[PATCH][focal/linux, bionic/linux, hirsute/linux, hirsute/linux-azure] Revert "CIFS: Fix a potencially linear read overflow"
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Nov 29 17:38:25 UTC 2021
On Mon, Nov 29, 2021 at 08:14:58AM -0700, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1952094
>
> This reverts commit 3d5631a27ec4767ac80dbf553f9ae501b18e07e3.
Which is upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8.
>
> This stable patch causes a regression. There are no subsequent
> upstream fixes.
>
I still fail to see how that introduces a regression.
Let's take a src string that is larger or equal to maxlen.
Before the patch:
len = strnlen(src, maxlen); -> len = maxlen;
len++; len = maxlen + 1;
dst = kmalloc(len, GPF_KERNEL); /* allocates a maxlen+1 sized dst */
if (!dst)
return NULL;
strlcpy(dst, src, len); // where I replace len/size with maxlen+1 from now on
size_t ret = strlen(src); // ret >= maxlen
if (maxlen + 1) {
size_t len = (ret >= maxlen + 1) ? maxlen + 1 - 1 : ret;
/* here, either ret == maxlen, which makes len = ret = maxlen;
or ret > maxlen, which makes len = maxlen + 1 - 1 = maxlen */
memcpy(dest, src, maxlen);
dest[maxlen] = '\0';
}
After the patch:
dst = kstrndup(src, maxlen, GFP_KERNEL);
...
len = strnlen(s, max); -> len = max;
buf = kmalloc_track_caller(len+1, gfp); /* again, allocates maxlen+1 */
/* from here on, replaces len with maxlen */
if (buf) {
memcpy(buf, s, maxlen);
dest[maxlen] = '\0';
}
return buf; /* here, returns NULL as before the patch, in case allocation fails */
By looking at the bug, it looks like the failure happens when nls_load fails to
load nls_utf8 module. So, perhaps, the user missed the installation of
linux-modules-extra when installing from the archive, and then installed the
package when instructed to install the test kernel?
Cascardo.
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>
> I'll ask the upstream reviewers about reverting or fixing this patch.
> Its been included in many stable releases:
>
> linux-4.4.y.txt:0955df2d9bf4857e3e2287e3028903e6cec06c30 CIFS: Fix a potencially linear read overflow
> linux-4.9.y.txt:8878af780747f498551b7d360cae61b415798f18 CIFS: Fix a potencially linear read overflow
> linux-4.14.y.txt:20967547ffc6039f17c63a1c24eb779ee166b245 CIFS: Fix a potencially linear read overflow
> linux-4.19.y.txt:bea655491daf39f1934a71bf576bf3499092d3a4 CIFS: Fix a potencially linear read overflow
> linux-5.4.y.txt:b444064a0e0ef64491b8739a9ae05a952b5f8974 CIFS: Fix a potencially linear read overflow
> linux-5.10.y.txt:6c4857203ffa36918136756a889b12c5864bc4ad CIFS: Fix a potencially linear read overflow
> linux-5.13.y.txt:9bffe470e9b537075345406512df01ca2188b725 CIFS: Fix a potencially linear read overflow
> linux-5.14.y.txt:c41dd61c86482ab34f6f039b13296308018fd99b CIFS: Fix a potencially linear read overflow
>
> rtg
> ---
> fs/cifs/cifs_unicode.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
> index 171ad8b42107e..9bd03a2310328 100644
> --- a/fs/cifs/cifs_unicode.c
> +++ b/fs/cifs/cifs_unicode.c
> @@ -358,9 +358,14 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
> if (!dst)
> return NULL;
> cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
> - NO_MAP_UNI_RSVD);
> + NO_MAP_UNI_RSVD);
> } else {
> - dst = kstrndup(src, maxlen, GFP_KERNEL);
> + len = strnlen(src, maxlen);
> + len++;
> + dst = kmalloc(len, GFP_KERNEL);
> + if (!dst)
> + return NULL;
> + strlcpy(dst, src, len);
> }
>
> return dst;
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list