【openEuler-1.0-LTS】【cifs】2024年1月 4.19 LTS补丁回合

### 补丁信息

~~~
commit 832c20fc4cc82c497566db35996ea488661fc764
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Mon Dec 11 10:26:42 2023 -0300

smb: client: fix NULL deref in asn1_ber_decoder()
    
    [ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ]
    
    If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset,
    smb2_get_data_area() sets @len to non-zero but return NULL, so
    decode_negTokeninit() ends up being called with a NULL @security_blob:
~~~

#### 流程分析

~~~
smb2_negotiate
SMB2_negotiate
  smb2_get_data_area_len
  decode_negTokenInit

~~~

smb2_get_data_area_len()中对len和offs检查不充分，导致len != 0 并且 return NULL

~~~c
char *
smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
{
    *off = 0;
    *len = 0;

/* error responses do not have data area */
    if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
        (((struct smb2_err_rsp *)shdr)->StructureSize) ==
                        SMB2_ERROR_STRUCTURE_SIZE2)
        return NULL;

/*
     * Following commands have data areas so we have to get the location
     * of the data buffer offset and data buffer length for the particular
     * command.
     */
    switch (shdr->Command) {
    case SMB2_NEGOTIATE:
        *off = le16_to_cpu(
          ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset);  // offs 为 0
        *len = le16_to_cpu(
          ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength);  // len 不为 0
        break;
......
    /*   // ==========  offs == 0  会导致下面的检查全部通过，并且len != 0  ==============
     * Invalid length or offset probably means data area is invalid, but
     * we have little choice but to ignore the data area in this case.
     */
    if (*off > 4096) {
        cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
        *len = 0;
        *off = 0;
    } else if (*off < 0) {
        cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
             *off);
        *off = 0;
        *len = 0;
    } else if (*len < 0) {
        cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
             *len);
        *len = 0;
    } else if (*len > 128 * 1024) {
        cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
        *len = 0;
    }

/* return pointer to beginning of data area, ie offset from SMB start */
    if ((*off != 0) && (*len != 0))      // offs == 0 
        return (char *)shdr + *off;
    else
        return NULL;                    // 返回NULL，并且len不为0 
}
~~~

随后进入decode_negTokenInit()所在分支

~~~c
int
SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
.......
    security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
                           (struct smb2_sync_hdr *)rsp);
......
    if (blob_length) {
        rc = decode_negTokenInit(security_blob, blob_length, server);  // security_blob 为 NULL 
        if (rc == 1)
            rc = 0;
        else if (rc == 0)
            rc = -EIO;
    }

~~~

对空指针进行操作

~~~
decode_negTokenInit
  asn1_open
    ctx->pointer = NULL  -> 初始化为NULL
  asn1_header_decode
    *eoc = ctx->pointer + len; // 非法地址
~~~

GVP openEuler/kernel
Closed

Content Risk Flag

Comments (1)

GVPopenEuler/kernelClosed

Content Risk Flag