Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French: "SMB3 "validate negotiate" is needed to prevent certain types of downgrade attacks. Also changes SMB2/SMB3 copy offload from using the BTRFS copy ioctl (BTRFS_IOC_CLONE) to a cifs specific ioctl (CIFS_IOC_COPYCHUNK_FILE) to address Christoph's comment that there are semantic differences between requesting copy offload in which copy-on-write is mandatory (as in the BTRFS ioctl) and optional in the SMB2/SMB3 case. Also fixes SMB2/SMB3 copychunk for large files" * 'for-next' of git://git.samba.org/sfrench/cifs-2.6: [CIFS] Do not use btrfs refcopy ioctl for SMB2 copy offload Check SMB3 dialects against downgrade attacks Removed duplicated (and unneeded) goto CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-28 12:50:25 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-28 12:50:25 -0500
commit: 3bad8bb5cd3048a67df43ac6b1e2f191f19d9ff0 (patch)
tree: bc18e38958f63b6ffb8514e16729f094925e4d5b /fs
parent: 5ecbe3c3c690b5ab493c730c317475287a9e8b45 (diff)
parent: f19e84df37bda502a2248d507a9cf2b9e693279e (diff)
7 files changed, 189 insertions, 24 deletions
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index d9ea7ada1378..f918a998a087 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -384,6 +384,7 @@ struct smb_version_operations {
        int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
                        struct cifsFileInfo *target_file, u64 src_off, u64 len,
                        u64 dest_off);
+        int (*validate_negotiate)(const unsigned int, struct cifs_tcon *);
 };
 struct smb_version_values {
diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
index 409b45eefe70..77492301cc2b 100644
--- a/fs/cifs/ioctl.c
+++ b/fs/cifs/ioctl.c
@@ -26,13 +26,15 @@
 #include <linux/mount.h>
 #include <linux/mm.h>
 #include <linux/pagemap.h>
-#include <linux/btrfs.h>
 #include "cifspdu.h"
 #include "cifsglob.h"
 #include "cifsproto.h"
 #include "cifs_debug.h"
 #include "cifsfs.h"
+#define CIFS_IOCTL_MAGIC        0xCF
+#define CIFS_IOC_COPYCHUNK_FILE _IOW(CIFS_IOCTL_MAGIC, 3, int)
 static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file,
                        unsigned long srcfd, u64 off, u64 len, u64 destoff)
 {
@@ -213,7 +215,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
                                cifs_dbg(FYI, "set compress flag rc %d\n", rc);
                        }
                        break;
-                case BTRFS_IOC_CLONE:
+                case CIFS_IOC_COPYCHUNK_FILE:
                        rc = cifs_ioctl_clone(xid, filep, arg, 0, 0, 0);
                        break;
                default:
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 11dde4b24f8a..757da3e54d3d 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -532,7 +532,10 @@ smb2_clone_range(const unsigned int xid,
        int rc;
        unsigned int ret_data_len;
        struct copychunk_ioctl *pcchunk;
-        char *retbuf = NULL;
+        struct copychunk_ioctl_rsp *retbuf = NULL;
+        struct cifs_tcon *tcon;
+        int chunks_copied = 0;
+        bool chunk_sizes_updated = false;
        pcchunk = kmalloc(sizeof(struct copychunk_ioctl), GFP_KERNEL);
@@ -547,27 +550,96 @@ smb2_clone_range(const unsigned int xid,
        /* Note: request_res_key sets res_key null only if rc !=0 */
        if (rc)
-                return rc;
+                goto cchunk_out;
        /* For now array only one chunk long, will make more flexible later */
        pcchunk->ChunkCount = __constant_cpu_to_le32(1);
        pcchunk->Reserved = 0;
-        pcchunk->SourceOffset = cpu_to_le64(src_off);
-        pcchunk->TargetOffset = cpu_to_le64(dest_off);
-        pcchunk->Length = cpu_to_le32(len);
        pcchunk->Reserved2 = 0;
-        /* Request that server copy to target from src file identified by key */
+        tcon = tlink_tcon(trgtfile->tlink);
-        rc = SMB2_ioctl(xid, tlink_tcon(trgtfile->tlink),
-                        trgtfile->fid.persistent_fid,
-                        trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
-                        true /* is_fsctl */, (char *)pcchunk,
-                        sizeof(struct copychunk_ioctl), &retbuf, &ret_data_len);
-        /* BB need to special case rc = EINVAL to alter chunk size */
+        while (len > 0) {
+                pcchunk->SourceOffset = cpu_to_le64(src_off);
+                pcchunk->TargetOffset = cpu_to_le64(dest_off);
+                pcchunk->Length =
+                        cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
-        cifs_dbg(FYI, "rc %d data length out %d\n", rc, ret_data_len);
+                /* Request server copy to target from src identified by key */
+                rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
+                        trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
