Thanks @Kleber. I've just done it. I'll report any issue.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981
Title:
cifs set_oplock buffer overflow in strcat
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Bionic:
Fix Committed
Status in linux source package in Cosmic:
Won't Fix
Status in linux source package in Disco:
Fix Committed
Status in linux source package in Eoan:
Fix Released
Bug description:
[Impact]
* We got reports of a kernel crash in cifs module with the following
signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the
only way fortify function strcat() would get overflow was if the value
of cinode->oplock got corrupted in a another thread leading to a
buffer write bigger then buffer size. In this function, the 'message'
buffer writes are governed by cinode->oplock, so only a different
thread cleaning the oplock value would lead to 'message' overflow.
* By the same time we worked this analysis, a fix was proposed
upstream for this issue in the form of commit 6a54b2e002c9 ("cifs:
fix strcat buffer overflow and reduce raciness in
smb21_set_oplock_level()"), by the same reporter of this LP. The fix
is simple and directly addresses this problem, so we hereby request
its SRU into Bionic kernel - it's already present in linux stable
branches.
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was
validated by us with xfstests (instructions followed from
https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstest with the exclusions proposed in the link above we
managed to get the same results as a non-patched kernel, i.e., the
same tests failed in both kernels, we didn't get worse results with
the patch. Fio also didn't show noticeable performance regression with
the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by
the aforementioned tests; also, the scope is restricted to cifs only
so the likelihood of regressions is considered low. The commit
introduces no functional changes and the only affected path was just
refactored in a way to prevent overflow and reduce race potential.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
