From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3850BFBE1 for ; Sat, 18 Jul 2026 00:21:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784334092; cv=none; b=qoM18zefBDGAjLQweQHfeRjjlCPZIha3CXKg9JepGMwDI2DD+FBsgT02wX/FiTOtJ9Cb6autgMRKskJ0ATFLQ2+ZZEuoLQGffw/Kd2X9VTnCyQdNtStBX9XOziOVeWlwvVUQloyRtCqrXsHDxD4f+H+LZtL/vCg+XlVP/8U6hkw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784334092; c=relaxed/simple; bh=2hTqbl2nmK3iQi785rYhFhyc/sNiduJ1yowKNrGBJ0I=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ZQ0t+YJvWr7ciJfAAjlFL/jBpxsSWwLYj+IMHLDWyhKGlLWMg4RC9O/AmZjH4PJ/6wN+W2760H/vFAujOgptekGScV8E+Cu/rjM+7Ev8WfWwqmtF/lDcmaFw3KSPkcREim+j4QBzATCA6wptZwXUxf+tiw9/kvbCnjRuhxVnonE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=artiphishell.com; spf=pass smtp.mailfrom=artiphishell.com; dkim=pass (2048-bit key) header.d=artiphishell.com header.i=@artiphishell.com header.b=aBkl6MhL; arc=none smtp.client-ip=209.85.216.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=artiphishell.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=artiphishell.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=artiphishell.com header.i=@artiphishell.com header.b="aBkl6MhL" Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-38dfe7eb825so4173964a91.0 for ; Fri, 17 Jul 2026 17:21:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=artiphishell.com; s=google; t=1784334090; x=1784938890; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=8uLK8YR1msEi6equJYkUjd7anLC80xXw6SAB94F6up4=; b=aBkl6MhLHgZ7Wj/r1r5wGQXFRYW5D/728f+QjaLSljFV77okndCT2zkG7LDkxgp4hu wz1brSs/1VDJBugcUMLsK9vEM4ai24C1GVpvpO+huCGrPhcfGmbFbeq/tGseBSiE2hK1 Qw3iaPPSjRbD7n+yeY3SpQLI3QhEOVQW1IVKBZwOC/bkI9SyNND8N9PPRjxPruf7gqER usA88hK6G5yzM/jNJmnU3h8bXovRUdzW4OSMlT0dGdbGL7ilI/JnBf4rAJ7zG47InBzw de7ktNvzuZPMDi4qeC5oSUv3dP8IpknwNEUhnPxQd5FfPI5FIPy18z2D5LrQEd9Fzz8p suYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784334090; x=1784938890; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=8uLK8YR1msEi6equJYkUjd7anLC80xXw6SAB94F6up4=; b=J5Bo5Qn+DQG3IwIWiSOP8nPJXXlFJmCSigSjqqkOcTQtQ1mfDK9FO2bLISZrenVkap ujYPzOi9vnatHLPjol4lpQyce3cp9VGPCl+WkyH/GBtjSywe50OIxbAMbugLBeTnyPuH hafUxD6Qffj/U35qzaypGh908/+FKWOdkQS3KyxjTGpxY58ZCvQwrmyHqgi22+fzMuEk jH08UApG0kheP4Fkeop9xtvHDSDX1fLYSDJbe3WqFH6VLceKFMrMfikwn4zMIFWW+Q9I 5i4caFksi3W+QZrVNPR+DGU9QLr7UBf3usXi9Oo6lGiGZawmHtzO/Towzpq419NwSB8e BzLg== X-Forwarded-Encrypted: i=1; AHgh+RqqwbsZi5o25kIPYjKaQQjJYD+f+rmSOQs59FpibMgu4ROWxYbTNs4qC2hfs9yd3pfc5kSlm9jwLpg1wOs=@vger.kernel.org X-Gm-Message-State: AOJu0YwTKWuW37pJbPlQaHZph5wLTqKR+EzfLac7u4mgYNa7GYrE2bBO lIqfNY4rUgF85Eig7AVdbUKAJ/QROqGeHAu+cp3qIb+jjNfa2KCk0hD5Dg7iGjCer/eW X-Gm-Gg: AfdE7claMFqC3B+g6wgdbDLEsolXZYpFbh5ViYGl7D4lyEaR1YbW8AWFJmLW+du8CqY Rz6A6eHWrAmWyFswNfKjPrlChfrzYfMtsWHvcukHLICnm0iEkk2yMEI7h5wu8ksXzEvYjm9Nl19 zGtktTpMrGstgcKJzqWlwKJzB94QcNgYwtOeQxhYf2foWUvH+Oq/zl8UXnnGfZfqeEb9DtgJTVy /tHStAAZ+SeSop05dgrHIg/tosPHvWrtlc4UVeSu8kCono6UKRoQvF2YycchZfaXcICYs+6QxyV 07vTqDuPPtqy0+aTcbGuEQi/WYGFzeXaIygfTA5zqnez+swA7wM9ApcHseXvOU3YExkvGvN/IWp KyjWevce82hUopdWgDSBoShvynseQlTcJ/3/QtBQGZ+O5xJSYpsUjv/7JLPPFpK4WBPX7DinbKb nGXlCO X-Received: by 2002:a17:90b:55d0:b0:37f:9ce1:735a with SMTP id 98e67ed59e1d1-38e4b505f8amr5083639a91.27.1784334090406; Fri, 17 Jul 2026 17:21:30 -0700 (PDT) Received: from nixos ([2001:579:62a8:47:d0f5:3653:252e:1041]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-31429fdbd45sm10840068eec.12.2026.07.17.17.21.