
Replace a couple of 1-element arrays in fs/cifs/cifspdu.h #229

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

Replace the one-element arrays in fs/cifs/cifspdu.h that are really used as variable-length trailing data (DialectsArray in negotiate_req, and EncryptionKey / SecurityBlob in negotiate_rsp) with flexible-array members.

 483 /* SMB1 NEGOTIATE request PDU; a variable-length dialect list follows the fixed part. */
 484 typedef struct negotiate_req {                                                                      
 484         struct smb_hdr hdr;     /* wct = 0 */                                                       
 485         __le16 ByteCount;                                                                           
 486         /* Not really one byte: CIFSSMBNegotiate copies NUL-terminated dialect names past it,
 486          * so a [1] declaration hides the real bound from the compiler and FORTIFY checks. */
 486         unsigned char DialectsArray[1];                                                             
 487 } __attribute__((packed)) NEGOTIATE_REQ;                                                            
 488                                                                                                     
 489 #define MIN_TZ_ADJ (15 * 60) /* minimum grid for timezones in seconds */                            
 490                                                                                                     
 491 #define READ_RAW_ENABLE 1    /* bit flag */                                                         
 492 #define WRITE_RAW_ENABLE 2   /* bit flag */                                                         
 493 #define RAW_ENABLE (READ_RAW_ENABLE | WRITE_RAW_ENABLE) /* both raw flags set */                    
 494 #define SMB1_CLIENT_GUID_SIZE (16) /* length of negotiate_rsp's extended_response GUID, in bytes */ 
 495 typedef struct negotiate_rsp {                                                                      
 496         struct smb_hdr hdr;     /* wct = 17 */                                                      
...                                                                    
 508         __u8 EncryptionKeyLength;                                                                   
 509         __u16 ByteCount;                                                                            
 510         union {                                                                                     
 511                 unsigned char EncryptionKey[1]; /* cap extended security off */                     
 512                 /* followed by Domain name - if extended security is off */                         
 513                 /* followed by 16 bytes of server GUID */                                           
 514                 /* then security blob if cap_extended_security negotiated */                        
 515                 struct {                                                                            
 516                         unsigned char GUID[SMB1_CLIENT_GUID_SIZE];                                  
 517                         unsigned char SecurityBlob[1];                                              
 518                 } __attribute__((packed)) extended_response;                                        
 519         } __attribute__((packed)) u;                                                                
 520 } __attribute__((packed)) NEGOTIATE_RSP; 

Audit (at least) all the places where these one-element arrays are used as variable-length data; the deletion in the diff below only marks one such use site (in CIFSSMBNegotiate) and is not the proposed change:

diff -u -p ./fs/cifs/cifssmb.c /tmp/nothing/fs/cifs/cifssmb.c
--- ./fs/cifs/cifssmb.c
+++ /tmp/nothing/fs/cifs/cifssmb.c
@@ -465,7 +465,6 @@ CIFSSMBNegotiate(const unsigned int xid,
        for (i = 0; i < CIFS_NUM_PROT; i++) {
                size_t len = strlen(protocols[i].name) + 1;

-               memcpy(pSMB->DialectsArray+count, protocols[i].name, len);
                count += len;
        }
        inc_rfc1001_len(pSMB, count);
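Review bot: Converting DialectsArray to a flexible array shrinks sizeof(NEGOTIATE_REQ) by one byte, and this hunk only shows the dialect bytes being accounted for via `inc_rfc1001_len(pSMB, count);` — whether the base RFC1001 length, ByteCount and the pSMB allocation are derived from sizeof(NEGOTIATE_REQ) is outside the hunk, so the audit should verify those sites do not depend on the placeholder byte and that pSMB->ByteCount ends up equal to count. The memcpy to DialectsArray+count is not bounded by anything visible here, so the audit should also confirm the buffer was allocated for the sum of all protocols[i].name lengths plus terminators; once verified, a comment such as `/* DialectsArray is variable-length; the buffer must cover every CIFS_NUM_PROT name incl. NUL */` above the loop would record the assumption. The removed memcpy line appears to be an audit marker rather than a proposed deletion. CIFSSMBNegotiate begins before and continues after this hunk.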
GustavoARSilva commented 1 year ago

Patch for this: https://lore.kernel.org/linux-hardening/YzzjKyHDuFoQAVCu@work/