[{"id":3685386,"web_url":"http://patchwork.ozlabs.org/comment/3685386/","msgid":"<CAH2r5mu=Bv153P3KTws98MG=tC7NLvyb3sds8989pYihLq2tAw@mail.gmail.com>","list_archive_url":null,"date":"2026-05-03T14:36:40","subject":"Re: [PATCH v3 1/1] smb/client: fix out-of-bounds read in\n smb2_compound_op()","submitter":{"id":510,"url":"http://patchwork.ozlabs.org/api/people/510/","name":"Steve French","email":"smfrench@gmail.com"},"content":"merged into cifs-2.6.git for-next pending review and testing\n\nOn Sun, May 3, 2026 at 9:17 AM <zisenye@stu.xidian.edu.cn> wrote:\n>\n> From: Zisen Ye <zisenye@stu.xidian.edu.cn>\n>\n> If a server sends a truncated response but a large OutputBufferLength, and\n> terminates the EA list early, check_wsl_eas() returns success without\n> validating that the entire OutputBufferLength fits within iov_len.\n>\n> Then smb2_compound_op() does:\n>     memcpy(idata->wsl.eas, data[0], size[0]);\n>\n> Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],\n> memcpy can read beyond the end of the rsp_iov allocation and leak adjacent\n> kernel heap memory.\n>\n> Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/\n> Fixes: ea41367b2a60 (\"smb: client: introduce SMB2_OP_QUERY_WSL_EA\")\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>\n> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>\n> ---\n>  fs/smb/client/smb2inode.c | 3 +++\n>  1 file changed, 3 insertions(+)\n>\n> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c\n> index 286912616c73..28e01d02be03 100644\n> --- a/fs/smb/client/smb2inode.c\n> +++ b/fs/smb/client/smb2inode.c\n> 
@@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)\n>         ea = (void *)((u8 *)rsp_iov->iov_base +\n>                       le16_to_cpu(rsp->OutputBufferOffset));\n>         end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;\n> +       if ((u8 *)ea + outlen > end)\n> +               return -EINVAL;\n> +\n>         for (;;) {\n>                 if ((u8 *)ea > end - sizeof(*ea))\n>                         return -EINVAL;\n> --\n> 2.53.0\n>","headers":{"Return-Path":"\n <linux-cifs+bounces-11377-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=l9iSFd19;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11377-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"l9iSFd19\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=209.85.219.47","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g7nRH2RRwz1yJV\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 04 May 2026 00:36:59 +1000 (AEST)","from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 6CA6030088AC\n\tfor <incoming@patchwork.ozlabs.org>; Sun,  3 May 2026 14:36:56 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 372DF242D7F;\n\tSun,  3 May 2026 14:36:56 +0000 (UTC)","from mail-qv1-f47.google.com (mail-qv1-f47.google.com\n [209.85.219.47])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B5C51531C8\n\tfor <linux-cifs@vger.kernel.org>; Sun,  3 May 2026 14:36:53 +0000 (UTC)","by mail-qv1-f47.google.com with SMTP id\n 6a1803df08f44-8b3d6b215cfso55574496d6.3\n        for <linux-cifs@vger.kernel.org>;\n Sun, 03 May 2026 07:36:53 -0700 (PDT)"],"Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260503134333.3260640-1-zisenye@stu.xidian.edu.cn>\n <20260503141713.3266571-1-zisenye@stu.xidian.edu.cn>","In-Reply-To":"<20260503141713.3266571-1-zisenye@stu.xidian.edu.cn>","From":"Steve French <smfrench@gmail.com>","Date":"Sun, 3 May 2026 09:36:40 -0500","Message-ID":"\n <CAH2r5mu=Bv153P3KTws98MG=tC7NLvyb3sds8989pYihLq2tAw@mail.gmail.com>","Subject":"Re: [PATCH v3 1/1] smb/client: fix out-of-bounds read in\n smb2_compound_op()","To":"zisenye@stu.xidian.edu.cn","Cc":"linkinjeon@kernel.org, pc@manguebit.org, ronniesahlberg@gmail.com,\n\tsprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com,\n\tsenozhatsky@chromium.org, dhowells@redhat.com, gregkh@linuxfoundation.org,\n\tchenxiaosong@chenxiaosong.com, stable@vger.kernel.org,\n\tlinux-cifs@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]
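Review bot: In check_wsl_eas(), the new test `(u8 *)ea + outlen > end` adds a server-supplied length to a pointer before comparing, and ea is itself derived from the server-supplied OutputBufferOffset with no check against end shown ahead of it in this hunk. If outlen can hold a full 32-bit value, the sum can wrap on 32-bit builds and pass the comparison, so the subtraction form that the loop just below already uses (`(u8 *)ea > end - sizeof(*ea)`) is the safer shape: reject when `(u8 *)ea > end`, then reject when `outlen > end - (u8 *)ea`. A one-line comment saying that this bound is what keeps the later memcpy() of size[0] bytes in smb2_compound_op() inside rsp_iov would also help, since the copy it protects lives in a different function.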