GET /api/1.2/patches/2223490/?format=api
{ "id": 2223490, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2223490/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260415112501.116426-2-michael.bommarito@gmail.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.2/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260415112501.116426-2-michael.bommarito@gmail.com>", "list_archive_url": null, "date": "2026-04-15T11:25:00", "name": "[v2,1/2] ksmbd: validate response sizes in ipc_validate_msg()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "79e7b421b0b2c75603734519bc7bd2d0e6c1ce53", "submitter": { "id": 93078, "url": "http://patchwork.ozlabs.org/api/1.2/people/93078/?format=api", "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260415112501.116426-2-michael.bommarito@gmail.com/mbox/", "series": [ { "id": 499975, "url": "http://patchwork.ozlabs.org/api/1.2/series/499975/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499975", "date": "2026-04-15T11:24:59", "name": "ksmbd: harden ipc_validate_msg() and smb_check_perm_dacl()", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/499975/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223490/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223490/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linux-cifs+bounces-10834-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": 
"patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=jmfFjiR7;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10834-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"jmfFjiR7\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.160.177", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwf2n43tRz1yHM\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:25:37 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 35D2E306FC0E\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:25:23 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id E74CA342524;\n\tWed, 15 Apr 2026 11:25:22 +0000 (UTC)", "from mail-qt1-f177.google.com (mail-qt1-f177.google.com\n [209.85.160.177])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 73EC8379998\n\tfor <linux-cifs@vger.kernel.org>; Wed, 15 Apr 2026 11:25:21 +0000 (UTC)", "by 
mail-qt1-f177.google.com with SMTP id\n d75a77b69052e-50d75bfb259so44073491cf.1\n for <linux-cifs@vger.kernel.org>;\n Wed, 15 Apr 2026 04:25:21 -0700 (PDT)", "from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net.\n [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n d75a77b69052e-50e1af9dc5fsm10621191cf.16.2026.04.15.04.25.18\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 15 Apr 2026 04:25:19 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776252322; cv=none;\n b=mw5/HZZ8ZFAsCstkAHAxsdTrCUg6TuLWwuOwXwsdf9s2m0+eqK7D+co5DgKnQVzkozYbPVFTUliJE9iA7TNm3onFvEvmNFwGq8VQ0bslYL+unSTdRUd9BPkds9frAXp9KkQwPUNM3P7EpIahk/2pi92+3J6jGUSnNvFEZ5toSDk=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776252322; c=relaxed/simple;\n\tbh=tYeUIH6LHvR6PIC/sVosrXxrgB8XX9duPCDm7zG4+V4=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=PNtdAIutp+ACdwOFmaCZAxOVZVuu4YlTow09VaAMfjTVM+mf1+pjW6fDFuQenuNGca1fXUieJi8BtOac9z1foMLuAMufG4jMw8zLDJG6b22w/gOCnillRtPWUz7gBQkAt60Xe9yjSyspc2C+BR0rpyYYnyUfQcgYluKv18WBVMk=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=jmfFjiR7; arc=none smtp.client-ip=209.85.160.177", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776252320; x=1776857120;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=u0HEvKnsU+8vNgxOY8boDbMT5EKcWTf7YNZVr8Eae3g=;\n b=jmfFjiR7S5WPZGy0zay8UiiiFHribsglpkPjflRUgiYjg/ouZegLovO4l5kFCV/Tul\n YAlu5IQuXaCmWxDXv6f5au41u+KA9/audYXFiGFzSxLCwcylDdm3sDoniNembRptveKb\n WiqUsZKYQhyyTE4B6nSJmqc2AyKoQ2iLWouDNDOKy0dPbta/lyNlvt60/NRq47hLTA6M\n 
vjoN3hQCu961wPnRiUZRrXkCfzFv86Kjog99j/LWQpsHSXkhGBzvpUnXkGMtB27divHP\n BS5RH8hjUHGVx+/vtcDtotUtD9c+Ndqhu75d+UtyrdVcHZOwVTkILHVlRTuIjTjtM9xE\n 5nDg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776252320; x=1776857120;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=u0HEvKnsU+8vNgxOY8boDbMT5EKcWTf7YNZVr8Eae3g=;\n b=mUNkaO+CE8PfLio7bXXQCgIWrP2Efiw0wCifNgXmMZGoQpz3YlhQ9WjMzJKU1QENM5\n jLXJTxUvQrGpiivPcpQUXCDmWCfjg0QPDcVUC2cdGB9SW9feHbL6IUcj4oK0emY5y1yT\n kMDBF70T5OshVVXq0UjXm5ZHUlcoeRFv+wCGBDgTcouzyVubMIrgs3N/tjtxohez0vJF\n S1oDsNXrks+K0vwg9XJnPv5CjJ/k8GT3LSmn8LldGwoIqQKh0zX5+JwTGuSjuyrsmMje\n IsbM220u3OShz/4n0dzra1epJj9fXXw/ivmsBRjl49z0O2TnQmijYSZIpcwob1bsZHkB\n 2GPA==", "X-Gm-Message-State": "AOJu0Yz9jWQKJlGaPSGGMTkSMUoyaYYmNr2EM7OXol2aG/DA1jxWlfYr\n\tO48EN1RwSII7WsrV3iDE8kFE1aIqs/9++eyYdNfppanxS5MeNcknnd2zRxkpAg==", "X-Gm-Gg": "AeBDiesEdpToqsvk3xyRvk9OnMJHSBFlwOiZSd4Dd4Hl13J+B1I3zd3VV2zVkcx8EIW\n\tCSfmZfmtqTwXH0zPbCS8hIGuYJrZAxSnz7FWaDFCgrk/DY8X5M5tvceYaPDy/aOyuS1X2Fw44a5\n\tuOhahUcHqVUheEAV1JOd5nCs/jyu5GEkMeBLtXnZT0hFygYD7ceZ19OiuIWwZKxmX15JzWrmaD2\n\ta832ZA8GmgqIqSqiOD7uJwnt3nVE5sfQw4PZaT+2fEKxfTYWQcUDtpF7G3O/6MsoPduihi9FsR4\n\tYjQzYKs6pTBiZn7pwYVityl5uiH3FV19v86J7K9BRg4KIUJp0SnjnOZxb5PFa/kwiRi0m4tvNLt\n\tksmY6X+Soz0T9tAEFR5dKa1Nta5f72xY3E70QfZbknNCyRdzKb1UuLCbTVRMx6pbsRVFJdkTTs1\n\tM4BtoH5neV4eH5nGyxczzXZkspN9wQwtDt/o6RpC/c5T215WTRCCSGn5mpjA7YPZU+g/BORNdVK\n\tbS2RMdWQTQT8oxYj4JSx4GVEth0PTdyiMBfJFjTq/so+w+Ka8hvm6dEOjZ4oCR3", "X-Received": "by 2002:a05:622a:8a0b:b0:50d:8c22:47f2 with SMTP id\n d75a77b69052e-50dd5bdb454mr250054181cf.44.1776252320060;\n Wed, 15 Apr 2026 04:25:20 -0700 (PDT)", "From": "Michael Bommarito <michael.bommarito@gmail.com>", "To": "linux-cifs@vger.kernel.org,\n\tNamjae Jeon <linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>", "Cc": "Sergey 
Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tstable@vger.kernel.org", "Subject": "[PATCH v2 1/2] ksmbd: validate response sizes in ipc_validate_msg()", "Date": "Wed, 15 Apr 2026 07:25:00 -0400", "Message-ID": "<20260415112501.116426-2-michael.bommarito@gmail.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260415112501.116426-1-michael.bommarito@gmail.com>", "References": "<20260414191533.1467353-1-michael.bommarito@gmail.com>\n <CAKYAXd9EBFBcy9bJ3=sJiYVYHAYjKYqOqD53UCJ8zWKXF0sAeg@mail.gmail.com>\n <CAKYAXd8B78Gde_7+Ph0cSL998k4qqs_okB0jky0m5h8i25_AGQ@mail.gmail.com>\n <20260415112501.116426-1-michael.bommarito@gmail.com>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "ipc_validate_msg() computes the expected message size for each\nresponse type by adding (or multiplying) attacker-controlled fields\nfrom the daemon response to a fixed struct size in unsigned int\narithmetic. Three cases can overflow:\n\n KSMBD_EVENT_RPC_REQUEST:\n msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;\n KSMBD_EVENT_SHARE_CONFIG_REQUEST:\n msg_sz = sizeof(struct ksmbd_share_config_response) +\n resp->payload_sz;\n KSMBD_EVENT_LOGIN_REQUEST_EXT:\n msg_sz = sizeof(struct ksmbd_login_response_ext) +\n resp->ngroups * sizeof(gid_t);\n\nresp->payload_sz is __u32 and resp->ngroups is __s32. Each addition\ncan wrap in unsigned int; the multiplication by sizeof(gid_t) mixes\nsigned and size_t, so a negative ngroups is converted to SIZE_MAX\nbefore the multiply. 
A wrapped value of msg_sz that happens to\nequal entry->msg_sz bypasses the size check on the next line, and\ndownstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,\nkmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the\nunverified length.\n\nUse check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST\npaths to detect integer overflow without constraining functional\npayload size; userspace ksmbd-tools grows NDR responses in 4096-byte\nchunks for calls like NetShareEnumAll, so a hard transport cap is\nunworkable on the response side. For LOGIN_REQUEST_EXT, reject\nresp->ngroups outside the signed [0, NGROUPS_MAX] range up front and\nreport the error from ipc_validate_msg() so it fires at the IPC\nboundary; with that bound the subsequent multiplication and addition\nstay well below UINT_MAX. The now-redundant ngroups check and\npr_err in ksmbd_alloc_user() are removed.\n\nThis is the response-side analogue of aab98e2dbd64 (\"ksmbd: fix\ninteger overflows on 32 bit systems\"), which hardened the request\nside.\n\nFixes: 0626e6641f6b (\"cifsd: add server handler for central processing and tranport layers\")\nFixes: a77e0e02af1c (\"ksmbd: add support for supplementary groups\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nAssisted-by: Codex:gpt-5-4\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\n fs/smb/server/mgmt/user_config.c | 6 ------\n fs/smb/server/transport_ipc.c | 16 +++++++++++++---\n 2 files changed, 13 insertions(+), 9 deletions(-)", "diff": "diff --git a/fs/smb/server/mgmt/user_config.c b/fs/smb/server/mgmt/user_config.c\nindex a3183fe5c536..cf45841d9d1b 100644\n--- a/fs/smb/server/mgmt/user_config.c\n+++ b/fs/smb/server/mgmt/user_config.c\n@@ -56,12 +56,6 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp,\n \t\tgoto err_free;\n \n \tif (resp_ext) {\n-\t\tif (resp_ext->ngroups > NGROUPS_MAX) {\n-\t\t\tpr_err(\"ngroups(%u) from login response exceeds 
max groups(%d)\\n\",\n-\t\t\t\t\tresp_ext->ngroups, NGROUPS_MAX);\n-\t\t\tgoto err_free;\n-\t\t}\n-\n \t\tuser->sgid = kmemdup(resp_ext->____payload,\n \t\t\t\t resp_ext->ngroups * sizeof(gid_t),\n \t\t\t\t KSMBD_DEFAULT_GFP);\ndiff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c\nindex 2dbabe2d8005..1c5645238bd3 100644\n--- a/fs/smb/server/transport_ipc.c\n+++ b/fs/smb/server/transport_ipc.c\n@@ -13,6 +13,7 @@\n #include <net/genetlink.h>\n #include <linux/socket.h>\n #include <linux/workqueue.h>\n+#include <linux/overflow.h>\n \n #include \"vfs_cache.h\"\n #include \"transport_ipc.h\"\n@@ -497,7 +498,9 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)\n \t{\n \t\tstruct ksmbd_rpc_command *resp = entry->response;\n \n-\t\tmsg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;\n+\t\tif (check_add_overflow(sizeof(struct ksmbd_rpc_command),\n+\t\t\t\t resp->payload_sz, &msg_sz))\n+\t\t\treturn -EINVAL;\n \t\tbreak;\n \t}\n \tcase KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST:\n@@ -516,8 +519,9 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)\n \t\t\tif (resp->payload_sz < resp->veto_list_sz)\n \t\t\t\treturn -EINVAL;\n \n-\t\t\tmsg_sz = sizeof(struct ksmbd_share_config_response) +\n-\t\t\t\t\tresp->payload_sz;\n+\t\t\tif (check_add_overflow(sizeof(struct ksmbd_share_config_response),\n+\t\t\t\t\t resp->payload_sz, &msg_sz))\n+\t\t\t\treturn -EINVAL;\n \t\t}\n \t\tbreak;\n \t}\n@@ -526,6 +530,12 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)\n \t\tstruct ksmbd_login_response_ext *resp = entry->response;\n \n \t\tif (resp->ngroups) {\n+\t\t\tif (resp->ngroups < 0 ||\n+\t\t\t resp->ngroups > NGROUPS_MAX) {\n+\t\t\t\tpr_err(\"ngroups(%d) from login response exceeds max groups(%d)\\n\",\n+\t\t\t\t resp->ngroups, NGROUPS_MAX);\n+\t\t\t\treturn -EINVAL;\n+\t\t\t}\n \t\t\tmsg_sz = sizeof(struct ksmbd_login_response_ext) +\n \t\t\t\t\tresp->ngroups * sizeof(gid_t);\n \t\t}\n", "prefixes": [ "v2", "1/2" ] }
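Review bot: Both new `check_add_overflow()` calls (the KSMBD_EVENT_RPC_REQUEST case here and the KSMBD_EVENT_SHARE_CONFIG_REQUEST case in the next hunk) pass three different types: a `size_t` from `sizeof`, the `__u32` `payload_sz`, and `&msg_sz`, which the description implies is `unsigned int` (its declaration is outside the hunk). Trees that accept mixed operand types test the sum against the destination type, so the check is sound there, but the patch is Cc'd to stable, and older trees, as far as I recall, require all three arguments to have the same type, so a backport may not build cleanly. Casting the constant gives one form that works in both: `if (check_add_overflow((unsigned int)sizeof(struct ksmbd_rpc_command), resp->payload_sz, &msg_sz))`. ipc_validate_msg() starts and ends outside these hunks, so the comparison with entry->msg_sz that consumes msg_sz is not visible here.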
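Review bot: The new `pr_err` text in the KSMBD_EVENT_LOGIN_REQUEST_EXT case says ngroups "exceeds max groups", but the same branch also rejects negative values, so the log line misstates why such a response was dropped; `pr_err("ngroups(%d) from login response is outside [0, %d]\n", resp->ngroups, NGROUPS_MAX);` covers both cases. Since the description treats the daemon response as attacker-controlled, `pr_err_ratelimited` would also keep repeated bad responses from flooding the log. With the guard deleted from ksmbd_alloc_user() in the first hunk, the `kmemdup()` length there appears to depend entirely on this check having run first, so a comment at that call such as `/* ngroups already bounded to [0, NGROUPS_MAX] by ipc_validate_msg() */` would record the invariant for the next reader. The rest of ipc_validate_msg() lies outside the hunk.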