+                        true /* is_fsctl */, (char *)pcchunk,
+                        sizeof(struct copychunk_ioctl), (char **)&retbuf,
+                        &ret_data_len);
+                if (rc == 0) {
+                        if (ret_data_len !=
+                                        sizeof(struct copychunk_ioctl_rsp)) {
+                                cifs_dbg(VFS, "invalid cchunk response size\n");
+                                rc = -EIO;
+                                goto cchunk_out;
+                        }
+                        if (retbuf->TotalBytesWritten == 0) {
+                                cifs_dbg(FYI, "no bytes copied\n");
+                                rc = -EIO;
+                                goto cchunk_out;
+                        }
+                        /*
+                         * Check if server claimed to write more than we asked
+                         */
+                        if (le32_to_cpu(retbuf->TotalBytesWritten) >
+                            le32_to_cpu(pcchunk->Length)) {
+                                cifs_dbg(VFS, "invalid copy chunk response\n");
+                                rc = -EIO;
+                                goto cchunk_out;
+                        }
+                        if (le32_to_cpu(retbuf->ChunksWritten) != 1) {
+                                cifs_dbg(VFS, "invalid num chunks written\n");
+                                rc = -EIO;
+                                goto cchunk_out;
+                        }
+                        chunks_copied++;
+                        src_off += le32_to_cpu(retbuf->TotalBytesWritten);
+                        dest_off += le32_to_cpu(retbuf->TotalBytesWritten);
+                        len -= le32_to_cpu(retbuf->TotalBytesWritten);
+                        cifs_dbg(FYI, "Chunks %d PartialChunk %d Total %d\n",
+                                le32_to_cpu(retbuf->ChunksWritten),
+                                le32_to_cpu(retbuf->ChunkBytesWritten),
+                                le32_to_cpu(retbuf->TotalBytesWritten));
+                } else if (rc == -EINVAL) {
+                        if (ret_data_len != sizeof(struct copychunk_ioctl_rsp))
+                                goto cchunk_out;
+                        cifs_dbg(FYI, "MaxChunks %d BytesChunk %d MaxCopy %d\n",
+                                le32_to_cpu(retbuf->ChunksWritten),
+                                le32_to_cpu(retbuf->ChunkBytesWritten),
+                                le32_to_cpu(retbuf->TotalBytesWritten));
+                        /*
+                         * Check if this is the first request using these sizes,
+                         * (ie check if copy succeed once with original sizes
+                         * and check if the server gave us different sizes after
+                         * we already updated max sizes on previous request).
+                         * if not then why is the server returning an error now
+                         */
+                        if ((chunks_copied != 0) || chunk_sizes_updated)
+                                goto cchunk_out;
+                        /* Check that server is not asking us to grow size */
+                        if (le32_to_cpu(retbuf->ChunkBytesWritten) <
+                                        tcon->max_bytes_chunk)
+                                tcon->max_bytes_chunk =
+                                        le32_to_cpu(retbuf->ChunkBytesWritten);
+                        else
+                                goto cchunk_out; /* server gave us bogus size */
+                        /* No need to change MaxChunks since already set to 1 */
+                        chunk_sizes_updated = true;
+                }
+        }
+cchunk_out:
        kfree(pcchunk);
        return rc;
 }
@@ -1247,6 +1319,7 @@ struct smb_version_operations smb30_operations = {
        .create_lease_buf = smb3_create_lease_buf,
        .parse_lease_buf = smb3_parse_lease_buf,
        .clone_range = smb2_clone_range,
+        .validate_negotiate = smb3_validate_negotiate,
 };
 struct smb_version_values smb20_values = {
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index d65270c290a1..2013234b73ad 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
        return rc;
 }
+int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+{
+        int rc = 0;
+        struct validate_negotiate_info_req vneg_inbuf;
+        struct validate_negotiate_info_rsp *pneg_rsp;
+        u32 rsplen;
+        cifs_dbg(FYI, "validate negotiate\n");
+        /*
+         * validation ioctl must be signed, so no point sending this if we
+         * can not sign it.  We could eventually change this to selectively
+         * sign just this, the first and only signed request on a connection.
