[{"id":3685295,"web_url":"http://patchwork.ozlabs.org/comment/3685295/","msgid":"<CAH2r5mvEG=zFV5r6bFLDiCj4NqaDgP0j8Aonx4EqSpG8Tp6kKQ@mail.gmail.com>","list_archive_url":null,"date":"2026-05-02T13:26:49","subject":"Re: [PATCH v2 1/2] smb/client: fix out-of-bounds read in\n smb2_compound_op()","submitter":{"id":510,"url":"http://patchwork.ozlabs.org/api/people/510/","name":"Steve French","email":"smfrench@gmail.com"},"content":"This patch generates a build warning, can you send a v3\n\n  CC [M]  smb2inode.o\nsmb2inode.c: In function ‘check_wsl_eas’:\nsmb2inode.c:124:25: warning: comparison of distinct pointer types\nlacks a cast [-Wcompare-distinct-pointer-types]\n  124 |         if (ea + outlen > end)\n      |                         ^\n  CHECK   smb2inode.c\nsmb2inode.c:124:25: error: incompatible types in comparison expression\n(different base types):\nsmb2inode.c:124:25:    struct smb2_file_full_ea_info *\nsmb2inode.c:124:25:    unsigned char [usertype] *\n\nOn Sat, May 2, 2026 at 5:47 AM <jasonye247@163.com> wrote:\n>\n> From: Zisen Ye <zisenye@stu.xidian.edu.cn>\n>\n> If a server sends a truncated response but a large OutputBufferLength, and\n> terminates the EA list early, check_wsl_eas() returns success without\n> validating that the entire OutputBufferLength fits within iov_len.\n>\n> Then smb2_compound_op() does:\n>     memcpy(idata->wsl.eas, data[0], size[0]);\n>\n> Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],\n> memcpy can read beyond the end of the rsp_iov allocation and leak adjacent\n> kernel heap memory.\n>\n> Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/\n> Fixes: ea41367b2a60 (\"smb: client: introduce SMB2_OP_QUERY_WSL_EA\")\n> Cc: Stable@vger.kernel.org\n> Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>\n> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>\n> ---\n>  fs/smb/client/smb2inode.c | 3 +++\n>  1 file changed, 3 insertions(+)\n>\n> 
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c\n> index 286912616c73..a192d70cd29e 100644\n> --- a/fs/smb/client/smb2inode.c\n> +++ b/fs/smb/client/smb2inode.c\n> 
@@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n>         ea = (void *)((u8 *)rsp_iov->iov_base +\n>                       le16_to_cpu(rsp->OutputBufferOffset));\n>         end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;\n> +       if (ea + outlen > end)\n> +               return -EINVAL;\n> +\n>         for (;;) {\n>                 if ((u8 *)ea > end - sizeof(*ea))\n>                         return -EINVAL;\n> --\n> 2.53.0\n>\n>","headers":{"Return-Path":"\n <linux-cifs+bounces-11357-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=pK7XQj0o;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11357-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"pK7XQj0o\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=209.85.219.50","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g77x90qBGz1yJ0\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 02 May 2026 23:27:09 +1000 (AEST)","from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 9C378300EAAB\n\tfor <incoming@patchwork.ozlabs.org>; Sat,  2 May 2026 13:27:04 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 54C4C247DE1;\n\tSat,  2 May 2026 13:27:04 +0000 (UTC)","from mail-qv1-f50.google.com (mail-qv1-f50.google.com\n [209.85.219.50])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 988442D7BF\n\tfor <linux-cifs@vger.kernel.org>; Sat,  2 May 2026 13:27:01 +0000 (UTC)","by mail-qv1-f50.google.com with SMTP id\n 6a1803df08f44-8b45dff1eebso24349976d6.2\n        for <linux-cifs@vger.kernel.org>;\n Sat, 02 May 2026 06:27:01 -0700 (PDT)"],"ARC-Authentication-Results":["i=2; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=pK7XQj0o; arc=pass smtp.client-ip=209.85.219.50","i=1; mx.google.com; arc=none"],"X-Received":"by 2002:a05:6214:e45:b0:89c:5f6e:451a with SMTP id\n 6a1803df08f44-8b6667ee116mr55192506d6.21.1777728420510; Sat, 02 May 2026\n 06:27:00 -0700 
(PDT)","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260502095435.2969835-1-zisenye@stu.xidian.edu.cn>\n <20260502104436.2978678-1-jasonye247@163.com>","In-Reply-To":"<20260502104436.2978678-1-jasonye247@163.com>","From":"Steve French <smfrench@gmail.com>","Date":"Sat, 2 May 2026 08:26:49 -0500","X-Gm-Features":"AVHnY4JCm6Q3MxWZymRf8uWukt1vQnZmtxcBPNotbvr1eoqDne7c192vEX0LPHY","Message-ID":"\n <CAH2r5mvEG=zFV5r6bFLDiCj4NqaDgP0j8Aonx4EqSpG8Tp6kKQ@mail.gmail.com>","Subject":"Re: [PATCH v2 1/2] smb/client: fix out-of-bounds read in\n smb2_compound_op()","To":"jasonye247@163.com","Cc":"linkinjeon@kernel.org, pc@manguebit.org, ronniesahlberg@gmail.com,\n\tsprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com,\n\tsenozhatsky@chromium.org, dhowells@redhat.com, chenxiaosong@chenxiaosong.com,\n\tgregkh@linuxfoundation.org, linux-cifs@vger.kernel.org,\n\tZisen Ye <zisenye@stu.xidian.edu.cn>, Stable@vger.kernel.org,\n\tChenXiaoSong <chenxiaosong@kylinos.cn>","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]
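Review bot: The added test "if (ea + outlen > end)" in check_wsl_eas() compares a struct smb2_file_full_ea_info pointer with the u8 pointer "end", which is the mismatch the compiler warning and the sparse error quoted in the reply report at smb2inode.c:124. Because "ea" is a struct pointer, "ea + outlen" also advances in units of sizeof(*ea) rather than in bytes, so the limit being tested is not the byte length the commit message talks about. The loop test in the same hunk already casts before comparing, "(u8 *)ea > end - sizeof(*ea)"; doing the same here, "if ((u8 *)ea + outlen > end)", gives byte arithmetic and matching types. A short comment on the new check saying that it covers the length later passed to memcpy() in smb2_compound_op() would make the intent clear to the next reader.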