GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.0/patches/2220133/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2220133,
    "url": "http://patchwork.ozlabs.org/api/1.0/patches/2220133/?format=api",
    "project": {
        "id": 12,
        "url": "http://patchwork.ozlabs.org/api/1.0/projects/12/?format=api",
        "name": "Linux CIFS Client",
        "link_name": "linux-cifs-client",
        "list_id": "linux-cifs.vger.kernel.org",
        "list_email": "linux-cifs@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<2026040636-unsigned-jackal-e239@gregkh>",
    "date": "2026-04-06T13:49:37",
    "name": "[1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "16404bc22f1e4decfe8d6d5037c312cb0dd0e9b4",
    "submitter": {
        "id": 11800,
        "url": "http://patchwork.ozlabs.org/api/1.0/people/11800/?format=api",
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/2026040636-unsigned-jackal-e239@gregkh/mbox/",
    "series": [
        {
            "id": 498856,
            "url": "http://patchwork.ozlabs.org/api/1.0/series/498856/?format=api",
            "date": "2026-04-06T13:49:37",
            "name": "smb: some potential bugfixes",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/498856/mbox/"
        }
    ],
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2220133/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <linux-cifs+bounces-10679-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-cifs@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=To6h9XC5;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10679-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=\"To6h9XC5\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"
        ],
        "Received": [
            "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq9gG4HFmz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 23:49:46 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 5FE8630146BD\n\tfor <incoming@patchwork.ozlabs.org>; Mon,  6 Apr 2026 13:49:44 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A0198175A9E;\n\tMon,  6 Apr 2026 13:49:41 +0000 (UTC)",
            "from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BC4412F585;\n\tMon,  6 Apr 2026 13:49:41 +0000 (UTC)",
            "by smtp.kernel.org (Postfix) with ESMTPSA id B03D6C4CEF7;\n\tMon,  6 Apr 2026 13:49:40 +0000 (UTC)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775483381; cv=none;\n b=brNjZnXoSiJPpPkpz5mQATk4R0nQ6UVI8myQ2rZwfs8DAQpowfuaduOHH/wxiqfDSEU1773n5c4uDFI2bBKRNr+03fjk0MvixGtDTjdBfPA1oddIWqZEJgauLfVW51P6/GBekpgMIgp7HfC0FvCO444xCdaOBMAvAo6JT4HHy6s=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775483381; c=relaxed/simple;\n\tbh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=u5C6Ye1JK+N7bxSbbEI36yJm1JnWaCYvt/fFCSCDMy3K3tW44unhpQu21ueCkCavqXbUkOhrwzuzfpHCzSF53gAFZadPh0x3HTyiyk6DXX6kFcBGdr6Y6+rgMg+iJ3/RLPENlkSyhF1sj+7Min8pGY8WMi2stjj+CSNx3G4mjFs=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=To6h9XC5;\n arc=none smtp.client-ip=10.30.226.201",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;\n\ts=korg; t=1775483381;\n\tbh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=To6h9XC5zP+xWBz0FzFGxcHhdJiVt7QI1Vq9SU297CnmbumwIuUx3EZTpmP1fihB1\n\t iQLu5GNl/TLRxXOf+HGpB60h3/kd/cMpbPp5R6WRDk4Gv2I1McfDfi49yfPm2SxRWF\n\t Wbz/f4FCxG6xmntVxIB6Qt/qW+KmUp9Dn/tzASKg=",
        "From": "Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
        "To": "linux-cifs@vger.kernel.org",
        "Cc": "linux-kernel@vger.kernel.org,\n\tGreg Kroah-Hartman <gregkh@linuxfoundation.org>,\n\tSteve French <sfrench@samba.org>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tRonnie Sahlberg <ronniesahlberg@gmail.com>,\n\tShyam Prasad N <sprasad@microsoft.com>,\n\tTom Talpey <tom@talpey.com>,\n\tBharath SM <bharathsm@microsoft.com>,\n\tsamba-technical@lists.samba.org,\n\tstable <stable@kernel.org>",
        "Subject": "[PATCH 1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()",
        "Date": "Mon,  6 Apr 2026 15:49:37 +0200",
        "Message-ID": "<2026040636-unsigned-jackal-e239@gregkh>",
        "X-Mailer": "git-send-email 2.53.0",
        "In-Reply-To": "<2026040635-banking-unsoiled-3250@gregkh>",
        "References": "<2026040635-banking-unsoiled-3250@gregkh>",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-cifs@vger.kernel.org",
        "List-Id": "<linux-cifs.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Lines": "49",
        "X-Developer-Signature": "v=1; a=openpgp-sha256; l=1895;\n i=gregkh@linuxfoundation.org; h=from:subject:message-id;\n bh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;\n b=owGbwMvMwCRo6H6F97bub03G02pJDJmXd37YvON0Y+CLz8fKbul+Pt/QzS5tbfrrpeC17U+3n\n 5Pe+GPJxY5YFgZBJgZZMUWWL9t4ju6vOKToZWh7GmYOKxPIEAYuTgGYSPcxhvklT4Lt51b5zRRO\n /3AqezXzJP1TBlcYFlyZd2OJ5PuqTwc9jvWucA059fXE/yUA",
        "X-Developer-Key": "i=gregkh@linuxfoundation.org; a=openpgp;\n fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\nname and value, but ea_data sits at offset sizeof(struct\nsmb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()\nlater reads ea->ea_data[0..nlen-1] and the value bytes follow at\nea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1\n+ vlen.  Isn't pointer math fun?\n\nThe earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the\n8-byte header is in bounds, but since the last EA is placed within 8\nbytes of the end of the response, the name and value bytes are read past\nthe end of iov.\n\nFix this mess all up by using ea->ea_data as the base for the bounds\ncheck.\n\nAn \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\ninto the EA name comparison and influence which WSL xattr the data is\ninterpreted as.\n\nCc: Steve French <sfrench@samba.org>\nCc: Paulo Alcantara <pc@manguebit.org>\nCc: Ronnie Sahlberg <ronniesahlberg@gmail.com>\nCc: Shyam Prasad N <sprasad@microsoft.com>\nCc: Tom Talpey <tom@talpey.com>\nCc: Bharath SM <bharathsm@microsoft.com>\nCc: linux-cifs@vger.kernel.org\nCc: samba-technical@lists.samba.org\nCc: stable <stable@kernel.org>\nAssisted-by: gregkh_clanker_t1000\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n---\n fs/smb/client/smb2inode.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)",
    "diff": "diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c\nindex 364bdcff9c9d..fe1c9d776580 100644\n--- a/fs/smb/client/smb2inode.c\n+++ b/fs/smb/client/smb2inode.c\n@@ -128,7 +128,7 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n \t\tnlen = ea->ea_name_length;\n \t\tvlen = le16_to_cpu(ea->ea_value_length);\n \t\tif (nlen != SMB2_WSL_XATTR_NAME_LEN ||\n-\t\t    (u8 *)ea + nlen + 1 + vlen > end)\n+\t\t    (u8 *)ea->ea_data + nlen + 1 + vlen > end)\n \t\t\treturn -EINVAL;\n \n \t\tswitch (vlen) {\n",
    "prefixes": [
        "1/2"
    ]
}