+         * This is good enough for now since a user who wants better security
+         * would also enable signing on the mount. Having validation of
+         * negotiate info for signed connections helps reduce attack vectors
+         */
+        if (tcon->ses->server->sign == false)
+                return 0; /* validation requires signing */
+        vneg_inbuf.Capabilities =
+                        cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+        memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
+        if (tcon->ses->sign)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
+        else if (global_secflags & CIFSSEC_MAY_SIGN)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
+        else
+                vneg_inbuf.SecurityMode = 0;
+        vneg_inbuf.DialectCount = cpu_to_le16(1);
+        vneg_inbuf.Dialects[0] =
+                cpu_to_le16(tcon->ses->server->vals->protocol_id);
+        rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+                FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
+                (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
+                (char **)&pneg_rsp, &rsplen);
+        if (rc != 0) {
+                cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
+                return -EIO;
+        }
+        if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+                cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
+                return -EIO;
+        }
+        /* check validate negotiate info response matches what we got earlier */
+        if (pneg_rsp->Dialect !=
+                        cpu_to_le16(tcon->ses->server->vals->protocol_id))
+                goto vneg_out;
+        if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
+                goto vneg_out;
+        /* do not validate server guid because not saved at negprot time yet */
+        if ((le32_to_cpu(pneg_rsp->Capabilities) | SMB2_NT_FIND |
+              SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
+                goto vneg_out;
+        /* validate negotiate successful */
+        cifs_dbg(FYI, "validate negotiate info successful\n");
+        return 0;
+vneg_out:
+        cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+        return -EIO;
+}
 int
 SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
                const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
            ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
                cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
        init_copy_chunk_defaults(tcon);
+        if (tcon->ses->server->ops->validate_negotiate)
+                rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
 tcon_exit:
        free_rsp_buf(resp_buftype, rsp);
        kfree(unc_path);
@@ -1214,10 +1291,17 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
-        if (rc != 0) {
+        if ((rc != 0) && (rc != -EINVAL)) {
                if (tcon)
                        cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
                goto ioctl_exit;
+        } else if (rc == -EINVAL) {
+                if ((opcode != FSCTL_SRV_COPYCHUNK_WRITE) &&
+                    (opcode != FSCTL_SRV_COPYCHUNK)) {
+                        if (tcon)
+                                cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
+                        goto ioctl_exit;
+                }
        }
        /* check if caller wants to look at return data or just return rc */
@@ -2154,11 +2238,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
        rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);
        rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;
-        if (rc != 0) {
+        if (rc != 0)
                cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
-                goto out;
-        }
-out:
        free_rsp_buf(resp_buftype, rsp);
        kfree(iov);
        return rc;
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index f88320bbb477..2022c542ea3a 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -577,13 +577,19 @@ struct copychunk_ioctl_rsp {
        __le32 TotalBytesWritten;
