From: Salvatore Bonaccorso <carnil@debian.org>
To: ZhaoLong Wang <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org,
	sfrench@samba.org, kovalev@altlinux.org, "Mohamed Abuelfotoh,
	Hazem" <abuehaze@amazon.com>,
	Darren Kenny <darren.kenny@oracle.com>,
	Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Subject: Re: [PATCH 5.10 0/1] cifs: Fix stack-out-of-bounds in smb2_set_next_command()
Date: Wed, 7 Feb 2024 16:11:24 +0100
Message-ID: <ZcOdnBHA0OIB956t@eldamar.lan>
In-Reply-To: <20240207115251.2209871-1-wangzhaolong1@huawei.com>

Hi,

On Wed, Feb 07, 2024 at 07:52:50PM +0800, ZhaoLong Wang wrote:
> Hello,
> 
> I am sending this patch for inclusion in the stable tree, as it fixes
> a critical stack-out-of-bounds bug in the cifs module related to the
> `smb2_set_next_command()` function.
> 
> Problem Summary:
> A problem was observed in the `statfs` system call for cifs, where it
> failed with a "Resource temporarily unavailable" message. Further
> investigation with KASAN revealed a stack-out-of-bounds error. The
> root cause was a miscalculation of the size of the `smb2_query_info_req`
> structure in the `SMB2_query_info_init()` function.
> 
> This situation arose due to a dependency on a prior commit
> (`eb3e28c1e89b`) that replaced a 1-element array with a flexible
> array member in the `smb2_query_info_req` structure. This commit was
> not backported to the 5.10.y and 5.15.y stable branches, leading to an
> incorrect size calculation after the backport of commit `33eae65c6f49`.
> 
> Fix Details:
> The patch corrects the size calculation to ensure the correct length
> is used when initializing the `smb2_query_info_req` structure. It has
> been tested and confirmed to resolve the issue without introducing
> any regressions.
> 
> Maybe the prior commit eb3e28c1e89b ("smb3: Replace smb2pdu 1-element
> arrays with flex-arrays") should be backported to solve this problem
> directly. The patch does not seem to conflict.

It looks like there are several people working on the very same problem,
adding patches right now on top.

See as well https://lore.kernel.org/stable/c4c2f990-20cf-4126-95bd-d14c58e85042@oracle.com/

But this is already being worked on, and the proper solution is to only
have the eb3e28c1e89b backport included?

See as well
https://lore.kernel.org/regressions/Zb5eL-AKcZpmvYSl@eldamar.lan/ and
following.

And this needs to be done consistently for the 5.10.y and 5.15.y
series.

Regards,
Salvatore
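The size-convention mismatch the quoted report describes, shown with constructed stand-in structures. This is an added example, not code from the report or from the kernel; the struct names and fields are hypothetical and only mimic the "1-element array" versus "flexible array member" layouts, so the numbers below apply to these stand-ins, not to the real smb2_query_info_req.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for an SMB2 request header followed by a variable
 * payload; not the kernel's smb2_query_info_req. Packed, as in smb2pdu.h. */
struct req_one_elem {              /* layout before the flex-array conversion */
    uint16_t struct_size;
    uint32_t input_len;
    uint8_t  buffer[1];            /* placeholder for the first payload byte */
} __attribute__((packed));

struct req_flex {                  /* layout after the conversion */
    uint16_t struct_size;
    uint32_t input_len;
    uint8_t  buffer[];             /* payload starts here, no placeholder */
} __attribute__((packed));

/* Where the payload really begins in each layout (6 for both stand-ins). */
size_t payload_offset_one_elem(void) { return offsetof(struct req_one_elem, buffer); }
size_t payload_offset_flex(void)     { return offsetof(struct req_flex, buffer); }

/* The two header-length conventions: "sizeof - 1" belongs with a 1-element
 * array, plain "sizeof" belongs with a flexible array member. */
size_t header_len_one_elem_rule(size_t struct_sz) { return struct_sz - 1; }
size_t header_len_flex_rule(size_t struct_sz)     { return struct_sz; }

/* Computed header length minus the true payload offset: 0 is consistent,
 * >0 over-counts (a later consumer walks past the bytes actually written),
 * <0 under-counts (the payload is placed on top of the header's last byte). */
long header_len_delta(size_t computed, size_t actual_offset)
{
    return (long)computed - (long)actual_offset;
}

/* Convention matches layout: both deltas are 0. */
long delta_one_elem_correct(void) { return header_len_delta(header_len_one_elem_rule(sizeof(struct req_one_elem)), payload_offset_one_elem()); }
long delta_flex_correct(void)     { return header_len_delta(header_len_flex_rule(sizeof(struct req_flex)), payload_offset_flex()); }

/* The backport hazard from the report: a flex-array-era calculation compiled
 * against a branch whose struct still carries the 1-element array (delta 1),
 * and the reverse mix-up (delta -1). Either way the length is off by one. */
long delta_flex_rule_on_one_elem(void) { return header_len_delta(header_len_flex_rule(sizeof(struct req_one_elem)), payload_offset_one_elem()); }
long delta_one_elem_rule_on_flex(void) { return header_len_delta(header_len_one_elem_rule(sizeof(struct req_flex)), payload_offset_flex()); }
```

A stable backport that touches a length calculation can be checked the same way: compare the computed header length against offsetof() of the trailing array on the branch being targeted, not on mainline.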
