** Description changed:

  [Impact]
  
  * We got reports of a kernel crash in cifs module with the following
  signature:
  
  detected buffer overflow in strcat
  kernel BUG at <...>/lib/string.c:1052!
  invalid opcode: 0000 [#1] SMP PTI
  RIP: 0010:fortify_panic+0x13/0x1f
  Call Trace:
-  smb21_set_oplock_level+0xde/0x190 [cifs]
-  smb3_set_oplock_level+0x22/0x90 [cifs]
-  smb2_set_fid+0x76/0xb0 [cifs]
-  cifs_new_fileinfo+0x268/0x3c0 [cifs]
-  ? smb2_get_lease_key+0x40/0x40 [cifs]
-  ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
-  cifs_open+0x57c/0x8d0 [cifs]
-  do_dentry_open+0x1fe/0x320
+  smb21_set_oplock_level+0xde/0x190 [cifs]
+  smb3_set_oplock_level+0x22/0x90 [cifs]
+  smb2_set_fid+0x76/0xb0 [cifs]
+  cifs_new_fileinfo+0x268/0x3c0 [cifs]
+  ? smb2_get_lease_key+0x40/0x40 [cifs]
+  ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
+  cifs_open+0x57c/0x8d0 [cifs]
+  do_dentry_open+0x1fe/0x320
  [...]
  
  * By analyzing the code of smb21_set_oplock_level(), we've noticed the
  only way fortify function strcat() would get overflow was if the value
  of cinode->oplock got corrupted in a another thread leading to a buffer
  write bigger then buffer size. In this function, the 'message' buffer
  writes are governed by cinode->oplock, so only a different thread
  cleaning the oplock value would lead to 'message' overflow.
  
  * By the same time we worked this analysis, a fix was proposed upstream
  for this issue  in the form of commit 6a54b2e002c9 ("cifs: fix strcat
  buffer overflow and reduce raciness in smb21_set_oplock_level()"), by
  the same reporter of this LP. The fix is simple and directly addresses
  this problem, so we hereby request its SRU into Bionic kernel - it's
- already present in Ubuntu kernel version 5.0 and newer, as well as linux
- stable branches.
+ already present in linux stable branches and will soon be in Ubuntu
+ kernel version 5.0 (when it gets rebased with 5.0.19).
  
  [Test case]
  
  * Unfortunately we cannot reproduce the issue. The patch proposed here was
- validated by us with xfstests (instructions followed from 
+ validated by us with xfstests (instructions followed from
  https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
  
  * Using xfstest with the exclusions proposed in the link above we
  managed to get the same results as a non-patched kernel, i.e., the same
  tests failed in both kernels, we didn't get worse results with the
  patch. Fio also didn't show noticeable performance regression with the
  patch.
  
  [Regression potential]
  
  * The patch was validated by the cifs filesystem maintainers and by the
  aforementioned tests; also, the scope is restricted to cifs only so the
  likelihood of regressions is considered low. The commit introduces no
  functional changes and the only affected path was just refactored in a
  way to prevent overflow and reduce race potential.

** Description changed:

  [Impact]
  
  * We got reports of a kernel crash in cifs module with the following
  signature:
  
  detected buffer overflow in strcat
  kernel BUG at <...>/lib/string.c:1052!
  invalid opcode: 0000 [#1] SMP PTI
  RIP: 0010:fortify_panic+0x13/0x1f
  Call Trace:
   smb21_set_oplock_level+0xde/0x190 [cifs]
   smb3_set_oplock_level+0x22/0x90 [cifs]
   smb2_set_fid+0x76/0xb0 [cifs]
   cifs_new_fileinfo+0x268/0x3c0 [cifs]
   ? smb2_get_lease_key+0x40/0x40 [cifs]
   ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
   cifs_open+0x57c/0x8d0 [cifs]
   do_dentry_open+0x1fe/0x320
  [...]
  
  * By analyzing the code of smb21_set_oplock_level(), we've noticed the
  only way fortify function strcat() would get overflow was if the value
  of cinode->oplock got corrupted in a another thread leading to a buffer
  write bigger then buffer size. In this function, the 'message' buffer
  writes are governed by cinode->oplock, so only a different thread
  cleaning the oplock value would lead to 'message' overflow.
  
  * By the same time we worked this analysis, a fix was proposed upstream
  for this issue  in the form of commit 6a54b2e002c9 ("cifs: fix strcat
  buffer overflow and reduce raciness in smb21_set_oplock_level()"), by
  the same reporter of this LP. The fix is simple and directly addresses
  this problem, so we hereby request its SRU into Bionic kernel - it's
- already present in linux stable branches and will soon be in Ubuntu
- kernel version 5.0 (when it gets rebased with 5.0.19).
+ already present in linux stable branches.
  
  [Test case]
  
  * Unfortunately we cannot reproduce the issue. The patch proposed here was
  validated by us with xfstests (instructions followed from
  https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
  
  * Using xfstest with the exclusions proposed in the link above we
  managed to get the same results as a non-patched kernel, i.e., the same
  tests failed in both kernels, we didn't get worse results with the
  patch. Fio also didn't show noticeable performance regression with the
  patch.
  
  [Regression potential]
  
  * The patch was validated by the cifs filesystem maintainers and by the
  aforementioned tests; also, the scope is restricted to cifs only so the
  likelihood of regressions is considered low. The commit introduces no
  functional changes and the only affected path was just refactored in a
  way to prevent overflow and reduce race potential.

** Changed in: linux (Ubuntu Eoan)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981

Title:
  cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  Won't Fix
Status in linux source package in Disco:
  In Progress
Status in linux source package in Eoan:
  Fix Released

Bug description:
  [Impact]

  * We got reports of a kernel crash in the cifs module with the following
  signature:

  detected buffer overflow in strcat
  kernel BUG at <...>/lib/string.c:1052!
  invalid opcode: 0000 [#1] SMP PTI
  RIP: 0010:fortify_panic+0x13/0x1f
  Call Trace:
   smb21_set_oplock_level+0xde/0x190 [cifs]
   smb3_set_oplock_level+0x22/0x90 [cifs]
   smb2_set_fid+0x76/0xb0 [cifs]
   cifs_new_fileinfo+0x268/0x3c0 [cifs]
   ? smb2_get_lease_key+0x40/0x40 [cifs]
   ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
   cifs_open+0x57c/0x8d0 [cifs]
   do_dentry_open+0x1fe/0x320
  [...]

  * By analyzing the code of smb21_set_oplock_level(), we've noticed the
  only way the fortify function strcat() would overflow was if the value
  of cinode->oplock got corrupted in another thread, leading to a
  buffer write bigger than the buffer size. In this function, the 'message'
  buffer writes are governed by cinode->oplock, so only a different
  thread cleaning the oplock value would lead to a 'message' overflow.

  * Around the same time we worked on this analysis, a fix was proposed
  upstream for this issue in the form of commit 6a54b2e002c9 ("cifs:
  fix strcat buffer overflow and reduce raciness in
  smb21_set_oplock_level()"), by the same reporter of this LP. The fix
  is simple and directly addresses this problem, so we hereby request
  its SRU into the Bionic kernel - it's already present in linux stable
  branches.

  [Test case]

  * Unfortunately we cannot reproduce the issue. The patch proposed here was
  validated by us with xfstests (instructions followed from
  https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.

  * Using xfstests with the exclusions proposed in the link above we
  managed to get the same results as a non-patched kernel, i.e., the
  same tests failed in both kernels; we didn't get worse results with
  the patch. Fio also didn't show a noticeable performance regression with
  the patch.

  [Regression potential]

  * The patch was validated by the cifs filesystem maintainers and by
  the aforementioned tests; also, the scope is restricted to cifs only
  so the likelihood of regressions is considered low. The commit
  introduces no functional changes and the only affected path was just
  refactored in a way to prevent overflow and reduce race potential.
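The race class the Impact section describes, reduced to a constructed C model added here (not the cifs module's code and not the upstream commit): a racy shape that re-reads the shared oplock field for its final decision, beside the hardened shape that decides from a local value and stores it once. The flag values, the buffer size, the appended strings and the shared variable are all assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed flags, sizes and shared field for illustration only; they
 * model the shape of the bug, not the cifs module's real code. */
#define LEASE_R 0x1u
#define LEASE_H 0x2u
#define LEASE_W 0x4u
#define MSG_SIZE 5u               /* fits "RHW\0" or "None\0", never both */

static unsigned shared_oplock;    /* stands in for a per-inode shared field */

/* Racy shape: the shared field is updated flag by flag, then re-read for
 * the final check; 'other_thread_clears' models a concurrent writer zeroing
 * it inside that window.  Text goes into an oversized scratch buffer so the
 * model itself cannot overflow; the return value is the size the message
 * needs, which is what a fortified strcat compares with the destination. */
size_t racy_message_size(unsigned lease, bool other_thread_clears)
{
    char scratch[16] = {0};
    if (lease & LEASE_R) { shared_oplock |= LEASE_R; strcat(scratch, "R"); }
    if (lease & LEASE_H) { shared_oplock |= LEASE_H; strcat(scratch, "H"); }
    if (lease & LEASE_W) { shared_oplock |= LEASE_W; strcat(scratch, "W"); }
    if (other_thread_clears)
        shared_oplock = 0;        /* the race window */
    if (!shared_oplock)           /* decision re-reads shared state */
        strcat(scratch, "None");  /* "RHWNone\0" needs 8 > MSG_SIZE */
    return strlen(scratch) + 1;
}

/* Hardened shape: decide from a local value and publish it once at the end.
 * The concurrent clear can still happen, but it no longer influences what
 * this thread appends, so MSG_SIZE is always sufficient. */
size_t fixed_message_size(unsigned lease, bool other_thread_clears)
{
    char message[MSG_SIZE] = {0};
    unsigned new_oplock = 0;
    if (lease & LEASE_R) { new_oplock |= LEASE_R; strcat(message, "R"); }
    if (lease & LEASE_H) { new_oplock |= LEASE_H; strcat(message, "H"); }
    if (lease & LEASE_W) { new_oplock |= LEASE_W; strcat(message, "W"); }
    if (other_thread_clears)
        shared_oplock = 0;        /* same interference, no effect below */
    if (!new_oplock)              /* only when nothing else was appended */
        strcat(message, "None");
    shared_oplock = new_oplock;   /* single store of the new value */
    return strlen(message) + 1;
}

void reset_shared_oplock(void) { shared_oplock = 0; }
unsigned current_shared_oplock(void) { return shared_oplock; }
```

Comparing the racy shape's returned size against MSG_SIZE reproduces the check a fortified strcat performs at the call site, which is why the crash surfaces as a BUG in lib/string.c rather than as silent corruption.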