 } __packed;
-/* Response and Request are the same format */
+struct validate_negotiate_info_req {
-struct validate_negotiate_info {
        __le32 Capabilities;
        __u8   Guid[SMB2_CLIENT_GUID_SIZE];
        __le16 SecurityMode;
        __le16 DialectCount;
-        __le16 Dialect[1];
+        __le16 Dialects[1]; /* dialect (someday maybe list) client asked for */
+} __packed;
+struct validate_negotiate_info_rsp {
+        __le32 Capabilities;
+        __u8   Guid[SMB2_CLIENT_GUID_SIZE];
+        __le16 SecurityMode;
+        __le16 Dialect; /* Dialect in use for the connection */
 } __packed;
 #define RSS_CAPABLE     0x00000001
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index b4eea105b08c..93adc64666f3 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -162,5 +162,6 @@ extern int smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon,
                      struct smb2_lock_element *buf);
 extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
                            __u8 *lease_key, const __le32 lease_state);
+extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
 #endif                  /* _SMB2PROTO_H */
diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h
index a4b2391fe66e..0e538b5c9622 100644
--- a/fs/cifs/smbfsctl.h
+++ b/fs/cifs/smbfsctl.h
@@ -90,7 +90,7 @@
 #define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */
 #define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */
 #define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */
-#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204 /* BB add struct */
+#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204
 /* Perform server-side data movement */
 #define FSCTL_SRV_COPYCHUNK 0x001440F2
 #define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-11-28 12:50:25 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-11-28 12:50:25 -0500
commit	3bad8bb5cd3048a67df43ac6b1e2f191f19d9ff0 (patch)
tree	bc18e38958f63b6ffb8514e16729f094925e4d5b /fs
parent	5ecbe3c3c690b5ab493c730c317475287a9e8b45 (diff)
parent	f19e84df37bda502a2248d507a9cf2b9e693279e (diff)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index d9ea7ada1378..f918a998a087 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -384,6 +384,7 @@ struct smb_version_operations {
384	int (clone_range)(const unsigned int, struct cifsFileInfo src_file,	384	int (clone_range)(const unsigned int, struct cifsFileInfo src_file,
385	struct cifsFileInfo *target_file, u64 src_off, u64 len,	385	struct cifsFileInfo *target_file, u64 src_off, u64 len,
386	u64 dest_off);	386	u64 dest_off);
		387	int (validate_negotiate)(const unsigned int, struct cifs_tcon );
387	};	388	};
388		389
389	struct smb_version_values {	390	struct smb_version_values {


diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c index 409b45eefe70..77492301cc2b 100644 --- a/fs/cifs/ioctl.c +++ b/fs/cifs/ioctl.c
@@ -26,13 +26,15 @@
26	#include <linux/mount.h>	26	#include <linux/mount.h>
27	#include <linux/mm.h>	27	#include <linux/mm.h>
28	#include <linux/pagemap.h>	28	#include <linux/pagemap.h>
29	#include <linux/btrfs.h>
30	#include "cifspdu.h"	29	#include "cifspdu.h"
31	#include "cifsglob.h"	30	#include "cifsglob.h"
32	#include "cifsproto.h"	31	#include "cifsproto.h"
33	#include "cifs_debug.h"	32	#include "cifs_debug.h"
34	#include "cifsfs.h"	33	#include "cifsfs.h"
35		34
		35	#define CIFS_IOCTL_MAGIC 0xCF
		36	#define CIFS_IOC_COPYCHUNK_FILE _IOW(CIFS_IOCTL_MAGIC, 3, int)
		37
36	static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file,	38	static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file,
37	unsigned long srcfd, u64 off, u64 len, u64 destoff)	39	unsigned long srcfd, u64 off, u64 len, u64 destoff)
38	{	40	{
@@ -213,7 +215,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
213	cifs_dbg(FYI, "set compress flag rc %d\n", rc);	215	cifs_dbg(FYI, "set compress flag rc %d\n", rc);
214	}	216	}
215	break;	217	break;
216	case BTRFS_IOC_CLONE:	218	case CIFS_IOC_COPYCHUNK_FILE:
217	rc = cifs_ioctl_clone(xid, filep, arg, 0, 0, 0);	219	rc = cifs_ioctl_clone(xid, filep, arg, 0, 0, 0);
218	break;	220	break;
219	default:	221	default:


diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 11dde4b24f8a..757da3e54d3d 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c
@@ -532,7 +532,10 @@ smb2_clone_range(const unsigned int xid,
532	int rc;	532	int rc;
533	unsigned int ret_data_len;	533	unsigned int ret_data_len;
534	struct copychunk_ioctl *pcchunk;	534	struct copychunk_ioctl *pcchunk;
535	char *retbuf = NULL;	535	struct copychunk_ioctl_rsp *retbuf = NULL;
		536	struct cifs_tcon *tcon;
		537	int chunks_copied = 0;
		538	bool chunk_sizes_updated = false;
536		539
537	pcchunk = kmalloc(sizeof(struct copychunk_ioctl), GFP_KERNEL);	540	pcchunk = kmalloc(sizeof(struct copychunk_ioctl), GFP_KERNEL);
538		541
@@ -547,27 +550,96 @@ smb2_clone_range(const unsigned int xid,
547		550
548	/* Note: request_res_key sets res_key null only if rc !=0 */	551	/* Note: request_res_key sets res_key null only if rc !=0 */
549	if (rc)	552	if (rc)
550	return rc;	553	goto cchunk_out;
551		554
552	/* For now array only one chunk long, will make more flexible later */	555	/* For now array only one chunk long, will make more flexible later */
553	pcchunk->ChunkCount = __constant_cpu_to_le32(1);	556	pcchunk->ChunkCount = __constant_cpu_to_le32(1);
554	pcchunk->Reserved = 0;	557	pcchunk->Reserved = 0;
555	pcchunk->SourceOffset = cpu_to_le64(src_off);
556	pcchunk->TargetOffset = cpu_to_le64(dest_off);
557	pcchunk->Length = cpu_to_le32(len);
558	pcchunk->Reserved2 = 0;	558	pcchunk->Reserved2 = 0;
559		559
560	/* Request that server copy to target from src file identified by key */	560	tcon = tlink_tcon(trgtfile->tlink);
561	rc = SMB2_ioctl(xid, tlink_tcon(trgtfile->tlink),
562	trgtfile->fid.persistent_fid,
563	trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
564	true /* is_fsctl /, (char )pcchunk,
565	sizeof(struct copychunk_ioctl), &retbuf, &ret_data_len);
566		561
567	/* BB need to special case rc = EINVAL to alter chunk size */	562	while (len > 0) {
		563	pcchunk->SourceOffset = cpu_to_le64(src_off);
		564	pcchunk->TargetOffset = cpu_to_le64(dest_off);
		565	pcchunk->Length =
		566	cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
568		567
569	cifs_dbg(FYI, "rc %d data length out %d\n", rc, ret_data_len);	568	/* Request server copy to target from src identified by key */
		569	rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
		570	trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
		571	true /* is_fsctl /, (char )pcchunk,
		572	sizeof(struct copychunk_ioctl), (char **)&retbuf,
		573	&ret_data_len);
		574	if (rc == 0) {
		575	if (ret_data_len !=
		576	sizeof(struct copychunk_ioctl_rsp)) {
		577	cifs_dbg(VFS, "invalid cchunk response size\n");
		578	rc = -EIO;
		579	goto cchunk_out;
		580	}
		581	if (retbuf->TotalBytesWritten == 0) {
		582	cifs_dbg(FYI, "no bytes copied\n");
		583	rc = -EIO;
		584	goto cchunk_out;
		585	}
		586	/*
		587	* Check if server claimed to write more than we asked
		588	*/
		589	if (le32_to_cpu(retbuf->TotalBytesWritten) >
		590	le32_to_cpu(pcchunk->Length)) {
		591	cifs_dbg(VFS, "invalid copy chunk response\n");
		592	rc = -EIO;
		593	goto cchunk_out;
		594	}
		595	if (le32_to_cpu(retbuf->ChunksWritten) != 1) {
		596	cifs_dbg(VFS, "invalid num chunks written\n");
		597	rc = -EIO;
		598	goto cchunk_out;
		599	}
		600	chunks_copied++;
		601
		602	src_off += le32_to_cpu(retbuf->TotalBytesWritten);
		603	dest_off += le32_to_cpu(retbuf->TotalBytesWritten);
		604	len -= le32_to_cpu(retbuf->TotalBytesWritten);
		605
		606	cifs_dbg(FYI, "Chunks %d PartialChunk %d Total %d\n",
		607	le32_to_cpu(retbuf->ChunksWritten),
		608	le32_to_cpu(retbuf->ChunkBytesWritten),
		609	le32_to_cpu(retbuf->TotalBytesWritten));
		610	} else if (rc == -EINVAL) {
		611	if (ret_data_len != sizeof(struct copychunk_ioctl_rsp))
		612	goto cchunk_out;
		613
		614	cifs_dbg(FYI, "MaxChunks %d BytesChunk %d MaxCopy %d\n",
		615	le32_to_cpu(retbuf->ChunksWritten),
		616	le32_to_cpu(retbuf->ChunkBytesWritten),
		617	le32_to_cpu(retbuf->TotalBytesWritten));
		618
		619	/*
		620	* Check if this is the first request using these sizes,
		621	* (ie check if copy succeed once with original sizes
		622	* and check if the server gave us different sizes after
		623	* we already updated max sizes on previous request).
