[{"id":3678946,"web_url":"http://patchwork.ozlabs.org/comment/3678946/","msgid":"<CAKYAXd-v03Tq_qjnDz-e3N8_S+rwxxnp5nucTriQ0DQLXHbRtg@mail.gmail.com>","list_archive_url":null,"date":"2026-04-18T06:27:11","subject":"Re: [PATCH v2] ksmbd: fix out-of-bounds write in smb2_get_ea() EA\n alignment","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"On Sat, Apr 18, 2026 at 4:33 AM Tristan Madani <tristmd@gmail.com> wrote:\n>\n> smb2_get_ea() applies 4-byte alignment padding via memset() after\n> writing each EA entry. The bounds check on buf_free_len is performed\n> before the value memcpy, but the alignment memset fires unconditionally\n> afterward with no check on remaining space.\n>\n> When the EA value exactly fills the remaining buffer (buf_free_len == 0\n> after value subtraction), the alignment memset writes 1-3 NUL bytes\n> past the buf_free_len boundary. In compound requests where the response\n> buffer is shared across commands, the first command (e.g., READ) can\n> consume most of the buffer, leaving a tight remainder for the QUERY_INFO\n> EA response. The alignment memset then overwrites past the physical\n> kvmalloc allocation into adjacent kernel heap memory.\n>\n> Add a bounds check before the alignment memset to ensure buf_free_len\n> can accommodate the padding bytes.\n>\n> This is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\n> potencial OOB in get_file_all_info() for compound requests\") and\n> commit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\n> requests\"), both of which added bounds checks before unconditional\n> writes in QUERY_INFO response handlers.\n>\n> Cc: stable@vger.kernel.org\n> Fixes: e2b76ab8b5c9 (\"ksmbd: add support for read compound\")\n> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>\nApplied it to #ksmbd-for-next-next.\nThanks!","headers":{"From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Sat, 18 Apr 2026 15:27:11 +0900","Subject":"Re: [PATCH v2] ksmbd: fix out-of-bounds write in smb2_get_ea() EA\n alignment","To":"Tristan Madani <tristmd@gmail.com>","Cc":"Steve French <smfrench@gmail.com>,\n Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>, linux-cifs@vger.kernel.org,\n stable@vger.kernel.org,\n\tTristan Madani <tristan@talencesecurity.com>","Message-ID":"\n <CAKYAXd-v03Tq_qjnDz-e3N8_S+rwxxnp5nucTriQ0DQLXHbRtg@mail.gmail.com>","In-Reply-To":"<20260417193317.315698-1-tristan@talencesecurity.com>","References":"<20260417192036.268452-1-tristan@talencesecurity.com>\n <20260417193317.315698-1-tristan@talencesecurity.com>","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","Content-Type":"text/plain; charset=\"UTF-8\""}}]