cifs set_oplock buffer overflow in strcat
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Christoph Probst | |
| Bionic | Fix Released | High | Guilherme G. Piccoli | |
| Cosmic | Won't Fix | High | Guilherme G. Piccoli | |
| Disco | Fix Released | High | Guilherme G. Piccoli | |
| Eoan | Fix Released | High | Christoph Probst | |
Bug Description
[Impact]
* We got reports of a kernel crash in the cifs module with the following signature:

```
detected buffer overflow in strcat
kernel BUG at <...>/lib/
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_
Call Trace:
smb21_
smb3_set_
smb2_set_
cifs_new_
? smb2_get_
? cifs_new_
cifs_open+
do_dentry_
[...]
```
* By analyzing the code of smb21_set_
* While we were working on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https:/
* Using xfstests with the exclusions proposed in the link above, we got the same results as with an unpatched kernel, i.e., the same tests failed on both kernels and no test got worse with the patch. Fio also showed no noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential.
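The pattern the fix addresses, as an added example that is not the kernel's cifs code: a flag-to-string builder that uses a bounded append in place of strcat() and works on a local copy of the state rather than a shared field. The flag names and the append_bounded/describe_caching helpers are assumptions made for this illustration.

```c
/* Added illustration, not the kernel's cifs code: assemble a short caching-state
 * string ("R", "H", "W" or "None") from hypothetical lease flag bits. An unbounded
 * strcat() into a fixed buffer is what a fortified strcat() reports as "detected
 * buffer overflow"; this version checks the bound itself and refuses instead. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CACHE_READ_FLG   0x1u   /* hypothetical stand-ins for the lease caching flags */
#define CACHE_HANDLE_FLG 0x2u
#define CACHE_WRITE_FLG  0x4u

/* Bounded append: dst must be NUL-terminated. Returns false and leaves dst
 * unchanged when src plus its terminator would not fit in dst_size bytes. */
static bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);

    if (used >= dst_size || need >= dst_size - used)
        return false;
    memcpy(dst + used, src, need + 1);
    return true;
}

/* Render flags into the caller's buffer, working on a local copy of the flags
 * rather than a shared field so a concurrent update cannot change the string
 * while it is being built. Returns false if the buffer is too small. */
static bool describe_caching(unsigned int flags, char *buf, size_t buf_size)
{
    unsigned int local = flags & (CACHE_READ_FLG | CACHE_HANDLE_FLG | CACHE_WRITE_FLG);
    bool ok = true;

    if (buf_size == 0)
        return false;
    buf[0] = '\0';
    if (local & CACHE_READ_FLG)   ok = ok && append_bounded(buf, buf_size, "R");
    if (local & CACHE_HANDLE_FLG) ok = ok && append_bounded(buf, buf_size, "H");
    if (local & CACHE_WRITE_FLG)  ok = ok && append_bounded(buf, buf_size, "W");
    if (local == 0)               ok = ok && append_bounded(buf, buf_size, "None");
    return ok;
}

int main(void)
{
    char msg[5], tiny[3];

    printf("%d %s\n", describe_caching(0x7u, msg, sizeof msg), msg);    /* 1 RHW */
    printf("%d %s\n", describe_caching(0x0u, msg, sizeof msg), msg);    /* 1 None */
    printf("%d %s\n", describe_caching(0x7u, tiny, sizeof tiny), tiny); /* 0 RH ("W" refused) */
    return 0;
}
```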
* summary: cifs related buffer overflow in strcat → cifs set_oplock overflow in strcat
* summary: cifs set_oplock overflow in strcat → cifs set_oplock buffer overflow in strcat
* tags: added: sts
* Changed in linux (Ubuntu Eoan): status: Fix Released → Fix Committed
* Changed in linux (Ubuntu Disco): status: New → In Progress
* Changed in linux (Ubuntu Cosmic): status: New → In Progress
* Changed in linux (Ubuntu Bionic): status: New → In Progress; assignee: nobody → Guilherme G. Piccoli (gpiccoli)
* Changed in linux (Ubuntu Cosmic): assignee: nobody → Guilherme G. Piccoli (gpiccoli)
* Changed in linux (Ubuntu Disco): assignee: nobody → Guilherme G. Piccoli (gpiccoli)
* Changed in linux (Ubuntu Eoan): importance: Undecided → High
* Changed in linux (Ubuntu Disco): importance: Undecided → High
* Changed in linux (Ubuntu Bionic): importance: Undecided → High
* Changed in linux (Ubuntu Cosmic): importance: Undecided → High
* Changed in linux (Ubuntu Cosmic): status: In Progress → Won't Fix
* description: updated
* description: updated
* description: updated
* Changed in linux (Ubuntu Eoan): status: Fix Committed → Fix Released
* Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
* Changed in linux (Ubuntu Disco): status: In Progress → Fix Committed
* tags: added: cscc
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
`apport-collect 1824981`
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.