CVE-2022-49271

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent bad output lengths in smb2_ioctl_query_info()

When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10

	buffer = memdup_user(arg + sizeof(struct smb_query_info),
			     qi.output_buffer_length);
	if (IS_ERR(buffer)) {
		kfree(vars);
		return PTR_ERR(buffer);
	}

rather than a valid pointer, thus making the IS_ERR() check fail. This would then cause a NULL ptr dereference in @buffer when accessing it later in smb2_ioctl_query_ioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO FileEndOfFileInformation requests when smb_query_info::flags=PASSTHRU_SET_INFO.

Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smb_query_info::flags

	#include
	#include
	#include
	#include
	#include
	#include

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc
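The failure mode described above, modelled in user space as an added example (this is neither the kernel's code nor the page's reproducer): a zero-length memdup_user() yields ZERO_SIZE_PTR (0x10), which IS_ERR() does not flag, so the only effective guard is a minimum-length check before the copy. The kernel macros are re-declared with their usual values, and model_memdup_user(), vulnerable_get_buffer() and hardened_get_buffer() are illustrative names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Kernel helpers modelled in user space (values assumed from include/linux/err.h, slab.h). */
#define MAX_ERRNO      4095
#define ZERO_SIZE_PTR  ((void *)16)   /* kmalloc(0): 0x10, neither NULL nor an ERR_PTR */
#define IS_ERR(p)      ((unsigned long)(p) >= (unsigned long)-MAX_ERRNO)
#define ERR_PTR(e)     ((void *)(long)(e))
#define PTR_ERR(p)     ((long)(p))

/* Model of memdup_user(): a zero-length copy yields ZERO_SIZE_PTR, as kmalloc(0) does. */
static void *model_memdup_user(const void *src, size_t len)
{
	void *dst;
	if (len == 0)
		return ZERO_SIZE_PTR;
	dst = malloc(len);
	if (!dst)
		return ERR_PTR(-ENOMEM);
	memcpy(dst, src, len);
	return dst;
}

/* Pattern quoted in the description: IS_ERR() is the only guard, so with
 * output_buffer_length == 0 the caller is handed 0x10 and later dereferences it. */
static long vulnerable_get_buffer(const void *arg, unsigned int out_len, void **out)
{
	void *buffer = model_memdup_user(arg, out_len);
	if (IS_ERR(buffer))
		return PTR_ERR(buffer);
	*out = buffer;   /* ZERO_SIZE_PTR slips through here */
	return 0;
}

/* Hardened pattern (our illustration of the fix the description summarises): refuse
 * output buffers under 8 bytes before copying, covering FileEndOfFileInformation too. */
static long hardened_get_buffer(const void *arg, unsigned int out_len, void **out)
{
	void *buffer;
	if (out_len < 8)
		return -EINVAL;
	buffer = model_memdup_user(arg, out_len);
	if (IS_ERR(buffer))
		return PTR_ERR(buffer);
	*out = buffer;
	return 0;
}
static void *g_out;   /* scratch output slot for exercising the two paths */
```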

Impact