Commit 303fff2b authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

ksmbd: add validation for ndr read/write functions

If ndr->length is smaller than expected size, ksmbd can access invalid
access in ndr->data. This patch add validation to check ndr->offset is
over ndr->length. and added exception handling to check return value of
ndr read/write function.

Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 687c59e7
...@@ -28,37 +28,60 @@ static int try_to_realloc_ndr_blob(struct ndr *n, size_t sz) ...@@ -28,37 +28,60 @@ static int try_to_realloc_ndr_blob(struct ndr *n, size_t sz)
return 0; return 0;
} }
static void ndr_write_int16(struct ndr *n, __u16 value) static int ndr_write_int16(struct ndr *n, __u16 value)
{ {
if (n->length <= n->offset + sizeof(value)) if (n->length <= n->offset + sizeof(value)) {
try_to_realloc_ndr_blob(n, sizeof(value)); int ret;
ret = try_to_realloc_ndr_blob(n, sizeof(value));
if (ret)
return ret;
}
*(__le16 *)ndr_get_field(n) = cpu_to_le16(value); *(__le16 *)ndr_get_field(n) = cpu_to_le16(value);
n->offset += sizeof(value); n->offset += sizeof(value);
return 0;
} }
static void ndr_write_int32(struct ndr *n, __u32 value) static int ndr_write_int32(struct ndr *n, __u32 value)
{ {
if (n->length <= n->offset + sizeof(value)) if (n->length <= n->offset + sizeof(value)) {
try_to_realloc_ndr_blob(n, sizeof(value)); int ret;
ret = try_to_realloc_ndr_blob(n, sizeof(value));
if (ret)
return ret;
}
*(__le32 *)ndr_get_field(n) = cpu_to_le32(value); *(__le32 *)ndr_get_field(n) = cpu_to_le32(value);
n->offset += sizeof(value); n->offset += sizeof(value);
return 0;
} }
static void ndr_write_int64(struct ndr *n, __u64 value) static int ndr_write_int64(struct ndr *n, __u64 value)
{ {
if (n->length <= n->offset + sizeof(value)) if (n->length <= n->offset + sizeof(value)) {
try_to_realloc_ndr_blob(n, sizeof(value)); int ret;
ret = try_to_realloc_ndr_blob(n, sizeof(value));
if (ret)
return ret;
}
*(__le64 *)ndr_get_field(n) = cpu_to_le64(value); *(__le64 *)ndr_get_field(n) = cpu_to_le64(value);
n->offset += sizeof(value); n->offset += sizeof(value);
return 0;
} }
static int ndr_write_bytes(struct ndr *n, void *value, size_t sz) static int ndr_write_bytes(struct ndr *n, void *value, size_t sz)
{ {
if (n->length <= n->offset + sz) if (n->length <= n->offset + sz) {
try_to_realloc_ndr_blob(n, sz); int ret;
ret = try_to_realloc_ndr_blob(n, sz);
if (ret)
return ret;
}
memcpy(ndr_get_field(n), value, sz); memcpy(ndr_get_field(n), value, sz);
n->offset += sz; n->offset += sz;
...@@ -70,8 +93,13 @@ static int ndr_write_string(struct ndr *n, char *value) ...@@ -70,8 +93,13 @@ static int ndr_write_string(struct ndr *n, char *value)
size_t sz; size_t sz;
sz = strlen(value) + 1; sz = strlen(value) + 1;
if (n->length <= n->offset + sz) if (n->length <= n->offset + sz) {
try_to_realloc_ndr_blob(n, sz); int ret;
ret = try_to_realloc_ndr_blob(n, sz);
if (ret)
return ret;
}
memcpy(ndr_get_field(n), value, sz); memcpy(ndr_get_field(n), value, sz);
n->offset += sz; n->offset += sz;
...@@ -81,8 +109,13 @@ static int ndr_write_string(struct ndr *n, char *value) ...@@ -81,8 +109,13 @@ static int ndr_write_string(struct ndr *n, char *value)
static int ndr_read_string(struct ndr *n, void *value, size_t sz) static int ndr_read_string(struct ndr *n, void *value, size_t sz)
