[{"id":3674528,"web_url":"http://patchwork.ozlabs.org/comment/3674528/","msgid":"","list_archive_url":null,"date":"2026-04-08T02:51:12","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":88754,"url":"http://patchwork.ozlabs.org/api/people/88754/","name":"ChenXiaoSong","email":"chenxiaosong@chenxiaosong.com"},"content":"Sashiko reported another out-of-bounds issue: \nhttps://sashiko.dev/#/patchset/2026040635-banking-unsoiled-3250@gregkh\n\nShould we add the following checks in check_wsl_eas()?\n\n```\n--- a/fs/smb/client/smb2inode.c\n+++ b/fs/smb/client/smb2inode.c\n@@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n ea = (void *)((u8 *)rsp_iov->iov_base +\n le16_to_cpu(rsp->OutputBufferOffset));\n end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;\n+ if (ea + outlen > end)\n+ return -EINVAL;\n+\n for (;;) {\n if ((u8 *)ea > end - sizeof(*ea))\n return -EINVAL;\n```\n\nOn 4/6/26 21:49, Greg Kroah-Hartman wrote:\n> The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\n> name and value, but ea_data sits at offset sizeof(struct\n> smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()\n> later reads ea->ea_data[0..nlen-1] and the value bytes follow at\n> ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1\n> + vlen. Isn't pointer math fun?\n> \n> The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the\n> 8-byte header is in bounds, but since the last EA is placed within 8\n> bytes of the end of the response, the name and value bytes are read past\n> the end of iov.\n> \n> Fix this mess all up by using ea->ea_data as the base for the bounds\n> check.\n> \n> An \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\n> into the EA name comparison and influence which WSL xattr the data is\n> interpreted as.\n> \n> Cc: Steve French \n> Cc: Paulo Alcantara \n> Cc: Ronnie Sahlberg \n> Cc: Shyam Prasad N \n> Cc: Tom Talpey \n> Cc: Bharath SM \n> Cc: linux-cifs@vger.kernel.org\n> Cc: samba-technical@lists.samba.org\n> Cc: stable \n> Assisted-by: gregkh_clanker_t1000\n> Signed-off-by: Greg Kroah-Hartman \n> ---\n> fs/smb/client/smb2inode.c | 2 +-\n> 1 file changed, 1 insertion(+), 1 deletion(-)\n> \n> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c\n> index 364bdcff9c9d..fe1c9d776580 100644\n> --- a/fs/smb/client/smb2inode.c\n> +++ b/fs/smb/client/smb2inode.c\n> @@ -128,7 +128,7 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n> \t\tnlen = ea->ea_name_length;\n> \t\tvlen = le16_to_cpu(ea->ea_value_length);\n> \t\tif (nlen != SMB2_WSL_XATTR_NAME_LEN ||\n> -\t\t (u8 *)ea + nlen + 1 + vlen > end)\n> +\t\t (u8 *)ea->ea_data + nlen + 1 + vlen > end)\n> \t\t\treturn -EINVAL;\n> \n> \t\tswitch (vlen) {","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.a=rsa-sha256 header.s=key1 header.b=K3gra1ms;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10705-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=\"K3gra1ms\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.218.175.181","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=chenxiaosong.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fr72d6sSZz1xtJ\n\tfor ; Wed, 08 Apr 2026 12:54:49 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2EC10302D51A\n\tfor ; Wed, 8 Apr 2026 02:52:18 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id AFF803624B7;\n\tWed, 8 Apr 2026 02:52:17 +0000 (UTC)","from out-181.mta0.migadu.com (out-181.mta0.migadu.com\n [91.218.175.181])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C6101C8603\n\tfor ; Wed, 8 Apr 2026 02:52:15 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775616737; cv=none;\n b=TKwxMEeG8pF/ZbU1I7dgUTxjXeHBxCyEMeKPsJG9v8g7JFTk7ja8PiWfSyQQH8oe+Cbxx8b0YD66BPZ67L3YagaOe1P4kYkj7g3Adyqpp2lbGog3LGRXKzDcf53mbYiizbgnH5mhlSSrAkZIqmnwJrlOD5ptoHOQf+K5VgaZBII=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775616737; c=relaxed/simple;\n\tbh=nme6FxSTc7mbRbT3LshL26jQ/13hHiD9tkseTjOp5VA=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=t/e+PGmU5xRQmonBkDbNdrS/JdlIX7xPDwugAm1UTOsXTrpNVkxLME78wMbgiDcXglV94xD6lu6Q7rILpS72+Z8XznC/V2S43Clx6HDw8kd4FwlGYXfdNuy3HtJfIu35jJ0imzBK9jqLWdxMLM8oYBo2d/c28L4LPc3VuTjHaUs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com;\n spf=pass smtp.mailfrom=chenxiaosong.com;\n dkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=K3gra1ms; arc=none smtp.client-ip=91.218.175.181","Message-ID":"","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chenxiaosong.com;\n\ts=key1; t=1775616723;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=VZeZ/621orAKRtRcih+/9fcqr8O8xVLcE0ya2RhxK08=;\n\tb=K3gra1msscHwZphZX7LSr6dVxFD8tU0jkMMJB5ci9nLjTA1DAelpdoyFPQonDyX5QrJtGx\n\tqrk9CcVDuvaryef9hGD1IHvMgwm6enRx9zIaZGKxc51e/2BD4ugTrXQQIzMRrShck98E7z\n\tQ+sSmM/fOBX6Atr5iMX5ULs6GlctktMlsg2EPZzojH+ZP7citxN9BIas3VMgQnv3cNUi0L\n\tJXrglFsbUdOpROw8TlUnfZXc00unqp4maKtXlS9made9tYHunCMcZ5aWG3g5ZEQOX0hQg2\n\t8TlB0V1rXDQtanCJfrK0hSW8CUr1YMQw7GOJCPx/zBrpkt/zLjQD7z+1lZJwJQ==","Date":"Wed, 8 Apr 2026 10:51:12 +0800","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","To":"Greg Kroah-Hartman ,\n linux-cifs@vger.kernel.org","Cc":"linux-kernel@vger.kernel.org, Steve French ,\n Paulo Alcantara ,\n Ronnie Sahlberg ,\n Shyam Prasad N , Tom Talpey ,\n Bharath SM , samba-technical@lists.samba.org,\n stable ","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"ChenXiaoSong ","In-Reply-To":"<2026040636-unsigned-jackal-e239@gregkh>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT"}},{"id":3674563,"web_url":"http://patchwork.ozlabs.org/comment/3674563/","msgid":"<2026040822-shortly-chump-8518@gregkh>","list_archive_url":null,"date":"2026-04-08T05:39:08","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/people/11800/","name":"Greg Kroah-Hartman","email":"gregkh@linuxfoundation.org"},"content":"On Wed, Apr 08, 2026 at 10:51:12AM +0800, ChenXiaoSong wrote:\n> Sashiko reported another out-of-bounds issue:\n> https://sashiko.dev/#/patchset/2026040635-banking-unsoiled-3250@gregkh\n> \n> Should we add the following checks in check_wsl_eas()?\n> \n> ```\n> --- a/fs/smb/client/smb2inode.c\n> +++ b/fs/smb/client/smb2inode.c\n> @@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n> ea = (void *)((u8 *)rsp_iov->iov_base +\n> le16_to_cpu(rsp->OutputBufferOffset));\n> end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;\n> + if (ea + outlen > end)\n> + return -EINVAL;\n\nThen you would miss any \"first\" structures here, as I think the for loop\ncatches this later on with the line:\n\n\n> +\n> for (;;) {\n> if ((u8 *)ea > end - sizeof(*ea))\n> return -EINVAL;\n\nThat one, right?\n\nOr am I misreading this?\n\nPointer math is \"fun\" :(\n\nthanks,\n\ngreg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=ejM+kWyA;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10706-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=\"ejM+kWyA\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frBhR6mFWz1yD3\n\tfor ; Wed, 08 Apr 2026 15:39:19 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 268B9302B502\n\tfor ; Wed, 8 Apr 2026 05:39:15 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9DC8F35AC31;\n\tWed, 8 Apr 2026 05:39:11 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7517235AC1C;\n\tWed, 8 Apr 2026 05:39:11 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id B6D9AC19424;\n\tWed, 8 Apr 2026 05:39:10 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775626751; cv=none;\n b=g7oxeLuOE7zkN/+vVoRF+yx32r7mF0eyJm2CNFzkkLQAloWrDj54au1RxG2uGS5ke0aThq6dFs4vh8wwvyAjcGG3hojoSNGJRxIJkKJGTqvJDS6EFhvZBP5ILCFPMF6RTig1reL+TCx3tlmld+h7NUJCWtwmfg5QukxKjorjfzw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775626751; c=relaxed/simple;\n\tbh=OkZvr+eCSst2bY3IG17Uk5qWPQqKNgOnupWO0q74pVY=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=lymLWfSxJRBzAu9Ag5HY264rAGDjdmIPkiFz3v+x09ROsA0PwdgXNT2f1BKbi6Uze1RNH+RE3H6574nT8rIpl5uptm6seH8OjLp99SwtJ/EaFvPjUTmSfR9poyj9romVOC7d0csgVUbXUGoQFIFZRNJtEVWPh6LEcGo2iwOsieo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=ejM+kWyA;\n arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;\n\ts=korg; t=1775626751;\n\tbh=OkZvr+eCSst2bY3IG17Uk5qWPQqKNgOnupWO0q74pVY=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=ejM+kWyA7B31Cy0GSrnTOym8PFt+eHbZLk+WWxr/pkUrgrqAqBJ2HahAyQYri9uJE\n\t cHtEpPkeNZbt/nZVEesKsD2OU8ZhVdewN8H2q+KcWSerU6LEO/ZyUL8qZ8MVZ8l5cz\n\t DFAYpRZgEnAs+qjg+VMuFzb1UUB5j38ME1wk9+gc=","Date":"Wed, 8 Apr 2026 07:39:08 +0200","From":"Greg Kroah-Hartman ","To":"ChenXiaoSong ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tSteve French ,\n\tPaulo Alcantara ,\n\tRonnie Sahlberg ,\n\tShyam Prasad N , Tom Talpey ,\n\tBharath SM ,\n\tsamba-technical@lists.samba.org, stable ","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","Message-ID":"<2026040822-shortly-chump-8518@gregkh>","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n ","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":""}},{"id":3674568,"web_url":"http://patchwork.ozlabs.org/comment/3674568/","msgid":"<68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>","list_archive_url":null,"date":"2026-04-08T05:58:27","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":88754,"url":"http://patchwork.ozlabs.org/api/people/88754/","name":"ChenXiaoSong","email":"chenxiaosong@chenxiaosong.com"},"content":"The for loop does not seem to catch cases where `outlen` is excessively \nlarge. In such cases, smb2_compound_op() would use this large `outlen` \nto `memcpy()`, which could lead to OOB.\n\n```\nsmb2_compound_op()\n{\n\t...\n\tsize[0] = outlen; // very large\n\tcheck_wsl_eas()\n\tmemcpy(..., outlen) // out-of-bounds\n\t...\n}\n```\n\nOn 4/8/26 13:39, Greg Kroah-Hartman wrote:\n> On Wed, Apr 08, 2026 at 10:51:12AM +0800, ChenXiaoSong wrote:\n>> Sashiko reported another out-of-bounds issue:\n>> https://sashiko.dev/#/patchset/2026040635-banking-unsoiled-3250@gregkh\n>>\n>> Should we add the following checks in check_wsl_eas()?\n>>\n>> ```\n>> --- a/fs/smb/client/smb2inode.c\n>> +++ b/fs/smb/client/smb2inode.c\n>> @@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n>> ea = (void *)((u8 *)rsp_iov->iov_base +\n>> le16_to_cpu(rsp->OutputBufferOffset));\n>> end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;\n>> + if (ea + outlen > end)\n>> + return -EINVAL;\n> \n> Then you would miss any \"first\" structures here, as I think the for loop\n> catches this later on with the line:\n> \n> \n>> +\n>> for (;;) {\n>> if ((u8 *)ea > end - sizeof(*ea))\n>> return -EINVAL;\n> \n> That one, right?