tree: git://git.samba.org/ksmbd.git ksmbd-for-next-next head: d0b73d20ca9100c7b969b65d8a1ff49cdd1fa9c9 commit: d0b73d20ca9100c7b969b65d8a1ff49cdd1fa9c9 [12/12] ksmbd: fix heap-based overflow in set_ntacl_dacl() config: arc-randconfig-m041-20220731 (https://download.01.org/0day-ci/archive/20220801/202208010716.io52cjih-...@intel.com/config) compiler: arceb-elf-gcc (GCC) 12.1.0
If you fix the issue, kindly add the following tags where applicable Reported-by: kernel test robot <l...@intel.com> Reported-by: Dan Carpenter <dan.carpen...@oracle.com> New smatch warnings: fs/ksmbd/smbacl.c:1213 smb_check_perm_dacl() warn: variable dereferenced before check 'pntsd' (see line 1212) fs/ksmbd/smb2pdu.c:5182 smb2_get_info_sec() error: uninitialized symbol 'secdesclen'. Note: line 1212 reads 'pntsd->dacloffset' before the '!pntsd' test on line 1213 can reject a NULL pointer, so that test only protects the read if it is placed ahead of it. Old smatch warnings: fs/ksmbd/smb2pdu.c:549 smb2_allocate_rsp_buf() warn: Please consider using kvzalloc instead of kvmalloc fs/ksmbd/smb2pdu.c:6123 smb2_read_pipe() warn: Please consider using kvzalloc instead of kvmalloc fs/ksmbd/smb2pdu.c:6275 smb2_read() warn: Please consider using kvzalloc instead of kvmalloc fs/ksmbd/smb2pdu.c:6424 smb2_write_rdma_channel() warn: Please consider using kvzalloc instead of kvmalloc vim +/pntsd +1213 fs/ksmbd/smbacl.c ef24c962d0f290 fs/ksmbd/smbacl.c Hyunchul Lee 2021-06-30 1188 int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1189 __le32 *pdaccess, int uid) e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1190 { 465d720485eff1 fs/ksmbd/smbacl.c Hyunchul Lee 2021-07-03 1191 struct user_namespace *user_ns = mnt_user_ns(path->mnt); e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1192 struct smb_ntsd *pntsd = NULL; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1193 struct smb_acl *pdacl; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1194 struct posix_acl *posix_acls; d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1195 int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1196 struct smb_sid sid; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1197 int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE); e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1198 struct smb_ace *ace; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1199 int i, 
found = 0; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1200 unsigned int access_bits = 0; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1201 struct smb_ace *others_ace = NULL; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1202 struct posix_acl_entry *pa_entry; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1203 unsigned int sid_type = SIDOWNER; d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1204 unsigned short ace_size; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1205 e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1206 ksmbd_debug(SMB, "check permission using windows acl\n"); d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1207 pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, af34983e831587 fs/ksmbd/smbacl.c Hyunchul Lee 2021-06-30 1208 path->dentry, &pntsd); d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1209 if (pntsd_size <= 0) d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1210 goto err_out; d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1211 d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 @1212 dacl_offset = le32_to_cpu(pntsd->dacloffset); ^^^^^^^^^^^^^^^^^ Dereference d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 @1213 if (!pntsd || !pntsd->dacloffset || ^^^^^ Checked too late d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1214 (dacl_offset + sizeof(struct smb_acl) > pntsd_size)) d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1215 goto err_out; e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1216 e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1217 pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset)); d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1218 acl_size = pntsd_size - dacl_offset; d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1219 pdacl_size = le16_to_cpu(pdacl->size); 50355b0b20103a fs/cifsd/smbacl.c Namjae Jeon 2021-03-19 1220 d0b73d20ca9100 
fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1221 if (pdacl_size > acl_size || pdacl_size < sizeof(struct smb_acl)) d0b73d20ca9100 fs/ksmbd/smbacl.c Namjae Jeon 2022-07-28 1222 goto err_out; 50355b0b20103a fs/cifsd/smbacl.c Namjae Jeon 2021-03-19 1223 e2f34481b24db2 fs/cifsd/smbacl.c Namjae Jeon 2021-03-16 1224 if (!pdacl->num_aces) {