		624	* if not then why is the server returning an error now
		625	*/
		626	if ((chunks_copied != 0) \|\| chunk_sizes_updated)
		627	goto cchunk_out;
		628
		629	/* Check that server is not asking us to grow size */
		630	if (le32_to_cpu(retbuf->ChunkBytesWritten) <
		631	tcon->max_bytes_chunk)
		632	tcon->max_bytes_chunk =
		633	le32_to_cpu(retbuf->ChunkBytesWritten);
		634	else
		635	goto cchunk_out; /* server gave us bogus size */
		636
		637	/* No need to change MaxChunks since already set to 1 */
		638	chunk_sizes_updated = true;
		639	}
		640	}
570		641
		642	cchunk_out:
571	kfree(pcchunk);	643	kfree(pcchunk);
572	return rc;	644	return rc;
573	}	645	}
@@ -1247,6 +1319,7 @@ struct smb_version_operations smb30_operations = {
1247	.create_lease_buf = smb3_create_lease_buf,	1319	.create_lease_buf = smb3_create_lease_buf,
1248	.parse_lease_buf = smb3_parse_lease_buf,	1320	.parse_lease_buf = smb3_parse_lease_buf,
1249	.clone_range = smb2_clone_range,	1321	.clone_range = smb2_clone_range,
		1322	.validate_negotiate = smb3_validate_negotiate,
1250	};	1323	};
1251		1324
1252	struct smb_version_values smb20_values = {	1325	struct smb_version_values smb20_values = {


diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index d65270c290a1..2013234b73ad 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
454	return rc;	454	return rc;
455	}	455	}
456		456
		457	int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
		458	{
		459	int rc = 0;
		460	struct validate_negotiate_info_req vneg_inbuf;
		461	struct validate_negotiate_info_rsp *pneg_rsp;
		462	u32 rsplen;
		463
		464	cifs_dbg(FYI, "validate negotiate\n");
		465
		466	/*
		467	* validation ioctl must be signed, so no point sending this if we
		468	* can not sign it. We could eventually change this to selectively
		469	* sign just this, the first and only signed request on a connection.
		470	* This is good enough for now since a user who wants better security
		471	* would also enable signing on the mount. Having validation of
		472	* negotiate info for signed connections helps reduce attack vectors
		473	*/
		474	if (tcon->ses->server->sign == false)
		475	return 0; /* validation requires signing */
		476
		477	vneg_inbuf.Capabilities =
		478	cpu_to_le32(tcon->ses->server->vals->req_capabilities);
		479	memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
		480
		481	if (tcon->ses->sign)
		482	vneg_inbuf.SecurityMode =
		483	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
		484	else if (global_secflags & CIFSSEC_MAY_SIGN)
		485	vneg_inbuf.SecurityMode =
		486	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
		487	else
		488	vneg_inbuf.SecurityMode = 0;
		489
		490	vneg_inbuf.DialectCount = cpu_to_le16(1);
		491	vneg_inbuf.Dialects[0] =
		492	cpu_to_le16(tcon->ses->server->vals->protocol_id);
		493
		494	rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
		495	FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
		496	(char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
		497	(char **)&pneg_rsp, &rsplen);
		498
		499	if (rc != 0) {
		500	cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
		501	return -EIO;
		502	}
		503
		504	if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
		505	cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
		506	return -EIO;
		507	}
		508
		509	/* check validate negotiate info response matches what we got earlier */
		510	if (pneg_rsp->Dialect !=
		511	cpu_to_le16(tcon->ses->server->vals->protocol_id))
		512	goto vneg_out;
		513
		514	if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
		515	goto vneg_out;
		516
		517	/* do not validate server guid because not saved at negprot time yet */
		518
		519	if ((le32_to_cpu(pneg_rsp->Capabilities) \| SMB2_NT_FIND \|
		520	SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
		521	goto vneg_out;
		522
		523	/* validate negotiate successful */
		524	cifs_dbg(FYI, "validate negotiate info successful\n");
		525	return 0;
		526
		527	vneg_out:
		528	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
		529	return -EIO;
		530	}
		531
457	int	532	int
458	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,	533	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
459	const struct nls_table *nls_cp)	534	const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses ses, const char tree,
829	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))	904	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
830	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");	905	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
831	init_copy_chunk_defaults(tcon);	906	init_copy_chunk_defaults(tcon);
