diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-02-17 16:50:11 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-02-17 16:50:11 -0500 |
commit | 351a7934c0e788262f83380188f18e575f6bc63f (patch) | |
tree | e9edae6b05459ce1aa4f045be5eb53f705d026ae | |
parent | 7026f1929e18921fd67bf478f475a8fdfdff16ae (diff) | |
parent | 2365c4eaf077c48574ab6f143960048fc0f31518 (diff) |
Merge branch 'for-linus' of git://git.samba.org/sfrench/cifs-2.6
Pull CIFS fixes from Steve French:
"Three cifs fixes, the most important fixing the problem with passing
bogus pointers with writev (CVE-2014-0069).
Two additional cifs fixes are still in review (including the fix for
an append problem which Al also discovered)"
* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
CIFS: Fix too big maxBuf size for SMB3 mounts
cifs: ensure that uncached writes handle unmapped areas correctly
[CIFS] Fix cifsacl mounts over smb2 to not call cifs
-rw-r--r-- | fs/cifs/cifsacl.c | 33 | ||||
-rw-r--r-- | fs/cifs/cifsglob.h | 2 | ||||
-rw-r--r-- | fs/cifs/cifsproto.h | 6 | ||||
-rw-r--r-- | fs/cifs/dir.c | 2 | ||||
-rw-r--r-- | fs/cifs/file.c | 39 | ||||
-rw-r--r-- | fs/cifs/inode.c | 2 | ||||
-rw-r--r-- | fs/cifs/smb1ops.c | 1 | ||||
-rw-r--r-- | fs/cifs/smb2glob.h | 3 | ||||
-rw-r--r-- | fs/cifs/smb2ops.c | 14 | ||||
-rw-r--r-- | fs/cifs/smb2pdu.c | 4 |
10 files changed, 78 insertions, 28 deletions
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index c819b0bd491a..7ff866dbb89e 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c | |||
@@ -865,8 +865,8 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, | |||
865 | return rc; | 865 | return rc; |
866 | } | 866 | } |
867 | 867 | ||
868 | static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb, | 868 | struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb, |
869 | __u16 fid, u32 *pacllen) | 869 | const struct cifs_fid *cifsfid, u32 *pacllen) |
870 | { | 870 | { |
871 | struct cifs_ntsd *pntsd = NULL; | 871 | struct cifs_ntsd *pntsd = NULL; |
872 | unsigned int xid; | 872 | unsigned int xid; |
@@ -877,7 +877,8 @@ static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb, | |||
877 | return ERR_CAST(tlink); | 877 | return ERR_CAST(tlink); |
878 | 878 | ||
879 | xid = get_xid(); | 879 | xid = get_xid(); |
880 | rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), fid, &pntsd, pacllen); | 880 | rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd, |
881 | pacllen); | ||
881 | free_xid(xid); | 882 | free_xid(xid); |
882 | 883 | ||
883 | cifs_put_tlink(tlink); | 884 | cifs_put_tlink(tlink); |
@@ -946,7 +947,7 @@ struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb, | |||
946 | if (!open_file) | 947 | if (!open_file) |
947 | return get_cifs_acl_by_path(cifs_sb, path, pacllen); | 948 | return get_cifs_acl_by_path(cifs_sb, path, pacllen); |
948 | 949 | ||
949 | pntsd = get_cifs_acl_by_fid(cifs_sb, open_file->fid.netfid, pacllen); | 950 | pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen); |
950 | cifsFileInfo_put(open_file); | 951 | cifsFileInfo_put(open_file); |
951 | return pntsd; | 952 | return pntsd; |
952 | } | 953 | } |
@@ -1006,19 +1007,31 @@ out: | |||
1006 | /* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */ | 1007 | /* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */ |
1007 | int | 1008 | int |
1008 | cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr, | 1009 | cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr, |
