Conversation

bmastbergen

jira VULN-40240
cve CVE-2024-50151

commit-author Paulo Alcantara <[email protected]>
commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1
upstream-diff used linux-stable LT-5.15 sha e07d05b7f5ad9a503d9cab0afde2ab867bb65470

[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ]

When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command().

SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below:

  mount.cifs //srv/share /mnt -o ...,seal
  ln -s $(perl -e "print('a')for 1..1024") /mnt/link

  BUG: KASAN: slab-out-of-bounds in
  smb2_set_next_command.cold+0x1d6/0x24c [cifs]
  Write of size 4116 at addr ffff8881148fcab8 by task ln/859

  CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
  1.16.3-2.fc40 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   print_report+0x156/0x4d9
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   ? __virt_addr_valid+0x145/0x310
   ? __phys_addr+0x46/0x90
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_report+0xda/0x110
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_check_range+0x10f/0x1f0
   __asan_memcpy+0x3c/0x60
   smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   smb2_compound_op+0x238c/0x3840 [cifs]
   ? kasan_save_track+0x14/0x30
   ? kasan_save_free_info+0x3b/0x70
   ? vfs_symlink+0x1a1/0x2c0
   ? do_symlinkat+0x108/0x1c0
   ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
   ? kmem_cache_free+0x118/0x3e0
   ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
   smb2_get_reparse_inode+0x423/0x540 [cifs]
   ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
   ? rcu_is_watching+0x20/0x50
   ? __kmalloc_noprof+0x37c/0x480
   ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
   ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
   ? find_held_lock+0x8a/0xa0
   ? hlock_class+0x32/0xb0
   ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
   cifs_symlink+0x24f/0x960 [cifs]
   ? __pfx_make_vfsuid+0x10/0x10
   ? __pfx_cifs_symlink+0x10/0x10 [cifs]
   ? make_vfsgid+0x6b/0xc0
   ? generic_permission+0x96/0x2d0
   vfs_symlink+0x1a1/0x2c0
   do_symlinkat+0x108/0x1c0
   ? __pfx_do_symlinkat+0x10/0x10
   ? strncpy_from_user+0xaa/0x160
   __x64_sys_symlinkat+0xb9/0xf0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f08d75c13bb

Reported-by: David Howells <[email protected]>
Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption")
Signed-off-by: Paulo Alcantara (Red Hat) <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
(cherry picked from commit e07d05b7f5ad9a503d9cab0afde2ab867bb65470)
Signed-off-by: Brett Mastbergen <[email protected]>

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 8s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/virtio/virtio_snd.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/xen/snd_xen_front.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1528s
Making Modules
  INSTALL /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+
[TIMER]{MODULES}: 10s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 45s
Checking kABI
kABI check passed
Setting Default Kernel to  and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 8s
[TIMER]{BUILD}: 1528s
[TIMER]{MODULES}: 10s
[TIMER]{INSTALL}: 45s
[TIMER]{TOTAL} 1605s
Rebooting in 10 seconds

Testing

selftest-5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log

selftest-5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+.log

brett@lycia ~/ciq/vuln-40240 % grep ^ok selftest-5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log | wc -l
295
brett@lycia ~/ciq/vuln-40240 % grep ^ok selftest-5.14.0-bmastbergen_fips-9-compliant_5.14.0-284.30.1_VULN-402+.log | wc -l
296
brett@lycia ~/ciq/vuln-40240 %
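As an added illustration, not code from the patch or from the kernel, the C model below shows the coalescing step the commit message describes together with the length check whose absence produced the KASAN report: the 448-byte request buffer and the 328-byte input limit are taken from the message, the 120-byte header is assumed as their difference, and the function names are hypothetical stand-ins for smb2_set_next_command() and SMB2_ioctl_init().

```c
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>   /* struct iovec */

/* Constructed model of the layout in the commit message: iov[0] is a
 * 448-byte request buffer and input over 328 bytes overflowed it, so the
 * header at the front is assumed to be 448 - 328 = 120 bytes. */
#define REQ_BUF_SIZE  448
#define IOCTL_HDR_LEN 120

/* Hypothetical stand-in for the coalescing step in smb2_set_next_command():
 * append every following iov to the tail of iov[0] so the compound request
 * can be encrypted as one buffer. Returns the bytes now held by iov[0], or
 * -1 when the data would not fit; that bound check is the one whose absence
 * produced the KASAN slab-out-of-bounds write. */
ssize_t coalesce_into_first_iov(struct iovec *iov, int n_iov, size_t buf_size)
{
    size_t used = iov[0].iov_len;

    if (used > buf_size)
        return -1;
    for (int i = 1; i < n_iov; i++) {
        /* compare against remaining room, not a sum, to avoid size_t wrap */
        if (iov[i].iov_len > buf_size - used)
            return -1;
        memcpy((char *)iov[0].iov_base + used, iov[i].iov_base, iov[i].iov_len);
        used += iov[i].iov_len;
    }
    iov[0].iov_len = used;
    return (ssize_t)used;
}

/* Model of building one SMB2_IOCTL request: header in iov[0], the caller's
 * input (here the symlink target) in iov[1], then coalesce. Returns the
 * coalesced length or -1 if indatalen exceeds the 328-byte room. */
ssize_t build_ioctl_request(size_t indatalen)
{
    char req_buf[REQ_BUF_SIZE];
    char indata[2048];   /* constructed input, like the 1024 'a's in the report */
    struct iovec iov[2];

    if (indatalen > sizeof(indata))
        return -1;
    memset(req_buf, 0, sizeof(req_buf));
    memset(indata, 'a', indatalen);
    iov[0].iov_base = req_buf; iov[0].iov_len = IOCTL_HDR_LEN;
    iov[1].iov_base = indata;  iov[1].iov_len = indatalen;
    return coalesce_into_first_iov(iov, 2, sizeof(req_buf));
}
```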

@PlaidCat
Seems fine, why did you use the LT kernel when it's the same as the mainline?

@PlaidCat PlaidCat left a comment

:shipit:

@bmastbergen
Seems fine, why did you use the LT kernel when it's the same as the mainline?

It is the exact same changeset, but it's applied to a different file. That's all.

@thefossguy-ciq thefossguy-ciq left a comment

🚤

@bmastbergen bmastbergen merged commit 5be47ac into fips-9-compliant/5.14.0-284.30.1 Aug 18, 2025
3 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_fips-9-compliant/5.14.0-284.30.1/VULN-40240 branch August 18, 2025 12:58
@PlaidCat PlaidCat changed the title smb: client: fix OOBs when building SMB2_IOCTL request [FIPS 9.2] smb: client: fix OOBs when building SMB2_IOCTL request Aug 18, 2025
bmastbergen pushed a commit to bmastbergen/kernel-src-tree that referenced this pull request Aug 29, 2025
…uper()

jira LE-2015
cve CVE-2024-40998
Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4
commit-author Baokun Li <[email protected]>
commit b4b4fda
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/b4b4fda3.failed

In the following concurrency we will access the uninitialized rs->lock:

ext4_fill_super
  ext4_register_sysfs
   // sysfs registered msg_ratelimit_interval_ms
                             // Other processes modify rs->interval to
                             // non-zero via msg_ratelimit_interval_ms
  ext4_orphan_cleanup
    ext4_msg(sb, KERN_INFO, "Errors on filesystem, "
      __ext4_msg
        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)
          if (!rs->interval)  // do nothing if interval is 0
            return 1;
          raw_spin_trylock_irqsave(&rs->lock, flags)
            raw_spin_trylock(lock)
              _raw_spin_trylock
                __raw_spin_trylock
                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)
                    lock_acquire
                      __lock_acquire
                        register_lock_class
                          assign_lock_key
                            dump_stack();
  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);
    raw_spin_lock_init(&rs->lock);
    // init rs->lock here

and get the following dump_stack:

=========================================================
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 ctrliq#504
[...]
Call Trace:
 dump_stack_lvl+0xc5/0x170
 dump_stack+0x18/0x30
 register_lock_class+0x740/0x7c0
 __lock_acquire+0x69/0x13a0
 lock_acquire+0x120/0x450
 _raw_spin_trylock+0x98/0xd0
 ___ratelimit+0xf6/0x220
 __ext4_msg+0x7f/0x160 [ext4]
 ext4_orphan_cleanup+0x665/0x740 [ext4]
 __ext4_fill_super+0x21ea/0x2b10 [ext4]
 ext4_fill_super+0x14d/0x360 [ext4]
[...]
=========================================================

Normally interval is 0 until s_msg_ratelimit_state is initialized, so
___ratelimit() does nothing. But registering sysfs precedes initializing
rs->lock, so it is possible to change rs->interval to a non-zero value
via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is
uninitialized, and then a call to ext4_msg triggers the problem by
accessing an uninitialized rs->lock. Therefore register sysfs after all
initializations are complete to avoid such problems.

Signed-off-by: Baokun Li <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Theodore Ts'o <[email protected]>
(cherry picked from commit b4b4fda)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	fs/ext4/super.c