CVE-2022-50341

Source: https://cve.org/CVERecord?id=CVE-2022-50341
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50341.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-50341
Published: 2025-09-16T16:11:20.838Z
Modified: 2026-03-20T12:22:33.713640Z
Severity: 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
cifs: fix oops during encryption
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix oops during encryption

When running xfstests against Azure the following oops occurred on an arm64 system:

  Unable to handle kernel write to read-only memory at virtual address ffff0001221cf000
  Mem abort info:
    ESR = 0x9600004f
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x0f: level 3 permission fault
  Data abort info:
    ISV = 0, ISS = 0x0000004f
    CM = 0, WnR = 1
  swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
  [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
  pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
  Internal error: Oops: 9600004f [#1] PREEMPT SMP
  ...
  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
  pc : __memcpy+0x40/0x230
  lr : scatterwalk_copychunks+0xe0/0x200
  sp : ffff800014e92de0
  x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
  x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
  x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
  x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
  x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
  x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
  x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
  x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
  x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
  x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
  Call trace:
   __memcpy+0x40/0x230
   scatterwalk_map_and_copy+0x98/0x100
   crypto_ccm_encrypt+0x150/0x180
   crypto_aead_encrypt+0x2c/0x40
   crypt_message+0x750/0x880
   smb3_init_transform_rq+0x298/0x340
   smb_send_rqst.part.11+0xd8/0x180
   smb_send_rqst+0x3c/0x100
   compound_send_recv+0x534/0xbc0
   smb2_query_info_compound+0x32c/0x440
   smb2_set_ea+0x438/0x4c0
   cifs_xattr_set+0x5d4/0x7c0

This is because in scatterwalk_copychunks(), we attempted to write to a buffer (@sign) that was allocated in the stack (vmalloc area) by crypt_message() and thus accessing its remaining 8 (x2) bytes ended up crossing a page boundary.

To simply fix it, we could just pass @sign kmalloc'd from crypt_message() and then we're done. Luckily, we don't seem to pass any other vmalloc'd buffers in smb_rqst::rq_iov...

Instead, let's map the correct pages and offsets from vmalloc buffers as well in cifs_sg_set_buf(), thereby avoiding such oopses.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50341.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398
  Fixed: e8e2861cc3258dbe407d01ea8c59bb5a53132301
  Fixed: fe6ea044c4f05706cb71040055b1c70c6c8275e0
  Fixed: bf0543b93740916ee91956f9a63da6fc0d79daaa
  Fixed: a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9
  Fixed: e8d16a54842d609fd4a3ed2d81d4333d6329aa94
  Fixed: f7f291e14dde32a07b1f0aa06921d28f875a7b54