\n> \n> Or am I misreading this?\n> \n> Pointer math is \"fun\" :(\n> \n> thanks,\n> \n> greg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.a=rsa-sha256 header.s=key1 header.b=hgzBT5Q3;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10708-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=\"hgzBT5Q3\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.218.175.173","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=chenxiaosong.com"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frC7v7308z1xv0\n\tfor ; Wed, 08 Apr 2026 15:59:39 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 89ECB302D94B\n\tfor ; Wed, 8 Apr 2026 05:59:36 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9F1F8361DA5;\n\tWed, 8 Apr 2026 05:59:34 +0000 (UTC)","from out-173.mta0.migadu.com (out-173.mta0.migadu.com\n [91.218.175.173])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2FD96361668\n\tfor ; Wed, 8 Apr 2026 05:59:32 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775627974; cv=none;\n b=OrFXUseaO3MwwmfceduEI+JGJ85JgInnhcOREUktTNPdAo0hc+I3u/c3z3yZ42dKrz1xYUPm+5y4kDeXDVH5L5PTEMI9V3LiV/3li8vsjkVtRsk+98Qo930vfw6fWUoROqbigN8zrOWDNmWaWKSDfl3tPGaJWfpjhOw0hid2eog=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775627974; c=relaxed/simple;\n\tbh=xVIxbtIea2Zy2XrpkRKCbatOYUs0i15XfkSqs6z80Lg=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=MGpHQaOUQjHC0HLP6WuzNqJyeulb+LQ25g9RueDoR1ISHKlWzNuJH1RvxNK5PDs5vbQJAPzgSDv4XnvesCkePtmjvZczYOEIdR0kLVR0Hth7ousSI9A3+OHvJY9hsXKjfdZM0K/lzJ9aXEf6X/xEriycbt6U/0xpBohFca9qh9M=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com;\n spf=pass smtp.mailfrom=chenxiaosong.com;\n dkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=hgzBT5Q3; arc=none smtp.client-ip=91.218.175.173","Message-ID":"<68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chenxiaosong.com;\n\ts=key1; t=1775627960;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=kyizpbPf2SethJLAQustHYCjGlsy/KWMQjDIkCTOE2E=;\n\tb=hgzBT5Q3PyhXBEPxettMPAjFiAW0z0nPmKwzFioY+x7KR0NROPbZLxDGPAcmdXTt8phAo/\n\tNPS3j2HZF6kmOibTRlzkXUiSLovhdx8rF5G6pPjze6BQnaH+enF0RZysjPmLKUaECsdyA3\n\tc/GZHvcM5ScTgQ6nw54RWW0bpupxfX0LqHhySG4t5q+TwCYQDjZP4SnkUCZB1ZRI3TWEk+\n\tGtqhxM4qgGPHoZUZWqRYWKKqch1dcN0kc4uaJn2UoNIsDdZT84kTUqgifGdXMh70CENUnD\n\tp46EGshgi9px2ENwxUBQgfy2DWzooG8JCKOdEttxUdpq+5SofkTpj4ciZCMtXg==","Date":"Wed, 8 Apr 2026 13:58:27 +0800","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","To":"Greg Kroah-Hartman ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n Steve French , Paulo Alcantara ,\n Ronnie Sahlberg ,\n Shyam Prasad N , Tom Talpey ,\n Bharath SM , samba-technical@lists.samba.org,\n stable ","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"ChenXiaoSong ","In-Reply-To":"<2026040822-shortly-chump-8518@gregkh>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT"}},{"id":3674571,"web_url":"http://patchwork.ozlabs.org/comment/3674571/","msgid":"<2026040833-espresso-triangle-425d@gregkh>","list_archive_url":null,"date":"2026-04-08T06:15:53","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/people/11800/","name":"Greg Kroah-Hartman","email":"gregkh@linuxfoundation.org"},"content":"On Wed, Apr 08, 2026 at 01:58:27PM +0800, ChenXiaoSong wrote:\n> The for loop does not seem to catch cases where `outlen` is excessively\n> large. In such cases, smb2_compound_op() would use this large `outlen` to\n> `memcpy()`, which could lead to OOB.\n> \n> ```\n> smb2_compound_op()\n> {\n> \t...\n> \tsize[0] = outlen; // very large\n> \tcheck_wsl_eas()\n> \tmemcpy(..., outlen) // out-of-bounds\n> \t...\n> }\n> ```\n\nAh, I missed the caller site. Yeah, probably a good thing to check as\nwell, want to make up a patch?\n\nthanks,\ngreg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=EypEXkgV;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10709-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=\"EypEXkgV\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frCVq1hdwz1xtJ\n\tfor ; Wed, 08 Apr 2026 16:16:03 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 41089300D371\n\tfor ; Wed, 8 Apr 2026 06:15:58 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D272F3612F6;\n\tWed, 8 Apr 2026 06:15:56 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id AFA58359A9F;\n\tWed, 8 Apr 2026 06:15:56 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 0F34EC19424;\n\tWed, 8 Apr 2026 06:15:55 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775628956; cv=none;\n b=O5GRGjdG0sEN+7nDV+/usKzOq+tYEyAHOW1sUkIXffQNJ+ElVK4TGq1uH+1aUOrgKg6P8bF0P6ctXatpwkvd7N1bhuLnnaFwkEaYaa3hApzuO/bLY04abU555e0fu/uEqan4wYgkAv3OpOFICql7N6nNEfqJebWep3RvYsjr7Tk=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775628956; c=relaxed/simple;\n\tbh=DQbMRzTIQItd1odYO0Fm8Amjj0W3G7NcMs8kUqbYEvE=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=eYwdb3/irZt6/JDCVMisB06fGvHgMtyj4h+kbBdJDpVJwOwb6JoOYzZlwZGqbDpPdIV1CEAR93s0DjwtpxPCNPl9UgG1okngJmmw3V9FfAVhjU18Bw+iohDQ6v6gr6mivT6vueHtl53aCzyx5pyIoYp5sx7Rs3gZjvjQGT4fO/k=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=EypEXkgV;\n arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;\n\ts=korg; t=1775628956;\n\tbh=DQbMRzTIQItd1odYO0Fm8Amjj0W3G7NcMs8kUqbYEvE=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=EypEXkgV03LCwF7TXZpW3hKHLhu95MXvIKWDD6mWXPJ7TdchDJxbcy7HOR+gepGju\n\t mRMGkceI84mR2VEcNASL+snL4RrI2/0ssHSWmz85StE+3xP0E8pGK1gAijWw9D0Vj1\n\t zbglMt4y95RBZEHfOD5NF2uD1TmTOv2tBXf8gZx4=","Date":"Wed, 8 Apr 2026 08:15:53 +0200","From":"Greg Kroah-Hartman ","To":"ChenXiaoSong ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tSteve French ,\n\tPaulo Alcantara ,\n\tRonnie Sahlberg ,\n\tShyam Prasad N , Tom Talpey ,\n\tBharath SM ,\n\tsamba-technical@lists.samba.org, stable ","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","Message-ID":"<2026040833-espresso-triangle-425d@gregkh>","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>\n <68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>"}},{"id":3674573,"web_url":"http://patchwork.ozlabs.org/comment/3674573/","msgid":"","list_archive_url":null,"date":"2026-04-08T06:19:48","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":88754,"url":"http://patchwork.ozlabs.org/api/people/88754/","name":"ChenXiaoSong","email":"chenxiaosong@chenxiaosong.com"},"content":"Could you send v2 with this check added?\n\nI am currently reviewing another patch. Perhaps you could wait until I \nhave finished reviewing it.\n\nOn 4/8/26 14:15, Greg Kroah-Hartman wrote:\n> Ah, I missed the caller site. Yeah, probably a good thing to check as\n> well, want to make up a patch?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.a=rsa-sha256 header.s=key1 header.b=mOKZfd/9;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10710-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=\"mOKZfd/9\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.218.175.186","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=chenxiaosong.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frCcK2gXWz1yD3\n\tfor ; Wed, 08 Apr 2026 16:20:49 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 4FBB9301A927\n\tfor ; Wed, 8 Apr 2026 06:20:47 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A95F135C1B6;\n\tWed, 8 Apr 2026 06:20:45 +0000 (UTC)","from out-186.mta0.migadu.com (out-186.mta0.migadu.com\n [91.218.175.186])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id A733A282F2C\n\tfor ; Wed, 8 Apr 2026 06:20:41 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775629245; cv=none;\n b=DZZq+oPzT+xvO1vpummTfuJ0Tf5mqccUQhddYNfkk5JzqUQy0RO4MQR6wGQij6dmh6LkU19MtKMTV2vxA6vGfnJYtZWbFoyLMbuUktDIAvQyMpqDHI7EBWuyrKJDr9RBGgvrZodRj9ZjRNdjHwttz41brIYsCWG4bBynjX26JW8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775629245; c=relaxed/simple;\n\tbh=MJl/cRTIP8pZSs9M2nxtYap1jFT7FTMYAzKzl07Be3c=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=P1lSimyVsYYuabiI1edYWKW28R4a34ZYUPLC6bDTZ0YQHSb6MoxP8i8GCYmixo6TKjUKkl4hFLDRB/2BBP9w6MALfPQMCmsqqPhi49MKKZxJ8bypX1Xxb6Tr0FvRxaxcYCCRxaW9jALW4z3joXQXZOMjKXB1No0vtvX9zq8c50g=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com;\n spf=pass smtp.mailfrom=chenxiaosong.com;\n dkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=mOKZfd/9; arc=none smtp.client-ip=91.218.175.186","Message-ID":"","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chenxiaosong.com;\n\ts=key1; t=1775629239;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=kYU5bkJdbMIFqgaevph2uCBQue8kBmxDi1XOY4ekAsA=;\n\tb=mOKZfd/9GewPtrKBFwvYwcULUBdYAGYG2UHY7fMuC5B2MaK6eO2H7mcXLuDNQ42k+MT77U\n\tXgE6kSOwAVI5Cq0UM3LjQ7KDO4gEdUez0RM1hdgNoE9Z691qMTRxp1pPx6iPyfHYIcd8Ox\n\txQK4cGFGtzzohbkcTnxs0Z/+K6mUGteZ3iJ0Wb2nfeF0zX+mOTYbGBJNdkrBgyexFAkq5X\n\tq/WVZvunsDIUGwI4XlaFX87wJA52IntZKjZVtLmJ8HilsLnLSSq535W5EzdPD2MsbcEQRu\n\twXDJsqNiwva7HZb5/9YcQqmep2RmleWpLk95f+CFpTP1BTo1MTVsqCUh2IjKRQ==","Date":"Wed, 8 Apr 2026 14:19:48 +0800","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","To":"Greg Kroah-Hartman ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n Steve French , Paulo Alcantara ,\n Ronnie Sahlberg ,\n Shyam Prasad N , Tom Talpey ,\n Bharath SM , samba-technical@lists.samba.org,\n stable ","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>\n <68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>\n <2026040833-espresso-triangle-425d@gregkh>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"ChenXiaoSong ","In-Reply-To":"<2026040833-espresso-triangle-425d@gregkh>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT"}},{"id":3674583,"web_url":"http://patchwork.ozlabs.org/comment/3674583/","msgid":"<2026040846-winner-juniper-096c@gregkh>","list_archive_url":null,"date":"2026-04-08T06:40:25","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/people/11800/","name":"Greg Kroah-Hartman","email":"gregkh@linuxfoundation.org"},"content":"On Wed, Apr 08, 2026 at 02:19:48PM +0800, ChenXiaoSong wrote:\n> Could you send v2 with this check added?\n\nLooks like this was already accepted, and the additional check would be\njust that, an additional check :)\n\n> I am currently reviewing another patch. Perhaps you could wait until I have\n> finished reviewing it.