1009 | struct inode *inode, const char *path, const __u16 *pfid) | 1010 | struct inode *inode, const char *path, |
1011 | const struct cifs_fid *pfid) | ||
1010 | { | 1012 | { |
1011 | struct cifs_ntsd *pntsd = NULL; | 1013 | struct cifs_ntsd *pntsd = NULL; |
1012 | u32 acllen = 0; | 1014 | u32 acllen = 0; |
1013 | int rc = 0; | 1015 | int rc = 0; |
1016 | struct tcon_link *tlink = cifs_sb_tlink(cifs_sb); | ||
1017 | struct cifs_tcon *tcon; | ||
1014 | 1018 | ||
1015 | cifs_dbg(NOISY, "converting ACL to mode for %s\n", path); | 1019 | cifs_dbg(NOISY, "converting ACL to mode for %s\n", path); |
1016 | 1020 | ||
1017 | if (pfid) | 1021 | if (IS_ERR(tlink)) |
1018 | pntsd = get_cifs_acl_by_fid(cifs_sb, *pfid, &acllen); | 1022 | return PTR_ERR(tlink); |
1019 | else | 1023 | tcon = tlink_tcon(tlink); |
1020 | pntsd = get_cifs_acl(cifs_sb, inode, path, &acllen); | ||
1021 | 1024 | ||
1025 | if (pfid && (tcon->ses->server->ops->get_acl_by_fid)) | ||
1026 | pntsd = tcon->ses->server->ops->get_acl_by_fid(cifs_sb, pfid, | ||
1027 | &acllen); | ||
1028 | else if (tcon->ses->server->ops->get_acl) | ||
1029 | pntsd = tcon->ses->server->ops->get_acl(cifs_sb, inode, path, | ||
1030 | &acllen); | ||
1031 | else { | ||
1032 | cifs_put_tlink(tlink); | ||
1033 | return -EOPNOTSUPP; | ||
1034 | } | ||
1022 | /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */ | 1035 | /* if we can retrieve the ACL, now parse Access Control Entries, ACEs */ |
1023 | if (IS_ERR(pntsd)) { | 1036 | if (IS_ERR(pntsd)) { |
1024 | rc = PTR_ERR(pntsd); | 1037 | rc = PTR_ERR(pntsd); |
@@ -1030,6 +1043,8 @@ cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr, | |||
1030 | cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc); | 1043 | cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc); |
1031 | } | 1044 | } |
1032 | 1045 | ||
1046 | cifs_put_tlink(tlink); | ||
1047 | |||
1033 | return rc; | 1048 | return rc; |
1034 | } | 1049 | } |
1035 | 1050 | ||
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 86dc28c7aa5c..cf32f0393369 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h | |||
@@ -398,6 +398,8 @@ struct smb_version_operations { | |||
398 | const struct nls_table *, int); | 398 | const struct nls_table *, int); |
399 | struct cifs_ntsd * (*get_acl)(struct cifs_sb_info *, struct inode *, | 399 | struct cifs_ntsd * (*get_acl)(struct cifs_sb_info *, struct inode *, |
400 | const char *, u32 *); | 400 | const char *, u32 *); |
401 | struct cifs_ntsd * (*get_acl_by_fid)(struct cifs_sb_info *, | ||
402 | const struct cifs_fid *, u32 *); | ||
401 | int (*set_acl)(struct cifs_ntsd *, __u32, struct inode *, const char *, | 403 | int (*set_acl)(struct cifs_ntsd *, __u32, struct inode *, const char *, |
402 | int); | 404 | int); |
403 | }; | 405 | }; |
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h index d00e09dfc452..acc4ee8ed075 100644 --- a/fs/cifs/cifsproto.h +++ b/fs/cifs/cifsproto.h | |||
@@ -151,7 +151,7 @@ extern struct inode *cifs_iget(struct super_block *sb, | |||
151 | 151 | ||
152 | extern int cifs_get_inode_info(struct inode **inode, const char *full_path, | 152 | extern int cifs_get_inode_info(struct inode **inode, const char *full_path, |
153 | FILE_ALL_INFO *data, struct super_block *sb, | 153 | FILE_ALL_INFO *data, struct super_block *sb, |
154 | int xid, const __u16 *fid); | 154 | int xid, const struct cifs_fid *fid); |
