[PATCH] smb/client: fix unaligned reads in wsl_to

Linux CIFS filesystem development
 help / color / mirror / Atom feed

* [PATCH] smb/client: fix unaligned reads in wsl_to_fattr()
@ 2026-04-23  5:59 Youling Tang
  2026-04-24 21:41 ` Steve French
  0 siblings, 1 reply; 3+ messages in thread
From: Youling Tang @ 2026-04-23  5:59 UTC (permalink / raw)
  To: smfrench, linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
	senozhatsky, dhowells, chenxiaosong, gregkh
  Cc: linux-cifs, youling.tang, Youling Tang, ChenXiaoSong

From: Youling Tang <tangyouling@kylinos.cn>

See MS-FSCC 2.4.16. When multiple FILE_FULL_EA_INFORMATION data elements
are present in the buffer, each MUST be aligned on a 4-byte boundary.

When parsing WSL extended attributes, the code derives the value pointer
at an offset of 7 (SMB2_WSL_XATTR_NAME_LEN + 1) from ea_data, the value
sits at an unaligned offset.

We should use get_unaligned_le32() or get_unaligned_le64() to get
unaligned values.

Link: https://lore.kernel.org/linux-cifs/77013349-ff89-4593-985d-520d967d2638@chenxiaosong.com/
Signed-off-by: Youling Tang <tangyouling@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
---
 fs/smb/client/reparse.c | 6 +++---
 fs/smb/client/reparse.h | 6 +++---
 fs/smb/client/smb2pdu.h | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index cd1e1eaee67a..eebce954c5ce 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -1160,7 +1160,7 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
 
 		name = ea->ea_data;
 		nlen = ea->ea_name_length;
-		v = (void *)((u8 *)ea->ea_data + ea->ea_name_length + 1);
+		v = (void *)((u8 *)name + nlen + 1);
 
 		if (!strncmp(name, SMB2_WSL_XATTR_UID, nlen))
 			fattr->cf_uid = wsl_make_kuid(cifs_sb, v);
@@ -1168,9 +1168,9 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
 			fattr->cf_gid = wsl_make_kgid(cifs_sb, v);
 		else if (!strncmp(name, SMB2_WSL_XATTR_MODE, nlen)) {
 			/* File type in reparse point tag and in xattr mode must match. */
-			if (S_DT(fattr->cf_mode) != S_DT(le32_to_cpu(*(__le32 *)v)))
+			if (S_DT(fattr->cf_mode) != S_DT(get_unaligned_le32(v)))
 				return false;
-			fattr->cf_mode = (umode_t)le32_to_cpu(*(__le32 *)v);
+			fattr->cf_mode = (umode_t)get_unaligned_le32(v);
 		} else if (!strncmp(name, SMB2_WSL_XATTR_DEV, nlen)) {
 			fattr->cf_rdev = reparse_mkdev(v);
 			have_xattr_dev = true;
diff --git a/fs/smb/client/reparse.h b/fs/smb/client/reparse.h
index 0164dc47bdfd..653213a6b7e8 100644
--- a/fs/smb/client/reparse.h
+++ b/fs/smb/client/reparse.h
@@ -23,7 +23,7 @@
 
 static inline dev_t reparse_mkdev(void *ptr)
 {
-	u64 v = le64_to_cpu(*(__le64 *)ptr);
+	u64 v = get_unaligned_le64(ptr);
 
 	return MKDEV(v & 0xffffffff, v >> 32);
 }
@@ -31,7 +31,7 @@ static inline dev_t reparse_mkdev(void *ptr)
 static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
 				   void *ptr)
 {
-	u32 uid = le32_to_cpu(*(__le32 *)ptr);
+	u32 uid = get_unaligned_le32(ptr);
 
 	if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_UID)
 		return cifs_sb->ctx->linux_uid;
@@ -41,7 +41,7 @@ static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
 static inline kgid_t wsl_make_kgid(struct cifs_sb_info *cifs_sb,
 				   void *ptr)
 {
-	u32 gid = le32_to_cpu(*(__le32 *)ptr);
+	u32 gid = get_unaligned_le32(ptr);
 
 	if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_GID)
 		return cifs_sb->ctx->linux_gid;
diff --git a/fs/smb/client/smb2pdu.h b/fs/smb/client/smb2pdu.h
index 30d70097fe2f..6744606dab6c 100644
--- a/fs/smb/client/smb2pdu.h
+++ b/fs/smb/client/smb2pdu.h
@@ -211,6 +211,7 @@ struct compress_ioctl {
  *	BB consider moving to a different header
  */
 
+/* See MS-FSCC 2.4.16 */
 struct smb2_file_full_ea_info { /* encoding of response for level 15 */
 	__le32 next_entry_offset;
 	__u8   flags;
-- 
2.53.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] smb/client: fix unaligned reads in wsl_to_fattr()
  2026-04-23  5:59 [PATCH] smb/client: fix unaligned reads in wsl_to_fattr() Youling Tang
@ 2026-04-24 21:41 ` Steve French
  2026-04-25 23:01   ` ChenXiaoSong
  0 siblings, 1 reply; 3+ messages in thread
From: Steve French @ 2026-04-24 21:41 UTC (permalink / raw)
  To: Youling Tang
  Cc: linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
	senozhatsky, dhowells, chenxiaosong, gregkh, linux-cifs,
	Youling Tang, ChenXiaoSong

Were you able to reproduce this bug with a test?