\n\nI have no problem waiting, but as you found this one, I want to give you\nproper credit for the find/fix.\n\nthanks,\n\ngreg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=FeHoV0z5;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10711-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=\"FeHoV0z5\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frD34386Nz1xv0\n\tfor ; Wed, 08 Apr 2026 16:40:32 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 7C95E300FC6F\n\tfor ; Wed, 8 Apr 2026 06:40:29 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CA43B365A18;\n\tWed, 8 Apr 2026 06:40:28 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id A76BA36495E;\n\tWed, 8 Apr 2026 06:40:28 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id C75A2C19424;\n\tWed, 8 Apr 2026 06:40:27 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775630428; cv=none;\n b=dDO7u03NUdFMQCPyceyjHDtGI+6dnAXyneQjtj2HWvkNj3OcEeShB3btGtPwXj3xjKgdtszpVFXtX6Ty57oZ1BJHaAp5IzMEqtyIgVFI1QB4XU0f9zTj4WWW+DqhiljY8aMXKdhyW6bVDMZakn6sXCsR5SuyOmLYgjoipw4WXLI=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775630428; c=relaxed/simple;\n\tbh=DZr/CyiL0tBakOiW+bpiDccVL3DKrCbola+AqUVIKWM=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Aw+/HwDbKEPuhMD12zvrJsUQ2Iwb/otfUa0axZnC8zFOG28WV6h/sQBJrxyuTSgHcsk3CZ1Lj7IPrky0lnI56OJAxxhChuZsuDJpkPTWKR4lxAnnKE4VpdBbQZWQtbvqVxIvnvpKBa7Rrw1PVRg5RFZE3m4yjQ7BvykCSALHkx4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=FeHoV0z5;\n arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;\n\ts=korg; t=1775630428;\n\tbh=DZr/CyiL0tBakOiW+bpiDccVL3DKrCbola+AqUVIKWM=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=FeHoV0z52X3UhIEEeJHa7ZUwS42Udn4WyW57/pzPC+O9V42puHr9idD5eLcyQfPz0\n\t dcEwbZN8is8HvoqyLqgIXNQlej9KIHnJsjAUCP68ZF+6H0m2hsmGLGFOK3W/ct2Mms\n\t MTocVZK6EbOAKJQ2DvUDG4/YID17dQCTg13VQVxU=","Date":"Wed, 8 Apr 2026 08:40:25 +0200","From":"Greg Kroah-Hartman ","To":"ChenXiaoSong ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tSteve French ,\n\tPaulo Alcantara ,\n\tRonnie Sahlberg ,\n\tShyam Prasad N , Tom Talpey ,\n\tBharath SM ,\n\tsamba-technical@lists.samba.org, stable ","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","Message-ID":"<2026040846-winner-juniper-096c@gregkh>","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>\n <68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>\n <2026040833-espresso-triangle-425d@gregkh>\n ","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":""}},{"id":3674590,"web_url":"http://patchwork.ozlabs.org/comment/3674590/","msgid":"<0568bec2-b85e-4b5e-8765-8acc3d779c82@chenxiaosong.com>","list_archive_url":null,"date":"2026-04-08T06:52:31","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":88754,"url":"http://patchwork.ozlabs.org/api/people/88754/","name":"ChenXiaoSong","email":"chenxiaosong@chenxiaosong.com"},"content":"Sashiko found it, I just checked and confirmed it.\n\nCould you create another patch? I enjoy the review process more than \ncreating patches :)\n\nOn 4/8/26 14:40, Greg Kroah-Hartman wrote:\n> On Wed, Apr 08, 2026 at 02:19:48PM +0800, ChenXiaoSong wrote:\n>> Could you send v2 with this check added?\n> \n> Looks like this was already accepted, and the additional check would be\n> just that, an additional check :)\n> \n>> I am currently reviewing another patch. Perhaps you could wait until I have\n>> finished reviewing it.\n> \n> I have no problem waiting, but as you found this one, I want to give you\n> proper credit for the find/fix.\n> \n> thanks,\n> \n> greg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.a=rsa-sha256 header.s=key1 header.b=F2zYwAmQ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10713-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=\"F2zYwAmQ\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=95.215.58.179","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=chenxiaosong.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frDLX3Yj2z1yD3\n\tfor ; Wed, 08 Apr 2026 16:53:56 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 66AE730191A7\n\tfor ; Wed, 8 Apr 2026 06:53:42 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id F310734DB6C;\n\tWed, 8 Apr 2026 06:53:40 +0000 (UTC)","from out-179.mta1.migadu.com (out-179.mta1.migadu.com\n [95.215.58.179])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9C33C243387\n\tfor ; Wed, 8 Apr 2026 06:53:36 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775631220; cv=none;\n b=Ou/b8TCxVOb/wvNN2Y7JdBvuhYbql3dTizgiIyKwT67nGLMBjcy5SfQ5oOMr4p4/1NzBg9BozvMaFAykbOq3JhZfMajMjzIstCpJpEF608BIKP4UlYpn5I8DoS5u5H9CPaC7KSNRv1SkndYCCj4BKZMQ453MpeuiqI8gPBes0NU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775631220; c=relaxed/simple;\n\tbh=T5ifx0bGxeqyrtnPJNcUibhfQKYZwJM7hgIh3vhwKHc=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=DxUIPLpRbnUciN+yDPw3lTfkUcYCKpJwx5f6skpgSawzLzDWGH5sSk18g7/kpnKm3857MbB0gs1MQBjfl2D3BcC6lqZeqqKLFI7yHQXQXSYMPq/oWNE94oTfQORwxU7RGSoV+Sol6dJQxmdAt/OsknVhyrHjVmX4rCom8LsNn1w=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com;\n spf=pass smtp.mailfrom=chenxiaosong.com;\n dkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=F2zYwAmQ; arc=none smtp.client-ip=95.215.58.179","Message-ID":"<0568bec2-b85e-4b5e-8765-8acc3d779c82@chenxiaosong.com>","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chenxiaosong.com;\n\ts=key1; t=1775631214;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=Co90LOIbkTlrjBcAgJGvDYECpJbGFClNbFMmlhGg1/k=;\n\tb=F2zYwAmQmdvua3/49eaT99HN6aP5VHjFbOyRHH6q6rhgm8/0HoXf256h2Ij/n6VyNoHxH7\n\tNr4ykrFr+6pUjIeUuAJdgWpqGs8UIjs18AJgHj+9igeEa6qnXP+4KM4QgFr0HGir5cXGnq\n\tYF5N6kwAboJDJCmKWxoBsTb8jEmAZmji+fHeAS8EtDliD1rBeOZjO/miQyvmuQ9qJalx/i\n\tXxiKYqr/SSq0LdQjqtxwVgB92wJmVZkO6AMi28IgcOWTz0qSDwyqhgg+A7N4x4J7JdhUC4\n\tgBnhV17XkiolaU5eytaBscWhN/Z44Iw0xON+g0qBYutF2dNEN5bPdzoyI8GMdw==","Date":"Wed, 8 Apr 2026 14:52:31 +0800","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","To":"Greg Kroah-Hartman ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n Steve French , Paulo Alcantara ,\n Ronnie Sahlberg ,\n Shyam Prasad N , Tom Talpey ,\n Bharath SM , samba-technical@lists.samba.org,\n stable ","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>\n <68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>\n <2026040833-espresso-triangle-425d@gregkh>\n \n <2026040846-winner-juniper-096c@gregkh>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"ChenXiaoSong ","In-Reply-To":"<2026040846-winner-juniper-096c@gregkh>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT"}},{"id":3674592,"web_url":"http://patchwork.ozlabs.org/comment/3674592/","msgid":"<2026040829-control-capacity-1806@gregkh>","list_archive_url":null,"date":"2026-04-08T06:56:55","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/people/11800/","name":"Greg Kroah-Hartman","email":"gregkh@linuxfoundation.org"},"content":"On Wed, Apr 08, 2026 at 02:52:31PM +0800, ChenXiaoSong wrote:\n> Sashiko found it, I just checked and confirmed it.\n> \n> Could you create another patch? I enjoy the review process more than\n> creating patches :)\n\nWill do, I'll add that to my queue, but might take a few days if someone\nwants to \"beat\" me to it, I'll have no objection at all :)\n\nthanks,\n\ngreg k-h","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=aCQUWXsZ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10714-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=\"aCQUWXsZ\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frDSC6fMnz1xv0\n\tfor ; Wed, 08 Apr 2026 16:58:51 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 11A4D3017272\n\tfor ; Wed, 8 Apr 2026 06:58:49 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 40F3D36E475;\n\tWed, 8 Apr 2026 06:58:47 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 1DD5E36DA16;\n\tWed, 8 Apr 2026 06:58:47 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id A6C0DC2BCB2;\n\tWed, 8 Apr 2026 06:58:46 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775631527; cv=none;\n b=ZyB4MeS2N0U31M6ObBOVqi/anMGDHqMo3d9tx4ygIVe36zHarfc9cx9jpZMDmlD3j3bASjWtmJ0p/vQMDeqYbxbzGJxsi8dA/niEOV5K+HqoPsRMV9VxWeXyZPlTXOjDgEVLS7N+cGfIZ1YAxnpGOYoNl61yadl/OmIp0fO7Vl0=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775631527; c=relaxed/simple;\n\tbh=ydOZvHMnEanUmXgYbqc6wkG84oVARJV1WZguFd5BtlE=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Jw8M4dHx/cElRl9pmJNObCu7US6Lhc2gUjlLADfMXaqewUoHBDBMrdXUkSlQsD7qvMgv8QCE1B3UjFmyjflCQPJLTEebuMLcxnBUDw2pEqikxLU2Sa8XLnNFs8yGJ6gBmonEYvYhX2hBBjc3AmMHVfQhQ9wy7d5Is5pkZooGkoA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (1024-bit key) header.d=linuxfoundation.org\n header.i=@linuxfoundation.org header.b=aCQUWXsZ;\n arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;\n\ts=korg; t=1775631527;\n\tbh=ydOZvHMnEanUmXgYbqc6wkG84oVARJV1WZguFd5BtlE=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=aCQUWXsZnIt/mSqfOF95twJd+DleGfxWYE+Z9jQwJ3Fi6LAKdeQv1A4nXyiFTYtGw\n\t AqdKWDEuwzOnYO3t0RKZbzjZo+K1+jE8bc09x+vigyYzO0C50bfeLozCPYdHf5huka\n\t AzzVlEhLM+F6+EqVfcgDibdybMRg1ZIWy2IQu7w8=","Date":"Wed, 8 Apr 2026 08:56:55 +0200","From":"Greg Kroah-Hartman ","To":"ChenXiaoSong ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tSteve French ,\n\tPaulo Alcantara ,\n\tRonnie Sahlberg ,\n\tShyam Prasad N , Tom Talpey ,\n\tBharath SM ,\n\tsamba-technical@lists.samba.org, stable ","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","Message-ID":"<2026040829-control-capacity-1806@gregkh>","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>\n <68bc86cc-1c57-4734-9c75-14c9de80bd71@chenxiaosong.com>\n <2026040833-espresso-triangle-425d@gregkh>\n \n <2026040846-winner-juniper-096c@gregkh>\n <0568bec2-b85e-4b5e-8765-8acc3d779c82@chenxiaosong.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<0568bec2-b85e-4b5e-8765-8acc3d779c82@chenxiaosong.com>"}},{"id":3674688,"web_url":"http://patchwork.ozlabs.org/comment/3674688/","msgid":"<1F39D765-2631-40EB-9B1A-131B5753599A@stu.pku.edu.cn>","list_archive_url":null,"date":"2026-04-08T09:39:09","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":93082,"url":"http://patchwork.ozlabs.org/api/people/93082/","name":"Yuanfu Xie","email":"yuanfuxie@stu.pku.edu.cn"},"content":"[PATCH] smb: client: add bounds checks when iterating SMB1 WSL EAs\n\nAdd boundary and overflow checks when traversing extended attribute (EA)\nentries for SMB1 WSL reparse points in cifs_query_path_info(), to prevent\nout-of-bounds memory accesses from malformed next_entry_offset values.