155 | extern int cifs_get_inode_info_unix(struct inode **pinode, | 155 | extern int cifs_get_inode_info_unix(struct inode **pinode, |
156 | const unsigned char *search_path, | 156 | const unsigned char *search_path, |
157 | struct super_block *sb, unsigned int xid); | 157 | struct super_block *sb, unsigned int xid); |
@@ -162,11 +162,13 @@ extern int cifs_rename_pending_delete(const char *full_path, | |||
162 | const unsigned int xid); | 162 | const unsigned int xid); |
163 | extern int cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, | 163 | extern int cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, |
164 | struct cifs_fattr *fattr, struct inode *inode, | 164 | struct cifs_fattr *fattr, struct inode *inode, |
165 | const char *path, const __u16 *pfid); | 165 | const char *path, const struct cifs_fid *pfid); |
166 | extern int id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64, | 166 | extern int id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64, |
167 | kuid_t, kgid_t); | 167 | kuid_t, kgid_t); |
168 | extern struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *, struct inode *, | 168 | extern struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *, struct inode *, |
169 | const char *, u32 *); | 169 | const char *, u32 *); |
170 | extern struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *, | ||
171 | const struct cifs_fid *, u32 *); | ||
170 | extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *, | 172 | extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *, |
171 | const char *, int); | 173 | const char *, int); |
172 | 174 | ||
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c index d3a6796caa5a..3db0c5fd9a11 100644 --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c | |||
@@ -378,7 +378,7 @@ cifs_create_get_file_info: | |||
378 | xid); | 378 | xid); |
379 | else { | 379 | else { |
380 | rc = cifs_get_inode_info(&newinode, full_path, buf, inode->i_sb, | 380 | rc = cifs_get_inode_info(&newinode, full_path, buf, inode->i_sb, |
381 | xid, &fid->netfid); | 381 | xid, fid); |
382 | if (newinode) { | 382 | if (newinode) { |
383 | if (server->ops->set_lease_key) | 383 | if (server->ops->set_lease_key) |
384 | server->ops->set_lease_key(newinode, fid); | 384 | server->ops->set_lease_key(newinode, fid); |
diff --git a/fs/cifs/file.c b/fs/cifs/file.c index 755584684f6c..53c15074bb36 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c | |||
@@ -244,7 +244,7 @@ cifs_nt_open(char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb, | |||
244 | xid); | 244 | xid); |
245 | else | 245 | else |
246 | rc = cifs_get_inode_info(&inode, full_path, buf, inode->i_sb, | 246 | rc = cifs_get_inode_info(&inode, full_path, buf, inode->i_sb, |
247 | xid, &fid->netfid); | 247 | xid, fid); |
248 | 248 | ||
249 | out: | 249 | out: |
250 | kfree(buf); | 250 | kfree(buf); |
@@ -2389,7 +2389,7 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, | |||
2389 | unsigned long nr_segs, loff_t *poffset) | 2389 | unsigned long nr_segs, loff_t *poffset) |
2390 | { | 2390 | { |
2391 | unsigned long nr_pages, i; | 2391 | unsigned long nr_pages, i; |
2392 | size_t copied, len, cur_len; | 2392 | size_t bytes, copied, len, cur_len; |
2393 | ssize_t total_written = 0; | 2393 | ssize_t total_written = 0; |
2394 | loff_t offset; | 2394 | loff_t offset; |
2395 | struct iov_iter it; | 2395 | struct iov_iter it; |
@@ -2444,14 +2444,45 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, | |||
2444 | 2444 | ||