		907	if (tcon->ses->server->ops->validate_negotiate)
		908	rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
832	tcon_exit:	909	tcon_exit:
833	free_rsp_buf(resp_buftype, rsp);	910	free_rsp_buf(resp_buftype, rsp);
834	kfree(unc_path);	911	kfree(unc_path);
@@ -1214,10 +1291,17 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
1214	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);	1291	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
1215	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;	1292	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
1216		1293
1217	if (rc != 0) {	1294	if ((rc != 0) && (rc != -EINVAL)) {
1218	if (tcon)	1295	if (tcon)
1219	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);	1296	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
1220	goto ioctl_exit;	1297	goto ioctl_exit;
		1298	} else if (rc == -EINVAL) {
		1299	if ((opcode != FSCTL_SRV_COPYCHUNK_WRITE) &&
		1300	(opcode != FSCTL_SRV_COPYCHUNK)) {
		1301	if (tcon)
		1302	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
		1303	goto ioctl_exit;
		1304	}
1221	}	1305	}
1222		1306
1223	/* check if caller wants to look at return data or just return rc */	1307	/* check if caller wants to look at return data or just return rc */
@@ -2154,11 +2238,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
2154	rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);	2238	rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);
2155	rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;	2239	rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;
2156		2240
2157	if (rc != 0) {	2241	if (rc != 0)
2158	cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);	2242	cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
2159	goto out;	2243
2160	}
2161	out:
2162	free_rsp_buf(resp_buftype, rsp);	2244	free_rsp_buf(resp_buftype, rsp);
2163	kfree(iov);	2245	kfree(iov);
2164	return rc;	2246	return rc;


diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index f88320bbb477..2022c542ea3a 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h
@@ -577,13 +577,19 @@ struct copychunk_ioctl_rsp {
577	__le32 TotalBytesWritten;	577	__le32 TotalBytesWritten;
578	} __packed;	578	} __packed;
579		579
580	/* Response and Request are the same format */	580	struct validate_negotiate_info_req {
581	struct validate_negotiate_info {
582	__le32 Capabilities;	581	__le32 Capabilities;
583	__u8 Guid[SMB2_CLIENT_GUID_SIZE];	582	__u8 Guid[SMB2_CLIENT_GUID_SIZE];
584	__le16 SecurityMode;	583	__le16 SecurityMode;
585	__le16 DialectCount;	584	__le16 DialectCount;
586	__le16 Dialect[1];	585	__le16 Dialects[1]; /* dialect (someday maybe list) client asked for */
		586	} __packed;
		587
		588	struct validate_negotiate_info_rsp {
		589	__le32 Capabilities;
		590	__u8 Guid[SMB2_CLIENT_GUID_SIZE];
		591	__le16 SecurityMode;
		592	__le16 Dialect; /* Dialect in use for the connection */
587	} __packed;	593	} __packed;
588		594
589	#define RSS_CAPABLE 0x00000001	595	#define RSS_CAPABLE 0x00000001


diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h index b4eea105b08c..93adc64666f3 100644 --- a/fs/cifs/smb2proto.h +++ b/fs/cifs/smb2proto.h
@@ -162,5 +162,6 @@ extern int smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon,
162	struct smb2_lock_element *buf);	162	struct smb2_lock_element *buf);
163	extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,	163	extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
164	__u8 *lease_key, const __le32 lease_state);	164	__u8 *lease_key, const __le32 lease_state);
		165	extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
165		166
166	#endif /* _SMB2PROTO_H */	167	#endif /* _SMB2PROTO_H */


diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h index a4b2391fe66e..0e538b5c9622 100644 --- a/fs/cifs/smbfsctl.h +++ b/fs/cifs/smbfsctl.h
@@ -90,7 +90,7 @@
90	#define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */	90	#define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */
91	#define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */	91	#define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */
92	#define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */	92	#define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */
93	#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204 /* BB add struct */	93	#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204
94	/* Perform server-side data movement */	94	/* Perform server-side data movement */
95	#define FSCTL_SRV_COPYCHUNK 0x001440F2	95	#define FSCTL_SRV_COPYCHUNK 0x001440F2
96	#define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2	96	#define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2