{ {
int len = strnlen(ndr_get_field(n), sz); int len;
if (n->offset + sz > n->length)
return -EINVAL;
len = strnlen(ndr_get_field(n), sz);
if (value)
memcpy(value, ndr_get_field(n), len); memcpy(value, ndr_get_field(n), len);
len++; len++;
n->offset += len; n->offset += len;
...@@ -92,41 +125,52 @@ static int ndr_read_string(struct ndr *n, void *value, size_t sz) ...@@ -92,41 +125,52 @@ static int ndr_read_string(struct ndr *n, void *value, size_t sz)
static int ndr_read_bytes(struct ndr *n, void *value, size_t sz) static int ndr_read_bytes(struct ndr *n, void *value, size_t sz)
{ {
if (n->offset + sz > n->length)
return -EINVAL;
if (value)
memcpy(value, ndr_get_field(n), sz); memcpy(value, ndr_get_field(n), sz);
n->offset += sz; n->offset += sz;
return 0; return 0;
} }
static __u16 ndr_read_int16(struct ndr *n) static int ndr_read_int16(struct ndr *n, __u16 *value)
{ {
__u16 ret; if (n->offset + sizeof(__u16) > n->length)
return -EINVAL;
ret = le16_to_cpu(*(__le16 *)ndr_get_field(n)); if (value)
*value = le16_to_cpu(*(__le16 *)ndr_get_field(n));
n->offset += sizeof(__u16); n->offset += sizeof(__u16);
return ret; return 0;
} }
static __u32 ndr_read_int32(struct ndr *n) static int ndr_read_int32(struct ndr *n, __u32 *value)
{ {
__u32 ret; if (n->offset + sizeof(__u32) > n->length)
return 0;
ret = le32_to_cpu(*(__le32 *)ndr_get_field(n)); if (value)
*value = le32_to_cpu(*(__le32 *)ndr_get_field(n));
n->offset += sizeof(__u32); n->offset += sizeof(__u32);
return ret; return 0;
} }
static __u64 ndr_read_int64(struct ndr *n) static int ndr_read_int64(struct ndr *n, __u64 *value)
{ {
__u64 ret; if (n->offset + sizeof(__u64) > n->length)
return -EINVAL;
ret = le64_to_cpu(*(__le64 *)ndr_get_field(n)); if (value)
*value = le64_to_cpu(*(__le64 *)ndr_get_field(n));
n->offset += sizeof(__u64); n->offset += sizeof(__u64);
return ret; return 0;
} }
int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da) int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
{ {
char hex_attr[12] = {0}; char hex_attr[12] = {0};
int ret;
n->offset = 0; n->offset = 0;
n->length = 1024; n->length = 1024;
...@@ -136,97 +180,161 @@ int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da) ...@@ -136,97 +180,161 @@ int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
if (da->version == 3) { if (da->version == 3) {
snprintf(hex_attr, 10, "0x%x", da->attr); snprintf(hex_attr, 10, "0x%x", da->attr);
ndr_write_string(n, hex_attr); ret = ndr_write_string(n, hex_attr);
} else { } else {
ndr_write_string(n, ""); ret = ndr_write_string(n, "");
} }
ndr_write_int16(n, da->version); if (ret)
ndr_write_int32(n, da->version); return ret;
ret = ndr_write_int16(n, da->version);
if (ret)
return ret;
ret = ndr_write_int32(n, da->version);
if (ret)
return ret;
ret = ndr_write_int32(n, da->flags);
if (ret)
return ret;
ret = ndr_write_int32(n, da->attr);
if (ret)
return ret;
ndr_write_int32(n, da->flags);
ndr_write_int32(n, da->attr);
if (da->version == 3) { if (da->version == 3) {
ndr_write_int32(n, da->ea_size); ret = ndr_write_int32(n, da->ea_size);
ndr_write_int64(n, da->size); if (ret)
ndr_write_int64(n, da->alloc_size); return ret;
ret = ndr_write_int64(n, da->size);
if (ret)
return ret;
