| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
and helper modules) to new fs/smb subdirectory:
fs/cifs --> fs/smb/client
fs/ksmbd --> fs/smb/server
fs/smbfs_common --> fs/smb/common
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
clc length is now accepted to <= 8 less than length,
rather than < 8.
Solve issues on some of Axis's smb clients which send
messages where clc length is 8 bytes less than length.
The specific client was running kernel 4.19.217 with
smb dialect 3.0.2 on armv7l.
Cc: stable@vger.kernel.org
Signed-off-by: Gustav Johansson <gustajo@axis.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
length
ksmbd allowed the actual frame length to be smaller than the rfc1002
length. If allowed, it is possible to allocates a large amount of memory
that can be limited by credit management and can eventually cause memory
exhaustion problem. This patch do not allow it except SMB2 Negotiate
request which will be validated when message handling proceeds.
Also, Allow a message that padded to 8byte boundary.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
When turning debug mode on, The following error message from
ksmbd_smb2_check_message() is coming.
ksmbd: cli req padded more than expected. Length 112 not 88 for cmd:10 mid:14
data area length calculation for smb2 lock request in smb2_get_data_area_len() is
incorrect.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
if Status is not 0 and PathLength is long,
smb_strndup_from_utf16 could make out of bound
read in smb2_tree_connnect.
This bug can lead an oops looking something like:
[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805
...
[ 1553.882095] Call Trace:
[ 1553.882098] <TASK>
[ 1553.882101] dump_stack_lvl+0x49/0x5f
[ 1553.882107] print_report.cold+0x5e/0x5cf
[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882122] kasan_report+0xaa/0x120
[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20
[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd]
[ 1553.882166] ? __kmalloc_node+0x185/0x430
[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd]
[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1553.882197] process_one_work+0x778/0x11c0
[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0
[ 1553.882206] worker_thread+0x544/0x1180
[ 1553.882209] ? __cpuidle_text_end+0x4/0x4
[ 1553.882214] kthread+0x282/0x320
[ 1553.882218] ? process_one_work+0x11c0/0x11c0
[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30
[ 1553.882225] ret_from_fork+0x1f/0x30
[ 1553.882231] </TASK>
There is no need to check error request validation in server.
This check allow invalid requests not to validate message.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
OOB read memory can be written to a file,
if DataOffset is 0 and Length is too large
in SMB2_WRITE request of compound request.
To prevent this, when checking the length of
the data area of SMB2_WRITE in smb2_get_data_area_len(),
let the minimum of DataOffset be the size of
SMB2 header + the size of SMB2_WRITE header.
This bug can lead an oops looking something like:
[ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
...
[ 798.008754] Call Trace:
[ 798.008756] <TASK>
[ 798.008759] dump_stack_lvl+0x49/0x5f
[ 798.008764] print_report.cold+0x5e/0x5cf
[ 798.008768] ? __filemap_get_folio+0x285/0x6d0
[ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008777] kasan_report+0xaa/0x120
[ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008784] kasan_check_range+0x100/0x1e0
[ 798.008788] memcpy+0x24/0x60
[ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0
[ 798.008795] ? pagecache_get_page+0x53/0x160
[ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590
[ 798.008803] ? ext4_write_begin+0xfc0/0xfc0
[ 798.008807] ? current_time+0x72/0x210
[ 798.008811] generic_perform_write+0x2c8/0x530
[ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180
[ 798.008820] ? down_write+0xb4/0x120
[ 798.008824] ? down_write_killable+0x130/0x130
[ 798.008829] ext4_buffered_write_iter+0x137/0x2c0
[ 798.008833] ext4_file_write_iter+0x40b/0x1490
[ 798.008837] ? __fsnotify_parent+0x275/0xb20
[ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0
[ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0
[ 798.008851] __kernel_write+0x3a1/0xa70
[ 798.008855] ? __x64_sys_preadv2+0x160/0x160
[ 798.008860] ? security_file_permission+0x4a/0xa0
[ 798.008865] kernel_write+0xbb/0x360
[ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd]
[ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd]
[ 798.008892] ? _raw_read_unlock+0x2a/0x50
[ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd]
[ 798.008909] ? __kasan_check_write+0x14/0x20
[ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0
[ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd]
[ 798.008927] ? memcpy+0x4e/0x60
[ 798.008931] ? _raw_spin_unlock+0x19/0x30
[ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd]
[ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0
[ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 798.008962] process_one_work+0x778/0x11c0
[ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0
[ 798.008970] worker_thread+0x544/0x1180
[ 798.008973] ? __cpuidle_text_end+0x4/0x4
[ 798.008977] kthread+0x282/0x320
[ 798.008982] ? process_one_work+0x11c0/0x11c0
[ 798.008985] ? kthread_complete_and_exit+0x30/0x30
[ 798.008989] ret_from_fork+0x1f/0x30
[ 798.008995] </TASK>
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
outstanding credits must be initialized to 0,
because it means the sum of credits consumed by
in-flight requests.