\n\nThis is necessary because SMB1 WSL EA iteration does not currently have\nany explicit bounds checking, unlike SMB2 path which has check_wsl_eas().\nThe new checks ensure the current EA pointer plus its size does not\nexceed the end of the EA buffer during iteration and before parsing.\n\nSigned-off-by: YuanfuXie \n---\n fs/smb/client/smb1ops.c | 12 ++++++++++--\n 1 file changed, 10 insertions(+), 2 deletions(-)\n\ndiff --git a/fs/smb/client/smb1ops.c b/fs/smb/client/smb1ops.c\nindex 9694117050a6..940bae49b2cc 100644\n--- a/fs/smb/client/smb1ops.c\n+++ b/fs/smb/client/smb1ops.c\n@@ -645,13 +645,17 @@ static int cifs_query_path_info(const unsigned int xid,\n \tif (!rc && data->reparse_point) {\n \t\tstruct smb2_file_full_ea_info *ea;\n \t\tu32 next = 0;\n+\t\tu8 *eas_end = data->wsl.eas + data->wsl.eas_len;\n \n \t\tea = (struct smb2_file_full_ea_info *)data->wsl.eas;\n \t\tdo {\n \t\t\tea = (void *)((u8 *)ea + next);\n+\t\t\tif ((u8 *)ea + sizeof(*ea) > eas_end)\n+\t\t\t\tbreak;\n \t\t\tnext = le32_to_cpu(ea->next_entry_offset);\n \t\t} while (next);\n-\t\tif (le16_to_cpu(ea->ea_value_length)) {\n+\t\tif ((u8 *)ea + sizeof(*ea) <= eas_end &&\n+\t\t le16_to_cpu(ea->ea_value_length)) {\n \t\t\tea->next_entry_offset = cpu_to_le32(ALIGN(sizeof(*ea) +\n \t\t\t\t\t\tea->ea_name_length + 1 +\n \t\t\t\t\t\tle16_to_cpu(ea->ea_value_length), 4));\n@@ -691,13 +695,17 @@ static int cifs_query_path_info(const unsigned int xid,\n \tif (!rc && data->reparse_point) {\n \t\tstruct smb2_file_full_ea_info *ea;\n \t\tu32 next = 0;\n+\t\tu8 *eas_end = data->wsl.eas + data->wsl.eas_len;\n \n \t\tea = (struct smb2_file_full_ea_info *)data->wsl.eas;\n \t\tdo {\n \t\t\tea = (void *)((u8 *)ea + next);\n+\t\t\tif ((u8 *)ea + sizeof(*ea) > eas_end)\n+\t\t\t\tbreak;\n \t\t\tnext = le32_to_cpu(ea->next_entry_offset);\n \t\t} while (next);\n-\t\tif (le16_to_cpu(ea->ea_value_length)) {\n+\t\tif ((u8 *)ea + sizeof(*ea) <= eas_end &&\n+\t\t le16_to_cpu(ea->ea_value_length)) {\n \t\t\tea->next_entry_offset = cpu_to_le32(ALIGN(sizeof(*ea) +\n \t\t\t\t\t\tea->ea_name_length + 1 +\n \t\t\t\t\t\tle16_to_cpu(ea->ea_value_length), 4));","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=stu.pku.edu.cn header.i=@stu.pku.edu.cn\n header.a=rsa-sha256 header.s=default header.b=GXsqupK7;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10716-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=stu.pku.edu.cn header.i=@stu.pku.edu.cn\n header.b=\"GXsqupK7\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=45.254.49.197","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=stu.pku.edu.cn","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=stu.pku.edu.cn"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frJ8g4FCqz1xv0\n\tfor ; Wed, 08 Apr 2026 19:45:39 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 2E28E300C388\n\tfor ; Wed, 8 Apr 2026 09:39:46 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 280B2364E93;\n\tWed, 8 Apr 2026 09:39:35 +0000 (UTC)","from mail-m49197.qiye.163.com (mail-m49197.qiye.163.com\n [45.254.49.197])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id AF17623EABC;\n\tWed, 8 Apr 2026 09:39:29 +0000 (UTC)","from smtpclient.apple (unknown [58.206.232.189])\n\tby smtp.qiye.163.com (Hmail) with ESMTP id 39f15eb4b;\n\tWed, 8 Apr 2026 17:39:20 +0800 (GMT+08:00)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775641175; cv=none;\n b=LA/p9uHNJTA/BsPG1YRZs0Vt4M3G9b3Vy6areDdFbkOsdud8iVDfF1vc+Y61RPwfnNOFegUrHpGlOZt0yZU2ydCnhZLY5sP316ACAH1hzkN9y9sDy3rI8Gh+bwj/crGFUS38fdBCo0O82Tj/JLlOEuVRxqh6rDDQ1x/7Xls31mw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775641175; c=relaxed/simple;\n\tbh=Gb1Xrqu+8dtdfVKpK50SdS/TSSqAO94bBFu2WIbxl0Q=;\n\th=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:\n\t Message-Id:References:To;\n b=YU8JwICKuyImISx+IWAS+JD/a8ZC53WWL4KCcieuu2DnzWNk364/MnsPgKlisl4gG26XBcmpvMj61IcQyhaJm19kZADAbZTLsonSsCeksP5Uw5AqqCuDew0SHWEDwl/WX7EYundicjfWMETqBFARp3If1cJyu2+mIm7fXzBLoYk=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=stu.pku.edu.cn;\n spf=pass smtp.mailfrom=stu.pku.edu.cn;\n dkim=pass (1024-bit key) header.d=stu.pku.edu.cn header.i=@stu.pku.edu.cn\n header.b=GXsqupK7; arc=none smtp.client-ip=45.254.49.197","Content-Type":"text/plain;\n\tcharset=us-ascii","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","Mime-Version":"1.0 (Mac OS X Mail 16.0 \\(3864.500.181\\))","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","From":"Yuanfu Xie ","In-Reply-To":"<2026040636-unsigned-jackal-e239@gregkh>","Date":"Wed, 8 Apr 2026 17:39:09 +0800","Cc":"linux-cifs@vger.kernel.org,\n linux-kernel@vger.kernel.org,\n Steve French ,\n Paulo Alcantara ,\n Ronnie Sahlberg ,\n Shyam Prasad N ,\n Tom Talpey ,\n Bharath SM ,\n samba-technical@lists.samba.org,\n stable ","Content-Transfer-Encoding":"quoted-printable","Message-Id":"<1F39D765-2631-40EB-9B1A-131B5753599A@stu.pku.edu.cn>","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>","To":"Greg