ret = ndr_write_int64(n, da->alloc_size);
} else { } else {
ndr_write_int64(n, da->itime); ret = ndr_write_int64(n, da->itime);
} }
ndr_write_int64(n, da->create_time); if (ret)
return ret;
ret = ndr_write_int64(n, da->create_time);
if (ret)
return ret;
if (da->version == 3) if (da->version == 3)
ndr_write_int64(n, da->change_time); ret = ndr_write_int64(n, da->change_time);
return 0; return ret;
} }
int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da) int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
{ {
char *hex_attr; char hex_attr[12];
int version2; unsigned int version2;
int ret;
hex_attr = kzalloc(n->length, GFP_KERNEL);
if (!hex_attr)
return -ENOMEM;
n->offset = 0; n->offset = 0;
ndr_read_string(n, hex_attr, n->length); ret = ndr_read_string(n, hex_attr, sizeof(hex_attr));
kfree(hex_attr); if (ret)
da->version = ndr_read_int16(n); return ret;
ret = ndr_read_int16(n, &da->version);
if (ret)
return ret;
if (da->version != 3 && da->version != 4) { if (da->version != 3 && da->version != 4) {
pr_err("v%d version is not supported\n", da->version); pr_err("v%d version is not supported\n", da->version);
return -EINVAL; return -EINVAL;
} }
version2 = ndr_read_int32(n); ret = ndr_read_int32(n, &version2);
if (ret)
return ret;
if (da->version != version2) { if (da->version != version2) {
pr_err("ndr version mismatched(version: %d, version2: %d)\n", pr_err("ndr version mismatched(version: %d, version2: %d)\n",
da->version, version2); da->version, version2);
return -EINVAL; return -EINVAL;
} }
ndr_read_int32(n); ret = ndr_read_int32(n, NULL);
da->attr = ndr_read_int32(n); if (ret)
return ret;
ret = ndr_read_int32(n, &da->attr);
if (ret)
return ret;
if (da->version == 4) { if (da->version == 4) {
da->itime = ndr_read_int64(n); ret = ndr_read_int64(n, &da->itime);
da->create_time = ndr_read_int64(n); if (ret)
return ret;
ret = ndr_read_int64(n, &da->create_time);
} else { } else {
ndr_read_int32(n); ret = ndr_read_int32(n, NULL);
ndr_read_int64(n); if (ret)
ndr_read_int64(n); return ret;
da->create_time = ndr_read_int64(n);
ndr_read_int64(n); ndr_read_int64(n, NULL);
if (ret)
return ret;
ndr_read_int64(n, NULL);
if (ret)
return ret;
ret = ndr_read_int64(n, &da->create_time);
if (ret)
return ret;
ret = ndr_read_int64(n, NULL);
} }
return 0; return ret;
} }
static int ndr_encode_posix_acl_entry(struct ndr *n, struct xattr_smb_acl *acl) static int ndr_encode_posix_acl_entry(struct ndr *n, struct xattr_smb_acl *acl)
{ {
int i; int i, ret;
ret = ndr_write_int32(n, acl->count);
if (ret)
return ret;
ndr_write_int32(n, acl->count);
n->offset = ALIGN(n->offset, 8); n->offset = ALIGN(n->offset, 8);
ndr_write_int32(n, acl->count); ret = ndr_write_int32(n, acl->count);
ndr_write_int32(n, 0); if (ret)
return ret;
ret = ndr_write_int32(n, 0);
if (ret)
return ret;
for (i = 0; i < acl->count; i++) { for (i = 0; i < acl->count; i++) {
n->offset = ALIGN(n->offset, 8); n->offset = ALIGN(n->offset, 8);
ndr_write_int16(n, acl->entries[i].type); ret = ndr_write_int16(n, acl->entries[i].type);
ndr_write_int16(n, acl->entries[i].type); if (ret)
return ret;
ret = ndr_write_int16(n, acl->entries[i].type);
if (ret)
return ret;
if (acl->entries[i].type == SMB_ACL_USER) { if (acl->entries[i].type == SMB_ACL_USER) {