And outstanding credits must be compared with
total credits in smb2_validate_credit_charge(),
because total credits are the sum of credits
granted by ksmbd.
This patch fix the following error,
while frametest with Windows clients:
Limits exceeding the maximum allowable outstanding requests,
given : 128, pending : 8065
Fixes: b589f5db6d4a ("ksmbd: limits exceeding the maximum allowable outstanding requests")
Cc: stable@vger.kernel.org
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Reported-by: Yufan Chen <wiz.chen@gmail.com>
Tested-by: Yufan Chen <wiz.chen@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
If the client ignores the CreditResponse received from the server and
continues to send the request, ksmbd limits the requests if it exceeds
smb2 max credits.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Moves the credit charge deduction from total_credits under the processing
a request. When repeating smb2 lock request and other command request,
there will be a problem that ->total_credits does not decrease.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Add smb2 max credits parameter to adjust maximum credits value to limit
number of outstanding requests.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
To move smb2_hdr to smbfs_common, This patch remove smb2_buf_length
variable in smb2_hdr. Also, declare smb2_get_msg function to get smb2
request/response from ->request/response_buf.
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
When validating request length in ksmbd_check_message, 8byte alignment
is not needed for compound request. It can cause wrong validation
of request length.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org # v5.15
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Use ksmbd_req_buf_next() in ksmbd_smb2_check_message().
Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Steve French <smfrench@gmail.com>
Cc: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
smb2_validate_credit_charge() accesses fields in the SMB2 PDU body,
but until smb2_calc_size() is called the PDU has not yet been verified
to be large enough to access the PDU dynamic part length field.
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
* Requests except READ, WRITE, IOCTL, INFO, QUERY
DIRECOTRY, CANCEL must consume one credit.
* If client's granted credits are insufficient,
refuse to handle requests.
* Windows server 2016 or later grant up to 8192
credits to clients at once.
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
When invalid data offset and data length in request,
ksmbd_smb2_check_message check strictly and doesn't allow to process such
requests.
Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Move credit charge verification over smb2 request size verification
to avoid being skipped.
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
MS-SMB2 specification describe :
If the calculated credit number is greater than the CreditCharge,
the server MUST fail the request with the error code
STATUS_INVALID_PARAMETER.
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
smb2_validate_credit_charge() checks the CreditCharge field in the
request is valid with regards to the payload size.
The current implementation rejects requests with CreditCharge = 0 and a
payload < 64K, even though they should be accepted.
Set CreditCharge to a minimum value of 1 to avoid rejecting such
requests. This matches what samba4 does.
Fixes share enumeration for jcifs-ng clients.
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
replace request and respone buffer macro with inline functions.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
Move fs/cifsd to fs/ksmbd and rename the remaining cifsd name to ksmbd.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
|
