releases/3.16.62/cifs-integer-overflow-in-in-smb2_ioctl.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Mon, 10 Sep 2018 14:12:07 +0300
 Subject: cifs: integer overflow in in SMB2_ioctl()

 commit 2d204ee9d671327915260071c19350d84344e096 upstream.

 The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
 wrap around to a smaller value which looks like it would lead to an
 information leak.

 Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 Reviewed-by: Aurelien Aptel <aaptel@suse.com>
 [bwh: Backported to 3.16: Use get_rfc1002_length(rsp) instead of
  rsp->iov.iov_len]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  fs/cifs/smb2pdu.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 --- a/fs/cifs/smb2pdu.c
 +++ b/fs/cifs/smb2pdu.c
 @@ -1394,14 +1394,14 @@ SMB2_ioctl(const unsigned int xid, struc
  	/* We check for obvious errors in the output buffer length and offset */
  	if (*plen == 0)
  		goto ioctl_exit; /* server returned no data */
 -	else if (*plen > 0xFF00) {
 +	else if (*plen > get_rfc1002_length(rsp) || *plen > 0xFF00) {
  		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
  		*plen = 0;
  		rc = -EIO;
  		goto ioctl_exit;
  	}

 -	if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
 +	if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
  		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
  			le32_to_cpu(rsp->OutputOffset));
  		*plen = 0;
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Mon, 10 Sep 2018 14:12:07 +0300
	Subject: cifs: integer overflow in in SMB2_ioctl()

	commit 2d204ee9d671327915260071c19350d84344e096 upstream.

	The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
	wrap around to a smaller value which looks like it would lead to an
	information leak.

	Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Steve French <stfrench@microsoft.com>
	Reviewed-by: Aurelien Aptel <aaptel@suse.com>
	[bwh: Backported to 3.16: Use get_rfc1002_length(rsp) instead of
	rsp->iov.iov_len]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	fs/cifs/smb2pdu.c \| 4 ++--
	1 file changed, 2 insertions(+), 2 deletions(-)

	--- a/fs/cifs/smb2pdu.c
	+++ b/fs/cifs/smb2pdu.c
	@@ -1394,14 +1394,14 @@ SMB2_ioctl(const unsigned int xid, struc
	/* We check for obvious errors in the output buffer length and offset */
	if (*plen == 0)
	goto ioctl_exit; /* server returned no data */
	- else if (*plen > 0xFF00) {
	+ else if (plen > get_rfc1002_length(rsp) \|\| plen > 0xFF00) {
	cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
	*plen = 0;
	rc = -EIO;
	goto ioctl_exit;
	}

	- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
	+ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
	cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
	le32_to_cpu(rsp->OutputOffset));
	*plen = 0;