UPSTREAM: libceph: harden msgr2.1 frame segment length checks

commit a282a2f10539dce2aa619e71e1817570d557fc97 upstream.

ceph_frame_desc::fd_lens is an int array.  decode_preamble() thus
effectively casts u32 -> int but the checks for segment lengths are
written as if on unsigned values.  While reading in HELLO or one of the
AUTH frames (before authentication is completed), arithmetic in
head_onwire_len() can get duped by negative ctrl_len and produce
head_len which is less than CEPH_PREAMBLE_LEN but still positive.
This would lead to a buffer overrun in prepare_read_control() as the
preamble gets copied to the newly allocated buffer of size head_len.

Bug: 303173400
Cc: stable@vger.kernel.org
Fixes: cd1a677cad ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Reported-by: Thelford Williams <thelford@google.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit db8ca8d9b4dfce6d8cded796f0e671ef2c782613)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I49eacd72317664d920b13e3fec087d0e14802b93
This commit is contained in:
Ilya Dryomov 2023-07-10 20:39:29 +02:00 committed by Treehugger Robot
parent debc1e0486
commit 367ce30ddc


@ -392,6 +392,8 @@ static int head_onwire_len(int ctrl_len, bool secure)
int head_len;
int rem_len;
BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
if (secure) {
head_len = CEPH_PREAMBLE_SECURE_LEN;
if (ctrl_len > CEPH_PREAMBLE_INLINE_LEN) {
@ -410,6 +412,10 @@ static int head_onwire_len(int ctrl_len, bool secure)
static int __tail_onwire_len(int front_len, int middle_len, int data_len,
bool secure)
{
BUG_ON(front_len < 0 || front_len > CEPH_MSG_MAX_FRONT_LEN ||
middle_len < 0 || middle_len > CEPH_MSG_MAX_MIDDLE_LEN ||
data_len < 0 || data_len > CEPH_MSG_MAX_DATA_LEN);
if (!front_len && !middle_len && !data_len)
return 0;
@ -522,29 +528,34 @@ static int decode_preamble(void *p, struct ceph_frame_desc *desc)
desc->fd_aligns[i] = ceph_decode_16(&p);
}
if (desc->fd_lens[0] < 0 ||
desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("bad control segment length %d\n", desc->fd_lens[0]);
return -EINVAL;
}
if (desc->fd_lens[1] < 0 ||
desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("bad front segment length %d\n", desc->fd_lens[1]);
return -EINVAL;
}
if (desc->fd_lens[2] < 0 ||
desc->fd_lens[2] > CEPH_MSG_MAX_MIDDLE_LEN) {
pr_err("bad middle segment length %d\n", desc->fd_lens[2]);
return -EINVAL;
}
if (desc->fd_lens[3] < 0 ||
desc->fd_lens[3] > CEPH_MSG_MAX_DATA_LEN) {
pr_err("bad data segment length %d\n", desc->fd_lens[3]);
return -EINVAL;
}
/*
* This would fire for FRAME_TAG_WAIT (it has one empty
* segment), but we should never get it as client.
*/
if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
pr_err("last segment empty\n");
return -EINVAL;
}
if (desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("control segment too big %d\n", desc->fd_lens[0]);
return -EINVAL;
}
if (desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("front segment too big %d\n", desc->fd_lens[1]);
return -EINVAL;
}
if (desc->fd_lens[2] > CEPH_MSG_MAX_MIDDLE_LEN) {
pr_err("middle segment too big %d\n", desc->fd_lens[2]);
return -EINVAL;
}
if (desc->fd_lens[3] > CEPH_MSG_MAX_DATA_LEN) {
pr_err("data segment too big %d\n", desc->fd_lens[3]);
pr_err("last segment empty, segment count %d\n",
desc->fd_seg_cnt);
return -EINVAL;
}
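Review bot: The four new range checks on desc->fd_lens[0..3] in decode_preamble test `< 0` without saying why a length decoded from the wire can be negative at all, which a later reader is likely to "simplify" away; a one-line comment above the first check would pin the invariant, e.g. `/* fd_lens[] is int: a u32 segment length >= 2^31 decodes as negative, so reject < 0 as well as > max */`. The `BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN)` added to head_onwire_len and the matching one in __tail_onwire_len presumably rely on these checks having run first, so the same comment could note that the on-wire length helpers assume decode_preamble has already rejected out-of-range values, making those BUG_ONs internal-invariant assertions rather than crash-on-bad-input paths. decode_preamble begins before this hunk and its remainder lies after it; head_onwire_len and __tail_onwire_len likewise continue outside their hunks.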