[PATCH] cifs: fix strcat buffer overflow in smb21_set_oplock_level()

Mon May 6 21:18:52 UTC 2019

On Mon, May 6, 2019 at 2:03 PM Pavel Shilovsky
<pavel.shilovsky at gmail.com> wrote:
>
> The patch itself is fine but I think we have a bigger problem here:

Good point.  Perhaps make update to the same patch to include both changes

> 3052 >-------cinode->oplock = 0;
>
> here we reset oplock level of the inode, so forcing all the IO go to the server.
>
> 3053 >-------if (oplock & SMB2_LEASE_READ_CACHING_HE) {
> 3054 >------->-------cinode->oplock |= CIFS_CACHE_READ_FLG;
> 3055 >------->-------strcat(message, "R");
> 3056 >-------}
> 3057 >-------if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) {
> 3058 >------->-------cinode->oplock |= CIFS_CACHE_HANDLE_FLG;
> 3059 >------->-------strcat(message, "H");
> 3060 >-------}
> 3061 >-------if (oplock & SMB2_LEASE_WRITE_CACHING_HE) {
> 3062 >------->-------cinode->oplock |= CIFS_CACHE_WRITE_FLG;
>
> this and 3 above cases are all racy with other threads opening the
> same file and the oplock break thread.
>
> 3063 >------->-------strcat(message, "W");
> 3064 >-------}
> 3065 >-------if (!cinode->oplock)
> 3066 >------->-------strcat(message, "None");
> 3067 >-------cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
> 3068 >------->------- &cinode->vfs_inode);
>
> Besides the fix in the patch I would temporarily suggest to not touch
> cinode->oplock more than once in this function - have a local variable
> cifs_oplock which accumulates flags and set cinode->oplock at the very
> end. It reduce raciness a little bit but this code requires much more
> thinking about proper locking I guess.
>
> Best regards,
> Pavel Shilovskiy
>
> пн, 6 мая 2019 г. в 10:02, Steve French via samba-technical
> <samba-technical at lists.samba.org>:
> >
> > We could always switch it to strncpy :)
> >
> > In any case - he is correct, it is better than what was there because
> > we should not strcat unless the array were locked across the whole
> > function
> >
> > On Mon, May 6, 2019 at 11:57 AM Jeremy Allison <jra at samba.org> wrote:
> > >
> > > On Mon, May 06, 2019 at 11:53:44AM -0500, Steve French via samba-technical wrote:
> > > > I think strcpy is clearer - but I don't think it can overflow since if
> > > > R, W or W were written to "message" then cinode->oplock would be
> > > > non-zero so we would never strcap "None"
> > >
> > > Ahem. In Samba we have :
> > >
> > > lib/util/safe_string.h:#define strcpy(dest,src) __ERROR__XX__NEVER_USE_STRCPY___;
> > >
> > > Maybe you should do likewise :-).
> > >
> > > > On Mon, May 6, 2019 at 10:26 AM Christoph Probst <kernel at probst.it> wrote:
> > > > >
> > > > > Change strcat to strcpy in the "None" case as it is never valid to append
> > > > > "None" to any other message. It may also overflow char message[5], in a
> > > > > race condition on cinode if cinode->oplock is unset by another thread
> > > > > after "RHW" or "RH" had been written to message.
> > > > >
> > > > > Signed-off-by: Christoph Probst <kernel at probst.it>
> > > > > ---
> > > > >  fs/cifs/smb2ops.c | 2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> > > > > index c36ff0d..5fd5567 100644
> > > > > --- a/fs/cifs/smb2ops.c
> > > > > +++ b/fs/cifs/smb2ops.c
> > > > > @@ -2936,7 +2936,7 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
> > > > >                 strcat(message, "W");
> > > > >         }
> > > > >         if (!cinode->oplock)
> > > > > -               strcat(message, "None");
> > > > > +               strcpy(message, "None");
> > > > >         cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
> > > > >                  &cinode->vfs_inode);
> > > > >  }
> > > > > --
> > > > > 2.1.4
> > > > >
> > > >
> > > >
> > > > --
> > > > Thanks,
> > > >
> > > > Steve
> > > >
> >
> >
> >
> > --
> > Thanks,
> >
> > Steve
> >

-- 
Thanks,

Steve