Summary: | smbfs doesn't validate msg fields -> potential kernel page fault | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Robert Morris <rtm> | ||||
Component: | kern | Assignee: | John Baldwin <jhb> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Only Me | CC: | emaste, grahamperrin, jhb | ||||
Priority: | --- | Keywords: | crash | ||||
Version: | CURRENT | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263043 | ||||||
Attachments: |
|
Description
Robert Morris
2021-09-14 17:32:43 UTC
I think there is also a bug in that smb_t2_placedata assumes that the last mbuf in the chain is large enough to contain all of the bits to be discarded. I've replaced that with a call to m_adj() with a negative length which trims from the end while handling this case. I have not yet tested a potential fix as setting up samba is a bit more work than some of the other bugs. If it is not easy to test potential fix locally I can work on recreating the testing setup to test. https://reviews.freebsd.org/D41229 (In reply to John Baldwin from comment #1) D41229 does fix the problem for me. With the patch, I can mount a samba server and read and write files with no problems. A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=aca3d65fedffbbe71399a88d33ea8ecf550177eb commit aca3d65fedffbbe71399a88d33ea8ecf550177eb Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2023-08-04 23:42:41 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2023-08-04 23:42:41 +0000 netsmb: Add bounds checking to smb_t2_placedata Verify that the requested region of the mbuf chain is not beyond the end of the chain before trimming it from the end. If it is out of bounds, fail with an error (EPROTO). While here, properly handle the case that the amount of data at the end of the chain might span more than one mbuf by using m_adj to drop the extra bytes rather than assuming m_len of the last mbuf can be adjusted directly. PR: 258504 Reported by: Robert Morris <rtm@lcs.mit.edu> Co-authored-by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41229 sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=5b8178fa46a766ece29aafcceed3c3db01f51a0b commit 5b8178fa46a766ece29aafcceed3c3db01f51a0b Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2023-08-04 23:42:41 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2023-09-06 21:56:10 +0000 netsmb: Add bounds checking to smb_t2_placedata Verify that the requested region of the mbuf chain is not beyond the end of the chain before trimming it from the end. If it is out of bounds, fail with an error (EPROTO). While here, properly handle the case that the amount of data at the end of the chain might span more than one mbuf by using m_adj to drop the extra bytes rather than assuming m_len of the last mbuf can be adjusted directly. PR: 258504 Reported by: Robert Morris <rtm@lcs.mit.edu> Co-authored-by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41229 (cherry picked from commit aca3d65fedffbbe71399a88d33ea8ecf550177eb) sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=dd66ba430cb9d4c53fdd583fa2f20521552d58ff commit dd66ba430cb9d4c53fdd583fa2f20521552d58ff Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2023-08-04 23:42:41 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2023-09-06 20:03:18 +0000 netsmb: Add bounds checking to smb_t2_placedata Verify that the requested region of the mbuf chain is not beyond the end of the chain before trimming it from the end. If it is out of bounds, fail with an error (EPROTO). While here, properly handle the case that the amount of data at the end of the chain might span more than one mbuf by using m_adj to drop the extra bytes rather than assuming m_len of the last mbuf can be adjusted directly. PR: 258504 Reported by: Robert Morris <rtm@lcs.mit.edu> Co-authored-by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41229 (cherry picked from commit aca3d65fedffbbe71399a88d33ea8ecf550177eb) sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) |