diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-06-30 15:07:47 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-06-30 15:07:47 +0200 |
| commit | 3b6b19800a71fc96aeb9169f0809d7412635db35 (patch) | |
| tree | 64d71ec4296951d990cf71e97499819346dd3399 | |
| parent | 23c9ef72e13a116929a85dcc07c92acb5908faf0 (diff) | |
| download | stable-queue-3b6b19800a71fc96aeb9169f0809d7412635db35.tar.gz | |
6.6-stable patches
added patches:
ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch
ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch
| -rw-r--r-- | queue-6.6/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch | 55 | ||||
| -rw-r--r-- | queue-6.6/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch | 42 | ||||
| -rw-r--r-- | queue-6.6/series | 2 |
3 files changed, 99 insertions, 0 deletions
diff --git a/queue-6.6/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch b/queue-6.6/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch new file mode 100644 index 00000000000..a69a9e6ca54 --- /dev/null +++ b/queue-6.6/ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch @@ -0,0 +1,55 @@ +From d782d6e1d9078d6b82f8468dd6421050165e7d75 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Mon, 23 Sep 2024 22:39:11 +0900 +Subject: ksmbd: remove unsafe_memcpy use in session setup + +From: Namjae Jeon <linkinjeon@kernel.org> + +commit d782d6e1d9078d6b82f8468dd6421050165e7d75 upstream. + +Kees pointed out to just use directly ->Buffer instead of pointing +->Buffer using offset not to use unsafe_memcpy(). + +Suggested-by: Kees Cook <kees@kernel.org> +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/server/smb2pdu.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1345,8 +1345,7 @@ static int ntlm_negotiate(struct ksmbd_w + return rc; + + sz = le16_to_cpu(rsp->SecurityBufferOffset); +- chgblob = +- (struct challenge_message *)((char *)&rsp->hdr.ProtocolId + sz); ++ chgblob = (struct challenge_message *)rsp->Buffer; + memset(chgblob, 0, sizeof(struct challenge_message)); + + if (!work->conn->use_spnego) { +@@ -1379,9 +1378,7 @@ static int ntlm_negotiate(struct ksmbd_w + goto out; + } + +- sz = le16_to_cpu(rsp->SecurityBufferOffset); +- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len, +- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */); ++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len); + rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len); + + out: +@@ -1463,10 +1460,7 @@ static int ntlm_authenticate(struct ksmb + if (rc) + return -ENOMEM; + +- sz = le16_to_cpu(rsp->SecurityBufferOffset); +- unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, +- spnego_blob_len, +- /* alloc is larger than blob, see smb2_allocate_rsp_buf() */); ++ memcpy(rsp->Buffer, spnego_blob, spnego_blob_len); + rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len); + kfree(spnego_blob); + } diff --git a/queue-6.6/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch b/queue-6.6/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch new file mode 100644 index 00000000000..29ca0de2961 --- /dev/null +++ b/queue-6.6/ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch @@ -0,0 +1,42 @@ +From dfd046d0ced19b6ff5f11ec4ceab0a83de924771 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Thu, 15 Aug 2024 08:56:35 +0900 +Subject: ksmbd: Use unsafe_memcpy() for ntlm_negotiate + +From: Namjae Jeon <linkinjeon@kernel.org> + +commit dfd046d0ced19b6ff5f11ec4ceab0a83de924771 upstream. + +rsp buffer is allocated larger than spnego_blob from +smb2_allocate_rsp_buf(). + +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/server/smb2pdu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1380,7 +1380,8 @@ static int ntlm_negotiate(struct ksmbd_w + } + + sz = le16_to_cpu(rsp->SecurityBufferOffset); +- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len); ++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len, ++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */); + rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len); + + out: +@@ -1463,7 +1464,9 @@ static int ntlm_authenticate(struct ksmb + return -ENOMEM; + + sz = le16_to_cpu(rsp->SecurityBufferOffset); +- memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len); ++ unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, ++ spnego_blob_len, ++ /* alloc is larger than blob, see smb2_allocate_rsp_buf() */); + rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len); + kfree(spnego_blob); + } diff --git a/queue-6.6/series b/queue-6.6/series index 96ad774cac9..bbcd83936d6 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -134,3 +134,5 @@ drm-amdgpu-amdgpu_vram_mgr_new-clamp-lpfn-to-total-vram.patch drm-i915-gem-allow-exec_capture-on-recoverable-contexts-on-dg1.patch drm-amdgpu-add-kicker-device-detection.patch drm-amdgpu-switch-job-hw_fence-to-amdgpu_fence.patch +ksmbd-use-unsafe_memcpy-for-ntlm_negotiate.patch +ksmbd-remove-unsafe_memcpy-use-in-session-setup.patch |