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jul 2026 17:21:30 -0700 (PDT) From: Jay Vadayath To: Steve French Cc: Paulo Alcantara , Ronnie Sahlberg , Shyam Prasad N , Tom Talpey , Bharath SM , linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, Jay Vadayath Subject: [PATCH] smb: client: bound dirent name against end of SMB response in cifs_filldir Date: Fri, 17 Jul 2026 17:21:22 -0700 Message-ID: <20260718002124.90753-1-jay@artiphishell.com> X-Mailer: git-send-email 2.51.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit cifs_filldir() copies the entry name out of an SMB1 TRANS2_FIND_FIRST / FIND_NEXT response using a length (de.namelen) supplied by the server. The kmalloc'd SMB response buffer is bounded, but nothing checks that de.name + de.namelen still lies inside that buffer before the eventual filldir64() -> verify_dirent_name() -> memchr() reads namelen bytes. A hostile SMB1 server that returns an oversized FileNameLength in a directory entry therefore causes memchr() to read past the end of the response slab buffer. Reachable from any user who can list a directory on a CIFS mount served by an attacker-controlled server (getdents64() on the mounted directory): BUG: KASAN: slab-out-of-bounds in memchr+0x71/0x80 Read of size 1 at addr ffff88800e0640cc by task poc/115 Call Trace: dump_stack_lvl+0x64/0x80 print_report+0xce/0x620 kasan_report+0xec/0x120 memchr+0x71/0x80 filldir64+0x4c/0x6a0 cifs_filldir.constprop.0+0x9bb/0x1e00 cifs_readdir+0x2101/0x3380 iterate_dir+0x19c/0x520 __x64_sys_getdents64+0x126/0x210 do_syscall_64+0x107/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Pass the end-of-response pointer down to cifs_filldir() and reject entries whose name would extend past that boundary. This bug was discovered by Artiphishell's vTriage pipeline, which generated a userspace reproducer (an emulated hostile SMB1 server plus a getdents64() client) that reliably triggers the KASAN report on an unpatched kernel. The fix below was drafted with the Claude coding assistant; a userspace reproducer is available on request. Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Jay Vadayath --- fs/smb/client/readdir.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/fs/smb/client/readdir.c +++ b/fs/smb/client/readdir.c @@ -952,7 +952,7 @@ static int cifs_filldir(char *find_entry, struct file *file, struct dir_context *ctx, char *scratch_buf, unsigned int max_len, - struct cached_fid *cfid) + char *end_of_smb, struct cached_fid *cfid) { struct cifsFileInfo *file_info = file->private_data; struct super_block *sb = file_inode(file)->i_sb; @@ -973,6 +973,11 @@ de.namelen); return -EINVAL; } + + if (de.name + de.namelen > end_of_smb) { + cifs_dbg(VFS, "search entry name extends past end of SMB\n"); + return -EINVAL; + } /* skip . and .. since we added them first */ if (cifs_entry_is_dot(&de, file_info->srch_inf.unicode)) @@ -1194,7 +1194,7 @@ */ *tmp_buf = 0; rc = cifs_filldir(current_entry, file, ctx, - tmp_buf, max_len, cfid); + tmp_buf, max_len, end_of_smb, cfid); if (rc) { if (rc > 0) rc = 0;