[{"id":3677620,"web_url":"http://patchwork.ozlabs.org/comment/3677620/","msgid":"<mbrdhvinfbr53a5k7ybmeahzezkboundsgqk4ohdyaz2m3xyu4@64oxh33do2bv>","list_archive_url":null,"date":"2026-04-15T11:50:37","subject":"Re: [PATCH v2] smb: client: fix integer underflow in\n receive_encrypted_read()","submitter":{"id":78375,"url":"http://patchwork.ozlabs.org/api/people/78375/","name":"Enzo Matsumiya","email":"ematsumiya@suse.de"},"content":"On 04/15, Dudu Lu wrote:\n>In receive_encrypted_read(), the length of data to read from the socket\n>is computed as:\n>\n>  len = le32_to_cpu(tr_hdr->OriginalMessageSize) -\n>        server->vals->read_rsp_size;\n>\n>OriginalMessageSize comes from the server's transform header and is\n>untrusted. If a malicious server sends a value smaller than\n>read_rsp_size, the unsigned subtraction wraps to a very large value\n>(~4GB). This value is then passed to netfs_alloc_folioq_buffer() and\n>cifs_read_iter_from_socket(), causing either a massive allocation\n>attempt that fails with -ENOMEM (DoS), or under extreme memory\n>pressure, potential heap corruption.\n>\n>Fix by adding a check that OriginalMessageSize is at least\n>read_rsp_size before the subtraction. 
On failure, jump to\n>discard_data to drain the remaining PDU from the socket, preventing\n>desync of subsequent reads on the connection.\n>\n>Signed-off-by: Dudu Lu <phx0fer@gmail.com>\n>---\n> fs/smb/client/smb2ops.c | 8 ++++++++\n> 1 file changed, 8 insertions(+)\n>\n>diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c\n>index 509fcea28a42..a2105f4b54db 100644\n>--- a/fs/smb/client/smb2ops.c\n>+++ b/fs/smb/client/smb2ops.c\n>@@ -4943,6 +4943,14 @@ receive_encrypted_read(struct TCP_Server_Info *server, struct mid_q_entry **mid,\n> \t\tgoto free_dw;\n> \tserver->total_read += rc;\n>\n>+\tif (le32_to_cpu(tr_hdr->OriginalMessageSize) <\n>+\t    server->vals->read_rsp_size) {\n>+\t\tcifs_server_dbg(VFS, \"OriginalMessageSize %u too small for read response (%zu)\\n\",\n>+\t\t\tle32_to_cpu(tr_hdr->OriginalMessageSize),\n>+\t\t\tserver->vals->read_rsp_size);\n>+\t\trc = -EINVAL;\n>+\t\tgoto discard_data;\n>+\t}\n\nYou could replace it with:\n\n\tif (check_sub_overflow(le32_to_cpu(tr_hdr->OriginalMessageSize),\n\t\t\t       server->vals->read_rsp_size, &len)) {\n\t\t...\n\t}\n\nfor subtraction + check in one shot.\n\nPatch is ok nonetheless.\n\n\nCheers,\n\nEnzo","headers":{"Return-Path":"\n <linux-cifs+bounces-10836-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=rq4y1pmA;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=qUX+wXbJ;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=rq4y1pmA;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 
header.b=qUX+wXbJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10836-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"rq4y1pmA\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"qUX+wXbJ\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"rq4y1pmA\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"qUX+wXbJ\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de","smtp-out2.suse.de;\n\tnone"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwfbr3PKLz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:50:48 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id AF501300BC91\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:50:46 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id DECF12BD11;\n\tWed, 15 Apr 2026 11:50:43 +0000 (UTC)","from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 87DBD32AABD\n\tfor <linux-cifs@vger.kernel.org>; Wed, 15 Apr 
2026 11:50:42 +0000 (UTC)","from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id D2E495BD23;\n\tWed, 15 Apr 2026 11:50:40 +0000 (UTC)","from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 5D2464B9BF;\n\tWed, 15 Apr 2026 11:50:40 +0000 (UTC)","from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid 8bIJCZB732n2AgAAD6G6ig\n\t(envelope-from <ematsumiya@suse.de>); Wed, 15 Apr 2026 11:50:40 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776253843; cv=none;\n b=Fr7gGCahTNxSAkzYjXfN7qN/UXbBeg+8h6ObijuHYXUydt4n3XIPUwPSDc/3V7sz1pHR9NdQiVyaGhlL3ZlOLeF1zkiiDM6L4TYFtvfRI53BCurT7g3ET7Lf5/2hKroCypOhbI5iK2W5t8uqOuOyK1bb1a5MG1PLoH0/9CvYGQc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776253843; c=relaxed/simple;\n\tbh=mUwAMAovOgb92nsIM1r3PWuaBRbK2s3Qe3chtxmTnYk=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=txnILZMm+NfRTzpsQA8mZxNtbU54RWpYKvn088rqG9evAUb7zisodLR5jMwIrHjLEv0xXP5wzWsq3K9BXPJ+1+yf8oVImLT8yi+S22Joe0B7f/NfDyLEQyTVg1P/c7mDCBjGOhPl6vzahpvRsNJVYAM796U/StUL2A1IacFfpqk=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=rq4y1pmA;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=qUX+wXbJ;\n 
dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=rq4y1pmA;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=qUX+wXbJ; arc=none smtp.client-ip=195.135.223.131","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776253840;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=Y/cFEYEDFGm3FgmMyMQYDFi2Uz6ERCGXKrccZY1RQek=;\n\tb=rq4y1pmASKAxq+l750nLj61OjfliszDT3CwRhLJc3nYWw84r4ZDFVISuA3/HTviRtZ7qmK\n\tDZOQRyp721PS+s2SqAVSHibMCdAv24u32Ab8jcxZq8LoYE3SFxj4KJI/h3APc64DMZJQA2\n\t2s2hKBGm584K65P0AsQdi5R7FDpJDn0=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776253840;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=Y/cFEYEDFGm3FgmMyMQYDFi2Uz6ERCGXKrccZY1RQek=;\n\tb=qUX+wXbJPvPEVx4FToJqlWBYMVrXXSzVLnGTtzcU/DR2PFa7xcvUvJbXQ5k6tgz3XLnqNw\n\tDvvlV/0V4y+j5TAw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776253840;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=Y/cFEYEDFGm3FgmMyMQYDFi2Uz6ERCGXKrccZY1RQek=;\n\tb=rq4y1pmASKAxq+l750nLj61OjfliszDT3CwRhLJc3nYWw84r4ZDFVISuA3/HTviRtZ7qmK\n\tDZOQRyp721PS+s2SqAVSHibMCdAv24u32Ab8jcxZq8LoYE3SFxj4KJI/h3APc64DMZJQA2\n\t2s2hKBGm584K65P0AsQdi5R7FDpJDn0=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776253840;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:content-type:content-type:\n\t 
in-reply-to:in-reply-to:references:references;\n\tbh=Y/cFEYEDFGm3FgmMyMQYDFi2Uz6ERCGXKrccZY1RQek=;\n\tb=qUX+wXbJPvPEVx4FToJqlWBYMVrXXSzVLnGTtzcU/DR2PFa7xcvUvJbXQ5k6tgz3XLnqNw\n\tDvvlV/0V4y+j5TAw=="],"Date":"Wed, 15 Apr 2026 08:50:37 -0300","From":"Enzo Matsumiya <ematsumiya@suse.de>","To":"Dudu Lu <phx0fer@gmail.com>","Cc":"smfrench@gmail.com, linux-cifs@vger.kernel.org","Subject":"Re: [PATCH v2] smb: client: fix integer underflow in\n receive_encrypted_read()","Message-ID":"<mbrdhvinfbr53a5k7ybmeahzezkboundsgqk4ohdyaz2m3xyu4@64oxh33do2bv>","References":"<20260415102424.65161-1-phx0fer@gmail.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii; format=flowed","Content-Disposition":"inline","In-Reply-To":"<20260415102424.65161-1-phx0fer@gmail.com>","X-Spam-Score":"-3.80","X-Spam-Level":"","X-Spamd-Result":"default: False [-3.80 / 50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tMID_RHS_NOT_FQDN(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tFREEMAIL_TO(0.00)[gmail.com];\n\tARC_NA(0.00)[];\n\tFREEMAIL_CC(0.00)[gmail.com,vger.kernel.org];\n\tRCVD_TLS_ALL(0.00)[];\n\tRCPT_COUNT_THREE(0.00)[3];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tMISSING_XM_UA(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tTO_DN_SOME(0.00)[]","X-Spam-Flag":"NO"}}]
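Review bot: in the receive_encrypted_read() hunk, le32_to_cpu(tr_hdr->OriginalMessageSize) is decoded twice inside the new block and then again in the `len = le32_to_cpu(tr_hdr->OriginalMessageSize) - server->vals->read_rsp_size` subtraction the commit message quotes; decode it once into a local (`u32 orig_size = le32_to_cpu(tr_hdr->OriginalMessageSize);`) and use that for the comparison, the debug message and the subtraction, so the check and the arithmetic it guards visibly share one value. The condition itself is right: `<` rather than `<=` keeps a response carrying zero data bytes valid, and jumping to discard_data only after `server->total_read += rc` matches the draining behaviour the commit message describes. Separately, the commit message carries no Fixes: tag and no Cc: stable line, which a fix for an underflow a malicious server can trigger should have.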
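Added example, not code from the patch, the reply or the kernel tree: a stand-alone C program that reproduces the unsigned wrap the commit message describes for receive_encrypted_read() and puts the patch's explicit bound check beside the check_sub_overflow() form suggested in the reply. READ_RSP_SIZE (80) is an assumed placeholder for server->vals->read_rsp_size, the function names are invented for the example, the input values are constructed, and __builtin_sub_overflow() is the compiler builtin that the kernel's check_sub_overflow() macro wraps.

```c
/* Added example (not from the patch, the reply or the kernel tree).
 * Reproduces the unsigned wrap described for receive_encrypted_read()
 * and compares two guards: the patch's explicit bound check and the
 * check_sub_overflow() style from the reply. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed placeholder for server->vals->read_rsp_size (a size_t in the
 * kernel); the real value depends on the SMB dialect. */
#define READ_RSP_SIZE ((size_t)80)

/* Pre-patch arithmetic: the uint32_t header field is promoted to size_t,
 * the subtraction wraps when the field is smaller than READ_RSP_SIZE, and
 * truncating back to unsigned int leaves a length just under 4 GiB. */
static unsigned int len_unguarded(uint32_t original_message_size)
{
	return (unsigned int)(original_message_size - READ_RSP_SIZE);
}

/* Patch's guard: reject before subtracting. Returns false when the
 * server-supplied size cannot hold even the fixed read response; *len is
 * left untouched in that case. A value equal to READ_RSP_SIZE is accepted
 * (a read response carrying zero data bytes). */
static bool len_checked(uint32_t original_message_size, unsigned int *len)
{
	if (original_message_size < READ_RSP_SIZE)
		return false;
	*len = (unsigned int)(original_message_size - READ_RSP_SIZE);
	return true;
}

/* Reply's guard: subtraction and check in one step. The kernel's
 * check_sub_overflow() wraps __builtin_sub_overflow(), which computes the
 * exact mathematical difference and reports whether it fits in *len, so
 * the negative result from an undersized header is caught. Note that the
 * builtin still stores the wrapped bits in *len on overflow, so callers
 * must test the return value before using the length. */
static bool len_sub_overflow(uint32_t original_message_size, unsigned int *len)
{
	return !__builtin_sub_overflow(original_message_size, READ_RSP_SIZE, len);
}

int main(void)
{
	/* Constructed inputs: a hostile undersized header, the smallest
	 * valid header, and an ordinary 4 KiB read. */
	const uint32_t samples[] = { 16, 80, 4096 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int a = 0, b = 0;
		bool ok_a = len_checked(samples[i], &a);
		bool ok_b = len_sub_overflow(samples[i], &b);

		printf("OriginalMessageSize=%u unguarded=%u checked=%s(%u) sub_overflow=%s(%u)\n",
		       (unsigned)samples[i], len_unguarded(samples[i]),
		       ok_a ? "ok" : "reject", a, ok_b ? "ok" : "reject", b);
	}
	return 0;
}
```

The unguarded line shows the ~4 GiB value the commit message warns about for the 16-byte case, while both guards reject it and agree on 0 and 4016 for the two valid headers; the difference between them is only where the bound lives, in a separate comparison or folded into the subtraction.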