n->offset = ALIGN(n->offset, 8); n->offset = ALIGN(n->offset, 8);
ndr_write_int64(n, acl->entries[i].uid); ret = ndr_write_int64(n, acl->entries[i].uid);
} else if (acl->entries[i].type == SMB_ACL_GROUP) { } else if (acl->entries[i].type == SMB_ACL_GROUP) {
n->offset = ALIGN(n->offset, 8); n->offset = ALIGN(n->offset, 8);
ndr_write_int64(n, acl->entries[i].gid); ret = ndr_write_int64(n, acl->entries[i].gid);
} }
if (ret)
return ret;
/* push permission */ /* push permission */
ndr_write_int32(n, acl->entries[i].perm); ret = ndr_write_int32(n, acl->entries[i].perm);
} }
return 0; return ret;
} }
int ndr_encode_posix_acl(struct ndr *n, int ndr_encode_posix_acl(struct ndr *n,
...@@ -235,7 +343,8 @@ int ndr_encode_posix_acl(struct ndr *n, ...@@ -235,7 +343,8 @@ int ndr_encode_posix_acl(struct ndr *n,
struct xattr_smb_acl *acl, struct xattr_smb_acl *acl,
struct xattr_smb_acl *def_acl) struct xattr_smb_acl *def_acl)
{ {
int ref_id = 0x00020000; unsigned int ref_id = 0x00020000;
int ret;
n->offset = 0; n->offset = 0;
n->length = 1024; n->length = 1024;
...@@ -245,35 +354,46 @@ int ndr_encode_posix_acl(struct ndr *n, ...@@ -245,35 +354,46 @@ int ndr_encode_posix_acl(struct ndr *n,
if (acl) { if (acl) {
/* ACL ACCESS */ /* ACL ACCESS */
ndr_write_int32(n, ref_id); ret = ndr_write_int32(n, ref_id);
ref_id += 4; ref_id += 4;
} else { } else {
ndr_write_int32(n, 0); ret = ndr_write_int32(n, 0);
} }
if (ret)
return ret;
if (def_acl) { if (def_acl) {
/* DEFAULT ACL ACCESS */ /* DEFAULT ACL ACCESS */
ndr_write_int32(n, ref_id); ret = ndr_write_int32(n, ref_id);
ref_id += 4; ref_id += 4;
} else { } else {
ndr_write_int32(n, 0); ret = ndr_write_int32(n, 0);
} }
if (ret)
return ret;
ndr_write_int64(n, from_kuid(&init_user_ns, i_uid_into_mnt(user_ns, inode))); ret = ndr_write_int64(n, from_kuid(&init_user_ns, i_uid_into_mnt(user_ns, inode)));
ndr_write_int64(n, from_kgid(&init_user_ns, i_gid_into_mnt(user_ns, inode))); if (ret)
ndr_write_int32(n, inode->i_mode); return ret;
ret = ndr_write_int64(n, from_kgid(&init_user_ns, i_gid_into_mnt(user_ns, inode)));
if (ret)
return ret;
ret = ndr_write_int32(n, inode->i_mode);
if (ret)
return ret;
if (acl) { if (acl) {
ndr_encode_posix_acl_entry(n, acl); ret = ndr_encode_posix_acl_entry(n, acl);
if (def_acl) if (def_acl && !ret)
ndr_encode_posix_acl_entry(n, def_acl); ret = ndr_encode_posix_acl_entry(n, def_acl);
} }
return 0; return ret;
} }
int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl) int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
{ {
int ref_id = 0x00020004; unsigned int ref_id = 0x00020004;
int ret;
n->offset = 0; n->offset = 0;
n->length = 2048; n->length = 2048;
...@@ -281,36 +401,65 @@ int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl) ...@@ -281,36 +401,65 @@ int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
if (!n->data) if (!n->data)
return -ENOMEM; return -ENOMEM;
ndr_write_int16(n, acl->version); ret = ndr_write_int16(n, acl->version);
ndr_write_int32(n, acl->version); if (ret)
ndr_write_int16(n, 2); return ret;
ndr_write_int32(n, ref_id);
ret = ndr_write_int32(n, acl->version);
if (ret)
return ret;
ret = ndr_write_int16(n, 2);
if (ret)
return ret;
ret = ndr_write_int32(n, ref_id);
if (ret)
return ret;
/* push hash type and hash 64bytes */ /* push hash type and hash 64bytes */
