Hi Guilherme, Apologies if I missed it, but could you elaborate on the issues you're experiencing with the Disco kernel that are preventing you from verifying this fix? I saw in an earlier comment you were waiting for 5.0.0-24 but that kernel should be available in -updates now.
Thanks, Connor -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824981 Title: cifs set_oplock buffer overflow in strcat Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Won't Fix Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Released Bug description: [Impact] * We got reports of a kernel crash in cifs module with the following signature: detected buffer overflow in strcat kernel BUG at <...>/lib/string.c:1052! invalid opcode: 0000 [#1] SMP PTI RIP: 0010:fortify_panic+0x13/0x1f Call Trace: smb21_set_oplock_level+0xde/0x190 [cifs] smb3_set_oplock_level+0x22/0x90 [cifs] smb2_set_fid+0x76/0xb0 [cifs] cifs_new_fileinfo+0x268/0x3c0 [cifs] ? smb2_get_lease_key+0x40/0x40 [cifs] ? cifs_new_fileinfo+0x268/0x3c0 [cifs] cifs_open+0x57c/0x8d0 [cifs] do_dentry_open+0x1fe/0x320 [...] * By analyzing the code of smb21_set_oplock_level(), we've noticed the only way fortify function strcat() would get overflow was if the value of cinode->oplock got corrupted in a another thread leading to a buffer write bigger then buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread cleaning the oplock value would lead to 'message' overflow. * By the same time we worked this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the same reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into Bionic kernel - it's already present in linux stable branches. [Test case] * Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio. * Using xfstest with the exclusions proposed in the link above we managed to get the same results as a non-patched kernel, i.e., the same tests failed in both kernels, we didn't get worse results with the patch. Fio also didn't show noticeable performance regression with the patch. [Regression potential] * The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
