diff --git a/package/kernel/ksmbd/Makefile b/package/kernel/ksmbd/Makefile index 8a0ebc54f89..feeace9340c 100644 --- a/package/kernel/ksmbd/Makefile +++ b/package/kernel/ksmbd/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ksmbd -PKG_VERSION:=3.4.6 -PKG_RELEASE:=2 +PKG_VERSION:=3.4.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/cifsd-team/cifsd/tar.gz/$(PKG_VERSION)? -PKG_HASH:=d742992692dbe164060d2a0ea668895ed2b86252f10427db3d3a002df44c445b +PKG_SOURCE_URL:=https://github.com/cifsd-team/ksmbd/releases/download/$(PKG_VERSION) +PKG_HASH:=ed9ecb2232046054bf0c1fef41690890f99d93b1d72b7e7d158746ac9be18c7f PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=COPYING diff --git a/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch b/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch deleted file mode 100644 index 198e7521061..00000000000 --- a/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 8824b7af409f51f1316e92e9887c2fd48c0b26d6 Mon Sep 17 00:00:00 2001 -From: William Liu -Date: Fri, 30 Dec 2022 09:13:35 +0900 -Subject: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in - ksmbd_decode_ntlmssp_auth_blob -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -"nt_len - CIFS_ENCPWD_SIZE" is passed directly from -ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests -can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative -number (or large unsigned value) used for a subsequent memcpy in -ksmbd_auth_ntlvm2 and can cause a panic. - -Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Signed-off-by: William Liu -Signed-off-by: Hrvoje Mišetić -Signed-off-by: Namjae Jeon ---- - auth.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/auth.c -+++ b/auth.c -@@ -583,7 +583,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc - dn_off = le32_to_cpu(authblob->DomainName.BufferOffset); - dn_len = le16_to_cpu(authblob->DomainName.Length); - -- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len) -+ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len || -+ nt_len < CIFS_ENCPWD_SIZE) - return -EINVAL; - - #ifdef CONFIG_SMB_INSECURE_SERVER diff --git a/package/kernel/ksmbd/patches/11-ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch b/package/kernel/ksmbd/patches/11-ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch deleted file mode 100644 index 1b3c5c1aaba..00000000000 --- a/package/kernel/ksmbd/patches/11-ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch +++ /dev/null @@ -1,63 +0,0 @@ -From cc4f3b5a6ab4693aba94a45cc073188df4d67175 Mon Sep 17 00:00:00 2001 -From: Namjae Jeon -Date: Mon, 26 Dec 2022 01:28:52 +0900 -Subject: ksmbd: fix infinite loop in ksmbd_conn_handler_loop() - -If kernel_recvmsg() return -EAGAIN in ksmbd_tcp_readv() and go round -again, It will cause infinite loop issue. And all threads from next -connections would be doing that. This patch add max retry count(2) to -avoid it. kernel_recvmsg() will wait during 7sec timeout and try to -retry two time if -EAGAIN is returned. And add flags of kvmalloc to -__GFP_NOWARN and __GFP_NORETRY to disconnect immediately without -retrying on memory alloation failure. - -Fixes: 0626e66 ("cifsd: add server handler for central processing and tranport layers") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259 -Reviewed-by: Sergey Senozhatsky -Signed-off-by: Namjae Jeon ---- - connection.c | 7 +++++-- - transport_tcp.c | 5 ++++- - 2 files changed, 9 insertions(+), 3 deletions(-) - ---- a/connection.c -+++ b/connection.c -@@ -337,9 +337,12 @@ int ksmbd_conn_handler_loop(void *p) - - /* 4 for rfc1002 length field */ - size = pdu_size + 4; -- conn->request_buf = kvmalloc(size, GFP_KERNEL); -+ conn->request_buf = kvmalloc(size, -+ GFP_KERNEL | -+ __GFP_NOWARN | -+ __GFP_NORETRY); - if (!conn->request_buf) -- continue; -+ break; - - memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf)); - if (!ksmbd_smb_request(conn)) ---- a/transport_tcp.c -+++ b/transport_tcp.c -@@ -323,6 +323,7 @@ static int ksmbd_tcp_readv(struct tcp_tr - struct msghdr ksmbd_msg; - struct kvec *iov; - struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn; -+ int max_retry = 2; - - iov = get_conn_iovec(t, nr_segs); - if (!iov) -@@ -349,9 +350,11 @@ static int ksmbd_tcp_readv(struct tcp_tr - } else if (conn->status == KSMBD_SESS_NEED_RECONNECT) { - total_read = -EAGAIN; - break; -- } else if (length == -ERESTARTSYS || length == -EAGAIN) { -+ } else if ((length == -ERESTARTSYS || length == -EAGAIN) && -+ max_retry) { - usleep_range(1000, 2000); - length = 0; -+ max_retry--; - continue; - } else if (length <= 0) { - total_read = -EAGAIN;