERNAL] re: cifs: Retain old ACEs when converting between mode bits and ACL. > > > > Hi, > > > > Static analysis on linux-next with Coverity had detected a potential null pointer dereference with the following commit: > > > > commit f5065508897a922327f32223082325d10b069ebc > > Author: Shyam Prasad N > > Date: Fri Feb 12 04:38:43 2021 -0800 > > > > cifs: Retain old ACEs when converting between mode bits and ACL. > > > > The analysis is as follows: > > > > 1258 /* Convert permission bits from mode to equivalent CIFS ACL */ > > 1259 static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, > > 1260 __u32 secdesclen, __u32 *pnsecdesclen, __u64 *pnmode, kuid_t > > uid, kgid_t gid, > > 1261 bool mode_from_sid, bool id_from_sid, int *aclflag) > > 1262 { > > 1263 int rc = 0; > > 1264 __u32 dacloffset; > > 1265 __u32 ndacloffset; > > 1266 __u32 sidsoffset; > > 1267 struct cifs_sid *owner_sid_ptr, *group_sid_ptr; > > 1268 struct cifs_sid *nowner_sid_ptr = NULL, *ngroup_sid_ptr = NULL; > > > > 1. assign_zero: Assigning: dacl_ptr = NULL. > > > > 1269 struct cifs_acl *dacl_ptr = NULL; /* no need for SACL ptr */ > > 1270 struct cifs_acl *ndacl_ptr = NULL; /* no need for SACL ptr */ > > 1271 char *end_of_acl = ((char *)pntsd) + secdesclen; > > 1272 u16 size = 0; > > 1273 > > 1274 dacloffset = le32_to_cpu(pntsd->dacloffset); > > > > 2. Condition dacloffset, taking false branch. > > > > 1275 if (dacloffset) { > > 1276 dacl_ptr = (struct cifs_acl *)((char *)pntsd + > > dacloffset); > > 1277 if (end_of_acl < (char *)dacl_ptr + > > le16_to_cpu(dacl_ptr->size)) { > > 1278 cifs_dbg(VFS, "Existing ACL size is wrong. > > Discarding old ACL\n"); > > 1279 dacl_ptr = NULL; > > > > NOTE: dacl_ptr is set to NULL and dacloffset is true > > > > 1280 } > > 1281 } > > 1282 > > 1283 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd + > > 1284 le32_to_cpu(pntsd->osidoffset)); > > 1285 group_sid_ptr = (struct cifs_sid *)((char *)pntsd + > > 1286 le32_to_cpu(pntsd->gsidoffset)); > > 1287 > > > > 3. Condition pnmode, taking true branch. > > 4. Condition *pnmode != 18446744073709551615ULL, taking false branch. > > > > 1288 if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */ > > 1289 ndacloffset = sizeof(struct cifs_ntsd); > > 1290 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + > > ndacloffset); > > 1291 ndacl_ptr->revision = > > 1292 dacloffset ? dacl_ptr->revision : > > cpu_to_le16(ACL_REVISION); > > 1293 > > 1294 ndacl_ptr->size = cpu_to_le16(0); > > 1295 ndacl_ptr->num_aces = cpu_to_le32(0); > > 1296 > > 1297 rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, > > owner_sid_ptr, group_sid_ptr, > > 1298 pnmode, mode_from_sid); > > 1299 > > 1300 sidsoffset = ndacloffset + le16_to_cpu(ndacl_ptr->size); > > 1301 /* copy the non-dacl portion of secdesc */ > > 1302 *pnsecdesclen = copy_sec_desc(pntsd, pnntsd, sidsoffset, > > 1303 NULL, NULL); > > 1304 > > 1305 *aclflag |= CIFS_ACL_DACL; > > 1306 } else { > > 1307 ndacloffset = sizeof(struct cifs_ntsd); > > 1308 ndacl_ptr = (struct cifs_acl *)((char *)pnntsd + > > ndacloffset); > > > > 5. Condition dacloffset, taking false branch. > > > > 1309 ndacl_ptr->revision = > > 1310 dacloffset ? dacl_ptr->revision : > > cpu_to_le16(ACL_REVISION); > > > > Explicit null dereferenced (FORWARD_NULL) > > > > 6. var_deref_op: Dereferencing null pointer dacl_ptr. > > > > 1311 ndacl_ptr->num_aces = dacl_ptr->num_aces; > > > > > > Line 1309..1311, when dacloffset and dacl_ptr is null we hit a null ptr dereference on dacl_ptr. > > > > > -- > Regards, > Shyam -- Thanks, Steve