[{"id":3685260,"web_url":"http://patchwork.ozlabs.org/comment/3685260/","msgid":"<2026050208-selection-blog-ff4e@gregkh>","list_archive_url":null,"date":"2026-05-02T08:45:32","subject":"Re: [PATCH 1/2] smb/client: fix out-of-bounds read in\n smb2_compound_op()","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/people/11800/","name":"Greg KH","email":"gregkh@linuxfoundation.org"},"content":"On Sat, May 02, 2026 at 04:34:21PM +0800, Zisen Ye wrote:\n> If a server sends a truncated response but a large OutputBufferLength, and\n> terminates the EA list early, check_wsl_eas() returns success without\n> validating that the entire OutputBufferLength fits within iov_len.\n> \n> Then smb2_compound_op() does:\n>     memcpy(idata->wsl.eas, data[0], size[0]);\n> \n> Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],\n> memcpy can read beyond the end of the rsp_iov allocation and leak adjacent\n> kernel heap memory.\n> \n> Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/\n> Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>\n> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>\n> ---\n>  fs/smb/client/smb2inode.c | 3 +++\n>  1 file changed, 3 insertions(+)\n\nNo Fixes: tag?  No cc: stable?  
Do you not want this backported\nanywhere?\n\nthanks,\n\ngreg k-h","headers":{"Date":"Sat, 2 May 2026 10:45:32 +0200","From":"Greg KH <gregkh@linuxfoundation.org>","To":"Zisen Ye <zisenye@stu.xidian.edu.cn>","Cc":"smfrench@gmail.com, linkinjeon@kernel.org, pc@manguebit.org,\n\tronniesahlberg@gmail.com, sprasad@microsoft.com, tom@talpey.com,\n\tbharathsm@microsoft.com, senozhatsky@chromium.org,\n\tdhowells@redhat.com, chenxiaosong@chenxiaosong.com,\n\tlinux-cifs@vger.kernel.org, ChenXiaoSong <chenxiaosong@kylinos.cn>","Subject":"Re: [PATCH 1/2] smb/client: fix out-of-bounds read in\n smb2_compound_op()","Message-ID":"<2026050208-selection-blog-ff4e@gregkh>","References":"<20260502083422.2955909-1-zisenye@stu.xidian.edu.cn>\n <20260502083422.2955909-2-zisenye@stu.xidian.edu.cn>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260502083422.2955909-2-zisenye@stu.xidian.edu.cn>"}}]