<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/cifs, branch linux-3.6.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>cifs: Do not lookup hashed negative dentry in cifs_atomic_open</title>
<updated>2012-11-26T20:14:07+00:00</updated>
<author>
<name>Sachin Prabhu</name>
<email>sprabhu@redhat.com</email>
</author>
<published>2012-11-05T11:39:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50d4bcc3701d7f6173e3e8727234a4dd81518a3d'/>
<id>50d4bcc3701d7f6173e3e8727234a4dd81518a3d</id>
<content type='text'>
commit 3798f47aa276b332c30da499cb4df4577e2f8872 upstream.

We do not need to lookup a hashed negative directory since we have
already revalidated it before and have found it to be fine.

This also prevents a crash in cifs_lookup() when it attempts to rehash
the already hashed negative lookup dentry.

The patch has been tested using the reproducer at
https://bugzilla.redhat.com/show_bug.cgi?id=867344#c28

Reported-by: Vit Zahradka &lt;vit.zahradka@tiscali.cz&gt;
Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3798f47aa276b332c30da499cb4df4577e2f8872 upstream.

We do not need to lookup a hashed negative directory since we have
already revalidated it before and have found it to be fine.

This also prevents a crash in cifs_lookup() when it attempts to rehash
the already hashed negative lookup dentry.

The patch has been tested using the reproducer at
https://bugzilla.redhat.com/show_bug.cgi?id=867344#c28

Reported-by: Vit Zahradka &lt;vit.zahradka@tiscali.cz&gt;
Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix potential buffer overrun in cifs.idmap handling code</title>
<updated>2012-11-26T20:14:06+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2012-11-03T13:37:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea617a2c5150f9914c57215545575abf394df7bc'/>
<id>ea617a2c5150f9914c57215545575abf394df7bc</id>
<content type='text'>
commit 36960e440ccf94349c09fb944930d3bfe4bc473f upstream.

The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.

When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid-&gt;sub_auths array.

Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with &gt;5 subauths, or fix it
to handle the subauths array dynamically.

At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.

Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.

Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.

Reviewed-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 36960e440ccf94349c09fb944930d3bfe4bc473f upstream.

The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.

When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid-&gt;sub_auths array.

Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with &gt;5 subauths, or fix it
to handle the subauths array dynamically.

At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.

Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.

Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.

Reviewed-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Convert properly UTF-8 to UTF-16</title>
<updated>2012-10-12T20:50:35+00:00</updated>
<author>
<name>Frediano Ziglio</name>
<email>frediano.ziglio@citrix.com</email>
</author>
<published>2012-08-07T09:33:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=049917d4843acf4b024f1721d83fbe2875cdd937'/>
<id>049917d4843acf4b024f1721d83fbe2875cdd937</id>
<content type='text'>
commit fd3ba42c76d3d4b776120c2b24c1791e7bb3deb1 upstream.

wchar_t is currently 16-bit, so converting UTF-8 encoded characters not
in plane 0 (&gt;= 0x10000) to wchar_t (that is, calling char2uni) leads to an
-EINVAL return. This patch detects UTF-8 in cifs_strtoUTF16 and adds special
code calling utf8s_to_utf16s.

Signed-off-by: Frediano Ziglio &lt;frediano.ziglio@citrix.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fd3ba42c76d3d4b776120c2b24c1791e7bb3deb1 upstream.

wchar_t is currently 16-bit, so converting UTF-8 encoded characters not
in plane 0 (&gt;= 0x10000) to wchar_t (that is, calling char2uni) leads to an
-EINVAL return. This patch detects UTF-8 in cifs_strtoUTF16 and adds special
code calling utf8s_to_utf16s.

Signed-off-by: Frediano Ziglio &lt;frediano.ziglio@citrix.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: reinstate the forcegid option</title>
<updated>2012-10-12T20:50:35+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2012-10-03T20:02:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b034312000118d88ddb6027c262bf898440448ae'/>
<id>b034312000118d88ddb6027c262bf898440448ae</id>
<content type='text'>
commit 72bd481f860f0125c810bb43d878ce5f9c060c58 upstream.

Apparently this was lost when we converted to the standard option
parser in 8830d7e07a5e38bc47650a7554b7c1cfd49902bf

Reported-by: Gregory Lee Bartholomew &lt;gregory.lee.bartholomew@gmail.com&gt;
Cc: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 72bd481f860f0125c810bb43d878ce5f9c060c58 upstream.

