[SRU][J/F][PATCH 1/1] cifs: fix underflow in parse_server_interfaces()
Cengiz Can
cengiz.can at canonical.com
Tue May 7 14:47:11 UTC 2024
On 25-04-24 14:24:49, Bethany Jamison wrote:
> From: Dan Carpenter <dan.carpenter at linaro.org>
>
> In this loop, we step through the buffer and after each item we check
> if the size_left is greater than the minimum size we need. However,
> the problem is that "bytes_left" is type ssize_t while sizeof() is type
> size_t. That means that because of type promotion, the comparison is
> done as an unsigned and if we have negative bytes left the loop
> continues instead of ending.
>
> Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
> Reviewed-by: Shyam Prasad N <sprasad at microsoft.com>
> Signed-off-by: Steve French <stfrench at microsoft.com>
> (backported from commit cffe487026be13eaf37ea28b783d9638ab147204)
> [bjamison: parse_server_interfaces() is organized differently than
> upstream; I modified both the while loops with the same sizeof() issue
> to match the intentions of the fix commit]

Are you absolutely sure that `*p` was `size_t` before and requires a cast to
`ssize_t` in our version?

> CVE-2024-26828
> Signed-off-by: Bethany Jamison <bethany.jamison at canonical.com>
> ---
> fs/cifs/smb2ops.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index b725bd3144fb7..a7a2e6d8e645f 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -521,7 +521,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
>
> bytes_left = buf_len;
> p = buf;
> - while (bytes_left >= sizeof(*p)) {
> + while (bytes_left >= (ssize_t)sizeof(*p)) {
> nb_iface++;
> next = le32_to_cpu(p->Next);
> if (!next) {
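
Review bot: The cast in `while (bytes_left >= (ssize_t)sizeof(*p))` carries the whole fix but has no comment, and it looks redundant enough that a later cleanup could remove it. A one-line comment above the loop saying that bytes_left is signed and can go negative would protect it. Separately, `next = le32_to_cpu(p->Next)` is read from the response buffer, and the lines shown here do not compare it with bytes_left before it is used. If the rest of the loop does not do so either, rejecting a `next` larger than bytes_left at that point would stop bytes_left from going negative in the first place, rather than relying on the loop condition to catch it afterwards.
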
> @@ -556,7 +556,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
> info = *iface_list;
> bytes_left = buf_len;
> p = buf;
> - while (bytes_left >= sizeof(*p)) {
> + while (bytes_left >= (ssize_t)sizeof(*p)) {
> info->speed = le64_to_cpu(p->LinkSpeed);
> info->rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE) ? 1 : 0;
> info->rss_capable = le32_to_cpu(p->Capability & RSS_CAPABLE) ? 1 : 0;
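
Review bot: The second loop repeats `while (bytes_left >= (ssize_t)sizeof(*p))` verbatim from the first, so the two walks over the same buffer agree only while both conditions are edited together. Since the backport note says this tree is organized differently from upstream, consider stating the bound once, for example a local `const ssize_t min_len = sizeof(*p);` used by both loops, so the counting pass and the fill pass cannot drift apart in a later backport.
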
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
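
The signed/unsigned comparison described in the commit message above, as an added user-space example that is not part of the patch or of the kernel source. `struct rec`, `walk()`, `demo()` and the 16-byte input are hypothetical and constructed for illustration; the walk flags an out-of-bounds record instead of reading it.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical record layout for this demo; not the kernel's struct. */
struct rec {
    uint32_t next;   /* byte offset to the next record, 0 on the last */
    uint32_t value;
};

/* Returns how many records the loop condition admitted; *outside is set
 * when an admitted record does not fit inside buf. use_cast = 0 models
 * the original condition, use_cast = 1 the patched one. */
static int walk(const unsigned char *buf, size_t buf_len, int use_cast, int *outside)
{
    ssize_t bytes_left = (ssize_t)buf_len;
    size_t off = 0;
    int admitted = 0;
    *outside = 0;
    for (;;) {
        struct rec r;
        /* Uncast, bytes_left is converted to size_t for the comparison;
         * the explicit (size_t) below spells that conversion out. */
        int more = use_cast ? bytes_left >= (ssize_t)sizeof(r)
                            : (size_t)bytes_left >= sizeof(r);
        if (!more)
            break;
        admitted++;
        if (off > buf_len || buf_len - off < sizeof(r)) {
            *outside = 1;   /* the demo stops instead of reading */
            break;
        }
        memcpy(&r, buf + off, sizeof(r));
        if (r.next == 0)
            break;
        off += r.next;
        bytes_left -= (ssize_t)r.next;
    }
    return admitted;
}

/* Constructed input: 16-byte buffer whose first record claims next = 24. */
static int demo(int use_cast, int *outside)
{
    unsigned char buf[16] = {0};
    struct rec first = { 24, 1 };
    memcpy(buf, &first, sizeof(first));
    return walk(buf, sizeof(buf), use_cast, outside);
}
```

With the constructed input, bytes_left becomes -8 after the first record: the uncast condition admits a second record that lies past the end of the buffer, while the cast condition ends the walk.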