ndr_write_int16(n, acl->hash_type); ret = ndr_write_int16(n, acl->hash_type);
ndr_write_bytes(n, acl->hash, XATTR_SD_HASH_SIZE); if (ret)
ndr_write_bytes(n, acl->desc, acl->desc_len); return ret;
ndr_write_int64(n, acl->current_time);
ndr_write_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE);
/* push ndr for security descriptor */ ret = ndr_write_bytes(n, acl->hash, XATTR_SD_HASH_SIZE);
ndr_write_bytes(n, acl->sd_buf, acl->sd_size); if (ret)
return ret;
return 0; ret = ndr_write_bytes(n, acl->desc, acl->desc_len);
if (ret)
return ret;
ret = ndr_write_int64(n, acl->current_time);
if (ret)
return ret;
ret = ndr_write_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE);
if (ret)
return ret;
/* push ndr for security descriptor */
ret = ndr_write_bytes(n, acl->sd_buf, acl->sd_size);
return ret;
} }
int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl) int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
{ {
int version2; unsigned int version2;
int ret;
n->offset = 0; n->offset = 0;
acl->version = ndr_read_int16(n); ret = ndr_read_int16(n, &acl->version);
if (ret)
return ret;
if (acl->version != 4) { if (acl->version != 4) {
pr_err("v%d version is not supported\n", acl->version); pr_err("v%d version is not supported\n", acl->version);
return -EINVAL; return -EINVAL;
} }
version2 = ndr_read_int32(n); ret = ndr_read_int32(n, &version2);
if (ret)
return ret;
if (acl->version != version2) { if (acl->version != version2) {
pr_err("ndr version mismatched(version: %d, version2: %d)\n", pr_err("ndr version mismatched(version: %d, version2: %d)\n",
acl->version, version2); acl->version, version2);
...@@ -318,11 +467,22 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl) ...@@ -318,11 +467,22 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
} }
/* Read Level */ /* Read Level */
ndr_read_int16(n); ret = ndr_read_int16(n, NULL);
if (ret)
return ret;
/* Read Ref Id */ /* Read Ref Id */
ndr_read_int32(n); ret = ndr_read_int32(n, NULL);
acl->hash_type = ndr_read_int16(n); if (ret)
ndr_read_bytes(n, acl->hash, XATTR_SD_HASH_SIZE); return ret;
ret = ndr_read_int16(n, &acl->hash_type);
if (ret)
return ret;
ret = ndr_read_bytes(n, acl->hash, XATTR_SD_HASH_SIZE);
if (ret)
return ret;
ndr_read_bytes(n, acl->desc, 10); ndr_read_bytes(n, acl->desc, 10);
if (strncmp(acl->desc, "posix_acl", 9)) { if (strncmp(acl->desc, "posix_acl", 9)) {
...@@ -331,15 +491,20 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl) ...@@ -331,15 +491,20 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
} }
/* Read Time */ /* Read Time */
ndr_read_int64(n); ret = ndr_read_int64(n, NULL);
if (ret)
return ret;
/* Read Posix ACL hash */ /* Read Posix ACL hash */
ndr_read_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE); ret = ndr_read_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE);
if (ret)
return ret;
acl->sd_size = n->length - n->offset; acl->sd_size = n->length - n->offset;
acl->sd_buf = kzalloc(acl->sd_size, GFP_KERNEL); acl->sd_buf = kzalloc(acl->sd_size, GFP_KERNEL);
if (!acl->sd_buf) if (!acl->sd_buf)
return -ENOMEM; return -ENOMEM;
ndr_read_bytes(n, acl->sd_buf, acl->sd_size); ret = ndr_read_bytes(n, acl->sd_buf, acl->sd_size);
return ret;
return 0;
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment