From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Namjae Jeon <linkinjeon@kernel.org>,
	Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.15 03/28] ksmbd: replace one-element array with flex-array member in struct smb2_ea_info
Date: Mon,  4 Sep 2023 19:30:34 +0100
Message-ID: <20230904182945.344449804@linuxfoundation.org>
In-Reply-To: <20230904182945.178705038@linuxfoundation.org>

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <linkinjeon@kernel.org>

commit 0ba5439d9afa2722e7728df56f272c89987540a4 upstream.

UBSAN complains about out-of-bounds array indexes on 1-element arrays in
struct smb2_ea_info.

UBSAN: array-index-out-of-bounds in fs/smb/server/smb2pdu.c:4335:15
index 1 is out of range for type 'char [1]'
CPU: 1 PID: 354 Comm: kworker/1:4 Not tainted 6.5.0-rc4 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 07/22/2020
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
Call Trace:
 <TASK>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
 dump_stack+0x10/0x20 linux/lib/dump_stack.c:113
 ubsan_epilogue linux/lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xc6/0x110 linux/lib/ubsan.c:348
 smb2_get_ea linux/fs/smb/server/smb2pdu.c:4335
 smb2_get_info_file linux/fs/smb/server/smb2pdu.c:4900
 smb2_query_info+0x63ae/0x6b20 linux/fs/smb/server/smb2pdu.c:5275
 __process_request linux/fs/smb/server/server.c:145
 __handle_ksmbd_work linux/fs/smb/server/server.c:213
 handle_ksmbd_work+0x348/0x10b0 linux/fs/smb/server/server.c:266
 process_one_work+0x85a/0x1500 linux/kernel/workqueue.c:2597
 worker_thread+0xf3/0x13a0 linux/kernel/workqueue.c:2748
 kthread+0x2b7/0x390 linux/kernel/kthread.c:389
 ret_from_fork+0x44/0x90 linux/arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x1b/0x30 linux/arch/x86/entry/entry_64.S:304
 </TASK>

Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |    2 +-
 fs/ksmbd/smb2pdu.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4289,7 +4289,7 @@ static int smb2_get_ea(struct ksmbd_work
 		if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
 			name_len -= XATTR_USER_PREFIX_LEN;
 
-		ptr = (char *)(&eainfo->name + name_len + 1);
+		ptr = eainfo->name + name_len + 1;
 		buf_free_len -= (offsetof(struct smb2_ea_info, name) +
 				name_len + 1);
 		/* bailout if xattr can't fit in buf_free_len */
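Review bot: the new `ptr = eainfo->name + name_len + 1;` yields the same address as the old `(char *)(&eainfo->name + name_len + 1)` only because `name` was declared `char [1]`, so arithmetic on `&eainfo->name` happened to step in one-byte units; once `name` becomes a flexible array (the smb2pdu.h half of this patch), `&eainfo->name` has an incomplete array type and that arithmetic would no longer compile, so the two hunks must be applied together. The `buf_free_len -= (offsetof(struct smb2_ea_info, name) + name_len + 1);` accounting on the following lines is unaffected by the type change because it uses `offsetof` rather than `sizeof`; keep it that way in the backport.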
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1567,7 +1567,7 @@ struct smb2_ea_info {
 	__u8   Flags;
 	__u8   EaNameLength;
 	__le16 EaValueLength;
-	char name[1];
+	char name[];
 	/* optionally followed by value */
 } __packed; /* level 15 Query */
 
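Review bot: turning `char name[1]` into `char name[]` shrinks `sizeof(struct smb2_ea_info)` by one byte, since a flexible array member contributes no storage, so any 5.15 caller that sizes the fixed header with `sizeof(struct smb2_ea_info)` instead of `offsetof(struct smb2_ea_info, name)` would now under-count by one; the smb2pdu.c hunk in this patch uses `offsetof`, but the tree should be checked for other `sizeof(struct smb2_ea_info)` uses before this lands. The member stays last in the struct, so `__packed` and the "optionally followed by value" layout comment remain accurate.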