releases/4.14.94/cifs-fix-potential-oob-access-of-lock-element-array.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From b9a74cde94957d82003fb9f7ab4777938ca851cd Mon Sep 17 00:00:00 2001
 From: Ross Lagerwall <ross.lagerwall@citrix.com>
 Date: Tue, 8 Jan 2019 18:30:57 +0000
 Subject: cifs: Fix potential OOB access of lock element array

 From: Ross Lagerwall <ross.lagerwall@citrix.com>

 commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.

 If maxBuf is small but non-zero, it could result in a zero sized lock
 element array which we would then try and access OOB.

 Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 CC: Stable <stable@vger.kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/cifs/file.c     |    8 ++++----
  fs/cifs/smb2file.c |    4 ++--
  2 files changed, 6 insertions(+), 6 deletions(-)

 --- a/fs/cifs/file.c
 +++ b/fs/cifs/file.c
 @@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFil

  	/*
  	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
 -	 * and check it for zero before using.
 +	 * and check it before using.
  	 */
  	max_buf = tcon->ses->server->maxBuf;
 -	if (!max_buf) {
 +	if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
  		free_xid(xid);
  		return -EINVAL;
  	}
 @@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo *c

  	/*
  	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
 -	 * and check it for zero before using.
 +	 * and check it before using.
  	 */
  	max_buf = tcon->ses->server->maxBuf;
 -	if (!max_buf)
 +	if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
  		return -EINVAL;

  	max_num = (max_buf - sizeof(struct smb_hdr)) /
 --- a/fs/cifs/smb2file.c
 +++ b/fs/cifs/smb2file.c
 @@ -124,10 +124,10 @@ smb2_unlock_range(struct cifsFileInfo *c

  	/*
  	 * Accessing maxBuf is racy with cifs_reconnect - need to store value
 -	 * and check it for zero before using.
 +	 * and check it before using.
  	 */
  	max_buf = tcon->ses->server->maxBuf;
 -	if (!max_buf)
 +	if (max_buf < sizeof(struct smb2_lock_element))
  		return -EINVAL;

  	max_num = max_buf / sizeof(struct smb2_lock_element);
	From b9a74cde94957d82003fb9f7ab4777938ca851cd Mon Sep 17 00:00:00 2001
	From: Ross Lagerwall <ross.lagerwall@citrix.com>
	Date: Tue, 8 Jan 2019 18:30:57 +0000
	Subject: cifs: Fix potential OOB access of lock element array

	From: Ross Lagerwall <ross.lagerwall@citrix.com>

	commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.

	If maxBuf is small but non-zero, it could result in a zero sized lock
	element array which we would then try and access OOB.

	Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
	Signed-off-by: Steve French <stfrench@microsoft.com>
	CC: Stable <stable@vger.kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/cifs/file.c \| 8 ++++----
	fs/cifs/smb2file.c \| 4 ++--
	2 files changed, 6 insertions(+), 6 deletions(-)

	--- a/fs/cifs/file.c
	+++ b/fs/cifs/file.c
	@@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFil

	/*
	* Accessing maxBuf is racy with cifs_reconnect - need to store value
	- * and check it for zero before using.
	+ * and check it before using.
	*/
	max_buf = tcon->ses->server->maxBuf;
	- if (!max_buf) {
	+ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
	free_xid(xid);
	return -EINVAL;
	}
	@@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo *c

	/*
	* Accessing maxBuf is racy with cifs_reconnect - need to store value
	- * and check it for zero before using.
	+ * and check it before using.
	*/
	max_buf = tcon->ses->server->maxBuf;
	- if (!max_buf)
	+ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
	return -EINVAL;

	max_num = (max_buf - sizeof(struct smb_hdr)) /
	--- a/fs/cifs/smb2file.c
	+++ b/fs/cifs/smb2file.c
	@@ -124,10 +124,10 @@ smb2_unlock_range(struct cifsFileInfo *c

	/*
	* Accessing maxBuf is racy with cifs_reconnect - need to store value
	- * and check it for zero before using.
	+ * and check it before using.
	*/
	max_buf = tcon->ses->server->maxBuf;
	- if (!max_buf)
	+ if (max_buf < sizeof(struct smb2_lock_element))
	return -EINVAL;

	max_num = max_buf / sizeof(struct smb2_lock_element);