Kroah-Hartman ","X-Mailer":"Apple Mail (2.3864.500.181)","X-HM-Tid":"0a9d6c75e9d103a1kunm5a3f7b8137c0f","X-HM-MType":"10","X-HM-Spam-Status":"e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly\n\ttZV1koWUFITzdXWS1ZQUlXWQ8JGhUIEh9ZQVkZSRofVh0eHRpJTBgfTk4ZTVYeHw5VEwETFhoSFy\n\tQUDg9ZV1kYEgtZQVlOQ1VJS01VSUhJVUpDQllXWRYaDxIVHRRZQVlPS0hVSktISk5MTlVKS0tVSk\n\tJLS1kG","DKIM-Signature":"a=rsa-sha256;\n\tb=GXsqupK7a0b2A/VSDyK1MDTRIg4W9KC2eY3eoW+UlxC1qdG2ZRED6RrzzNuD4QB6wsp+LwVBKH19lJwfHd5bVCCkMTlPjpULAY+GHwkrnUFMlahO0+ueYsamoIJY8Xmi27mn8abHBL0pAWq53jCBSljKpWX00zp1uhaCSkRqatw=;\n s=default; c=relaxed/relaxed; d=stu.pku.edu.cn; v=1;\n\tbh=RY0WK+afdMqPqSsi6g+9H/saDXURk1JzxJogWSYhZCY=;\n\th=date:mime-version:subject:message-id:from;"}},{"id":3675055,"web_url":"http://patchwork.ozlabs.org/comment/3675055/","msgid":"<77013349-ff89-4593-985d-520d967d2638@chenxiaosong.com>","list_archive_url":null,"date":"2026-04-09T03:09:47","subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","submitter":{"id":88754,"url":"http://patchwork.ozlabs.org/api/people/88754/","name":"ChenXiaoSong","email":"chenxiaosong@chenxiaosong.com"},"content":"Hi Steve,\n\nShould we use `get_unaligned_le32()` to get unaligned data?\n\n> static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,\n> void *ptr) \n> { \n> u32 uid = le32_to_cpu(*(__le32 *)ptr);\n> ...\n> } \n\n\n> \n> Additionally, does parsing these extended attributes cause unaligned memory\n> accesses?\n> When parsing WSL extended attributes, the code derives the value pointer\n> at an offset of ea_name_length (which is 6) plus 1 from ea_data. Since\n> ea is a 4-byte aligned structure, the value sits at an unaligned offset.\n> Helper functions like wsl_make_kuid() explicitly cast this unaligned\n> pointer to a 32-bit type and dereference it:\n> le32_to_cpu(*(__le32 *)v);\n> \n> Could this trigger an unaligned access exception and crash the kernel on\n> architectures with strict alignment requirements?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.a=rsa-sha256 header.s=key1 header.b=g9AgRE7c;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10728-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=\"g9AgRE7c\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=95.215.58.173","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=chenxiaosong.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frlMy0Wwnz1yCv\n\tfor ; Thu, 09 Apr 2026 13:11:58 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id A52063016ECD\n\tfor ; Thu, 9 Apr 2026 03:11:51 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D27FC36CDEB;\n\tThu, 9 Apr 2026 03:11:50 +0000 (UTC)","from out-173.mta1.migadu.com (out-173.mta1.migadu.com\n [95.215.58.173])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A5F64A23\n\tfor ; Thu, 9 Apr 2026 03:11:48 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775704310; cv=none;\n b=aZSMTqO5+a1WjMlZSQBNaySZW2utbVufIjtwNKyD/qbfO4PFtR9NFeQuMaOIRhipY6V+zHq4XPxvy768t3PA3QnixiIoV9wdMFXHZDkeSEkZPh6YlCr0A+HamcdrgMhwmPIhZvsMePC7wjf4LMggV+eCom5vrLCiCF4JYNVT+C4=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775704310; c=relaxed/simple;\n\tbh=BKu6slQSA59rMwyjMqQttlERuky3a+Q080V04uN6zGo=;\n\th=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:\n\t In-Reply-To:Content-Type;\n b=YEdP9rT9oJYCwRfSmFN7U05E3zOpFiWNUUvyqg8p1S4XGKuO/cCUMIqgErewJmmNUh4furOjD0XqOpL+65ycyzCZ5itUPUafSVHLYZgGN9fINWz+A6YcLNfmCxJf3l710CjVhlSGtkmAdwBAUq5yJ1AehWSwMXnT2IVCyxjb3Y8=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=chenxiaosong.com;\n spf=pass smtp.mailfrom=chenxiaosong.com;\n dkim=pass (2048-bit key) header.d=chenxiaosong.com header.i=@chenxiaosong.com\n header.b=g9AgRE7c; arc=none smtp.client-ip=95.215.58.173","Message-ID":"<77013349-ff89-4593-985d-520d967d2638@chenxiaosong.com>","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chenxiaosong.com;\n\ts=key1; t=1775704306;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=iy2d63mOs0uVe10NEgVk9hD0DgC4FR98sN+wcxJYrDM=;\n\tb=g9AgRE7cvI3s6sDV56zddFWQ6Q3vG0XjFOcQPWu4HWoUH9jVNpdnqgLnq9PNgN1+nGzAi4\n\ty27Y6uNlIQoAPklwrBsnbWaYqZvhqllwRxI0MwKa1eCEo1j7/OfHMje4yORFigCk7utgzI\n\t8ep0QJndFPa9UoGk9jMSpidyWwgvLyzgyikOwJOnYXgoxVnnHfQ1GiQIOI9dVaq6EFcae5\n\t6INw2r+iTS+phJwpp1A8QJzQot+jWQgbwy51fMVHhmmwfAFqRat6LHzC+cKohwE8m27H0X\n\traRDWroYnVSD8bC9cDv6zCcKaKVYtgEsixK5A7D8Qf7UVC8bTm3P7nIGY/SDcg==","Date":"Thu, 9 Apr 2026 11:09:47 +0800","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Subject":"Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in\n check_wsl_eas()","To":"Steve French ","Cc":"linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,\n Paulo Alcantara ,\n Greg Kroah-Hartman ,\n Ronnie Sahlberg ,\n Shyam Prasad N , Tom Talpey ,\n Bharath SM , samba-technical@lists.samba.org,\n stable ","References":"<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-unsigned-jackal-e239@gregkh>\n \n <2026040822-shortly-chump-8518@gregkh>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"ChenXiaoSong ","In-Reply-To":"<2026040822-shortly-chump-8518@gregkh>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT"}}]