Apparently this was lost when we converted to the standard option
parser in 8830d7e07a5e38bc47650a7554b7c1cfd49902bf

Reported-by: Gregory Lee Bartholomew &lt;gregory.lee.bartholomew@gmail.com&gt;
Cc: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix return value in cifsConvertToUTF16</title>
<updated>2012-09-18T20:35:25+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2012-09-18T18:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c73f693989d7a7d99ec66a7065295a0c93d0b127'/>
<id>c73f693989d7a7d99ec66a7065295a0c93d0b127</id>
<content type='text'>
This function returns the wrong value, which causes the callers to get
the length of the resulting pathname wrong when it contains non-ASCII
characters.

This seems to fix https://bugzilla.samba.org/show_bug.cgi?id=6767

Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Baldvin Kovacs &lt;baldvin.kovacs@gmail.com&gt;
Reported-and-Tested-by: Nicolas Lefebvre &lt;nico.lefebvre@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This function returns the wrong value, which causes the callers to get
the length of the resulting pathname wrong when it contains non-ASCII
characters.

This seems to fix https://bugzilla.samba.org/show_bug.cgi?id=6767

Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Baldvin Kovacs &lt;baldvin.kovacs@gmail.com&gt;
Reported-and-Tested-by: Nicolas Lefebvre &lt;nico.lefebvre@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix endianness conversion</title>
<updated>2012-09-06T17:42:35+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>pshilovsky@etersoft.ru</email>
</author>
<published>2012-09-04T11:49:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b2ede58e98c87c7f0f44a926f974262f65c3402f'/>
<id>b2ede58e98c87c7f0f44a926f974262f65c3402f</id>
<content type='text'>
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix error handling in cifs_push_mandatory_locks</title>
<updated>2012-09-06T17:42:31+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>pshilovsky@etersoft.ru</email>
</author>
<published>2012-08-29T17:13:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e2f2886a824ff0a56da1eaa13019fde86aa89fa6'/>
<id>e2f2886a824ff0a56da1eaa13019fde86aa89fa6</id>
<content type='text'>
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix cifs_do_create error handling</title>
<updated>2012-08-20T03:30:18+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>pshilovsky@samba.org</email>
</author>
<published>2012-08-17T14:02:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea7b4887e7266b93fa0c203cc452a926a0fef4f0'/>
<id>ea7b4887e7266b93fa0c203cc452a926a0fef4f0</id>
<content type='text'>
Commit d2c127197dfc0b2bae62a52e1e0d3e3ff493919e caused a regression
in cifs_do_create error handling. Fix this by closing a file handle
in the case of a get_inode_info(_unix) error. Also remove unnecessary
checks for newinode being NULL.

Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit d2c127197dfc0b2bae62a52e1e0d3e3ff493919e caused a regression
in cifs_do_create error handling. Fix this by closing a file handle
in the case of a get_inode_info(_unix) error. Also remove unnecessary
checks for newinode being NULL.

Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: print error code if smb signature verification fails</title>
<updated>2012-08-20T03:30:13+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2012-08-03T14:42:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=985e4ff016b5f3d95c12fe8073d1df89300dab3d'/>
<id>985e4ff016b5f3d95c12fe8073d1df89300dab3d</id>
<content type='text'>
While trying to debug a SMB signature related issue with Windows Servers
figured out it might be easier to debug if we print the error code from
cifs_verify_signature(). Also, fix indentation while at it.

Signed-off-by: Suresh Jayaraman &lt;sjayaraman@suse.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While trying to debug a SMB signature related issue with Windows Servers
figured out it might be easier to debug if we print the error code from
cifs_verify_signature(). Also, fix indentation while at it.

Signed-off-by: Suresh Jayaraman &lt;sjayaraman@suse.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix log messages in packet checking for SMB2</title>
<updated>2012-08-20T03:30:07+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>pshilovsky@samba.org</email>
</author>
<published>2012-07-26T21:20:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7411286088d5ba879e9ffcaaa296f657642ef2c4'/>
<id>7411286088d5ba879e9ffcaaa296f657642ef2c4</id>
<content type='text'>
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
