ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

JordyZomer · smfrench · commit fc342cf86e2d · 2024-12-01T17:31:19.000-06:00
An offset from client could be a negative value, It could lead
to an out-of-bounds read from the stream_buf.
Note that this issue is coming when setting
'vfs objects = streams_xattr parameter' in ksmbd.conf.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: Jordy Zomer &lt;jordyzomer@google.com&gt;
Signed-off-by: Jordy Zomer &lt;jordyzomer@google.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -6663,6 +6663,10 @@ int smb2_read(struct ksmbd_work *work)
 	}
 
 	offset = le64_to_cpu(req->Offset);
+	if (offset < 0) {
+		err = -EINVAL;
+		goto out;
+	}
 	length = le32_to_cpu(req->Length);
 	mincount = le32_to_cpu(req->MinimumCount);
 

Original file line number	Diff line number	Diff line change
`@@ -6663,6 +6663,10 @@ int smb2_read(struct ksmbd_work *work)`
`6663`	`6663`	`}`
`6664`	`6664`
`6665`	`6665`	`offset = le64_to_cpu(req->Offset);`
	`6666`	`+ if (offset < 0) {`
	`6667`	`+ err = -EINVAL;`
	`6668`	`+ goto out;`
	`6669`	`+ }`
`6666`	`6670`	`length = le32_to_cpu(req->Length);`
`6667`	`6671`	`mincount = le32_to_cpu(req->MinimumCount);`
`6668`	`6672`