2445 | save_len = cur_len; | 2445 | save_len = cur_len; |
2446 | for (i = 0; i < nr_pages; i++) { | 2446 | for (i = 0; i < nr_pages; i++) { |
2447 | copied = min_t(const size_t, cur_len, PAGE_SIZE); | 2447 | bytes = min_t(const size_t, cur_len, PAGE_SIZE); |
2448 | copied = iov_iter_copy_from_user(wdata->pages[i], &it, | 2448 | copied = iov_iter_copy_from_user(wdata->pages[i], &it, |
2449 | 0, copied); | 2449 | 0, bytes); |
2450 | cur_len -= copied; | 2450 | cur_len -= copied; |
2451 | iov_iter_advance(&it, copied); | 2451 | iov_iter_advance(&it, copied); |
2452 | /* | ||
2453 | * If we didn't copy as much as we expected, then that | ||
2454 | * may mean we trod into an unmapped area. Stop copying | ||
2455 | * at that point. On the next pass through the big | ||
2456 | * loop, we'll likely end up getting a zero-length | ||
2457 | * write and bailing out of it. | ||
2458 | */ | ||
2459 | if (copied < bytes) | ||
2460 | break; | ||
2452 | } | 2461 | } |
2453 | cur_len = save_len - cur_len; | 2462 | cur_len = save_len - cur_len; |
2454 | 2463 | ||
2464 | /* | ||
2465 | * If we have no data to send, then that probably means that | ||
2466 | * the copy above failed altogether. That's most likely because | ||
2467 | * the address in the iovec was bogus. Set the rc to -EFAULT, | ||
2468 | * free anything we allocated and bail out. | ||
2469 | */ | ||
2470 | if (!cur_len) { | ||
2471 | for (i = 0; i < nr_pages; i++) | ||
2472 | put_page(wdata->pages[i]); | ||
2473 | kfree(wdata); | ||
2474 | rc = -EFAULT; | ||
2475 | break; | ||
2476 | } | ||
2477 | |||
2478 | /* | ||
2479 | * i + 1 now represents the number of pages we actually used in | ||
2480 | * the copy phase above. Bring nr_pages down to that, and free | ||
2481 | * any pages that we didn't use. | ||
2482 | */ | ||
2483 | for ( ; nr_pages > i + 1; nr_pages--) | ||
2484 | put_page(wdata->pages[nr_pages - 1]); | ||
2485 | |||
2455 | wdata->sync_mode = WB_SYNC_ALL; | 2486 | wdata->sync_mode = WB_SYNC_ALL; |
2456 | wdata->nr_pages = nr_pages; | 2487 | wdata->nr_pages = nr_pages; |
2457 | wdata->offset = (__u64)offset; | 2488 | wdata->offset = (__u64)offset; |
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c index be58b8fcdb3c..aadc2b68678b 100644 --- a/fs/cifs/inode.c +++ b/fs/cifs/inode.c | |||
@@ -677,7 +677,7 @@ cgfi_exit: | |||
677 | int | 677 | int |
678 | cifs_get_inode_info(struct inode **inode, const char *full_path, | 678 | cifs_get_inode_info(struct inode **inode, const char *full_path, |
679 | FILE_ALL_INFO *data, struct super_block *sb, int xid, | 679 | FILE_ALL_INFO *data, struct super_block *sb, int xid, |
680 | const __u16 *fid) | 680 | const struct cifs_fid *fid) |
681 | { | 681 | { |
682 | bool validinum = false; | 682 | bool validinum = false; |
683 | __u16 srchflgs; | 683 | __u16 srchflgs; |
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c index bfd66d84831e..526fb89f9230 100644 --- a/fs/cifs/smb1ops.c +++ b/fs/cifs/smb1ops.c | |||
@@ -1073,6 +1073,7 @@ struct smb_version_operations smb1_operations = { | |||
1073 | #endif /* CIFS_XATTR */ | 1073 | #endif /* CIFS_XATTR */ |
1074 | #ifdef CONFIG_CIFS_ACL | 1074 | #ifdef CONFIG_CIFS_ACL |
1075 | .get_acl = get_cifs_acl, | 1075 | .get_acl = get_cifs_acl, |
1076 | .get_acl_by_fid = get_cifs_acl_by_fid, | ||
1076 | .set_acl = set_cifs_acl, | 1077 | .set_acl = set_cifs_acl, |
1077 | #endif /* CIFS_ACL */ | 1078 | #endif /* CIFS_ACL */ |
1078 | }; | 1079 | }; |
diff --git a/fs/cifs/smb2glob.h b/fs/cifs/smb2glob.h index c38350851b08..bc0bb9c34f72 100644 --- a/fs/cifs/smb2glob.h +++ b/fs/cifs/smb2glob.h | |||
@@ -57,4 +57,7 @@ | |||
57 | #define SMB2_CMACAES_SIZE (16) | 57 | #define SMB2_CMACAES_SIZE (16) |
58 | #define SMB3_SIGNKEY_SIZE (16) | 58 | #define SMB3_SIGNKEY_SIZE (16) |
59 | 59 | ||
60 | /* Maximum buffer size value we can send with 1 credit */ | ||
61 | #define SMB2_MAX_BUFFER_SIZE 65536 | ||
62 | |||
60 | #endif /* _SMB2_GLOB_H */ | 63 | #endif /* _SMB2_GLOB_H */ |
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 757da3e54d3d..192f51a12cf1 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c | |||
@@ -182,11 +182,8 @@ smb2_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) | |||
182 | /* start with specified wsize, or default */ | 182 | /* start with specified wsize, or default */ |
183 | wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE; | 183 | wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE; |
184 | wsize = min_t(unsigned int, wsize, server->max_write); | 184 | wsize = min_t(unsigned int, wsize, server->max_write); |
185 | /* | 185 | /* set it to the maximum buffer size value we can send with 1 credit */ |
186 | * limit write size to 2 ** 16, because we don't support multicredit | 186 | wsize = min_t(unsigned int, wsize, SMB2_MAX_BUFFER_SIZE); |
187 | * requests now. | ||
188 | */ | ||
189 | wsize = min_t(unsigned int, wsize, 2 << 15); | ||
190 | 187 | ||
191 | return wsize; | 188 | return wsize; |
192 | } | 189 | } |
@@ -200,11 +197,8 @@ smb2_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) | |||
200 | /* start with specified rsize, or default */ | 197 | /* start with specified rsize, or default */ |
201 | rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE; | 198 | rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE; |
202 | rsize = min_t(unsigned int, rsize, server->max_read); | 199 | rsize = min_t(unsigned int, rsize, server->max_read); |
203 | /* | 200 | /* set it to the maximum buffer size value we can send with 1 credit */ |
204 | * limit write size to 2 ** 16, because we don't support multicredit | 201 | rsize = min_t(unsigned int, rsize, SMB2_MAX_BUFFER_SIZE); |
205 | * requests now. | ||
206 | */ | ||
207 | rsize = min_t(unsigned int, rsize, 2 << 15); | ||
208 | 202 | ||
209 | return rsize; | 203 | return rsize; |
210 | } | 204 | } |
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index a3f7a9c3cc69..860344701067 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c | |||
@@ -413,7 +413,9 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) | |||
413 | 413 | ||
414 | /* SMB2 only has an extended negflavor */ | 414 | /* SMB2 only has an extended negflavor */ |
415 | server->negflavor = CIFS_NEGFLAVOR_EXTENDED; | 415 | server->negflavor = CIFS_NEGFLAVOR_EXTENDED; |
416 | server->maxBuf = le32_to_cpu(rsp->MaxTransactSize); | 416 | /* set it to the maximum buffer size value we can send with 1 credit */ |
417 | server->maxBuf = min_t(unsigned int, le32_to_cpu(rsp->MaxTransactSize), | ||
418 | SMB2_MAX_BUFFER_SIZE); | ||
417 | server->max_read = le32_to_cpu(rsp->MaxReadSize); | 419 | server->max_read = le32_to_cpu(rsp->MaxReadSize); |
418 | server->max_write = le32_to_cpu(rsp->MaxWriteSize); | 420 | server->max_write = le32_to_cpu(rsp->MaxWriteSize); |
419 | /* BB Do we need to validate the SecurityMode? */ | 421 | /* BB Do we need to validate the SecurityMode? */ |