On Thu, Apr 23, 2026 at 1:00 AM Youling Tang <youling.tang@linux.dev> wrote:
>
> From: Youling Tang <tangyouling@kylinos.cn>
>
> See MS-FSCC 2.4.16. When multiple FILE_FULL_EA_INFORMATION data elements
> are present in the buffer, each MUST be aligned on a 4-byte boundary.
>
> When parsing WSL extended attributes, the code derives the value pointer
> at an offset of 7 (SMB2_WSL_XATTR_NAME_LEN + 1) from ea_data, the value
> sits at an unaligned offset.
>
> We should use get_unaligned_le32() or get_unaligned_le64() to get
> unaligned values.
>
> Link: https://lore.kernel.org/linux-cifs/77013349-ff89-4593-985d-520d967d2638@chenxiaosong.com/
> Signed-off-by: Youling Tang <tangyouling@kylinos.cn>
> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
> ---
>  fs/smb/client/reparse.c | 6 +++---
>  fs/smb/client/reparse.h | 6 +++---
>  fs/smb/client/smb2pdu.h | 1 +
>  3 files changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
> index cd1e1eaee67a..eebce954c5ce 100644
> --- a/fs/smb/client/reparse.c
> +++ b/fs/smb/client/reparse.c
> @@ -1160,7 +1160,7 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
>
>                 name = ea->ea_data;
>                 nlen = ea->ea_name_length;
> -               v = (void *)((u8 *)ea->ea_data + ea->ea_name_length + 1);
> +               v = (void *)((u8 *)name + nlen + 1);
>
>                 if (!strncmp(name, SMB2_WSL_XATTR_UID, nlen))
>                         fattr->cf_uid = wsl_make_kuid(cifs_sb, v);
> @@ -1168,9 +1168,9 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
>                         fattr->cf_gid = wsl_make_kgid(cifs_sb, v);
>                 else if (!strncmp(name, SMB2_WSL_XATTR_MODE, nlen)) {
>                         /* File type in reparse point tag and in xattr mode must match. */
> -                       if (S_DT(fattr->cf_mode) != S_DT(le32_to_cpu(*(__le32 *)v)))
> +                       if (S_DT(fattr->cf_mode) != S_DT(get_unaligned_le32(v)))
>                                 return false;
> -                       fattr->cf_mode = (umode_t)le32_to_cpu(*(__le32 *)v);
> +                       fattr->cf_mode = (umode_t)get_unaligned_le32(v);
>                 } else if (!strncmp(name, SMB2_WSL_XATTR_DEV, nlen)) {
>                         fattr->cf_rdev = reparse_mkdev(v);
>                         have_xattr_dev = true;
> diff --git a/fs/smb/client/reparse.h b/fs/smb/client/reparse.h
> index 0164dc47bdfd..653213a6b7e8 100644
> --- a/fs/smb/client/reparse.h
> +++ b/fs/smb/client/reparse.h
> @@ -23,7 +23,7 @@
>
>  static inline dev_t reparse_mkdev(void *ptr)
>  {
> -       u64 v = le64_to_cpu(*(__le64 *)ptr);
> +       u64 v = get_unaligned_le64(ptr);
>
>         return MKDEV(v & 0xffffffff, v >> 32);
>  }
> @@ -31,7 +31,7 @@ static inline dev_t reparse_mkdev(void *ptr)
>  static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
>                                    void *ptr)
>  {
> -       u32 uid = le32_to_cpu(*(__le32 *)ptr);
> +       u32 uid = get_unaligned_le32(ptr);
>
>         if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_UID)
>                 return cifs_sb->ctx->linux_uid;
> @@ -41,7 +41,7 @@ static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
>  static inline kgid_t wsl_make_kgid(struct cifs_sb_info *cifs_sb,
>                                    void *ptr)
>  {
> -       u32 gid = le32_to_cpu(*(__le32 *)ptr);
> +       u32 gid = get_unaligned_le32(ptr);
>
>         if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_GID)
>                 return cifs_sb->ctx->linux_gid;
> diff --git a/fs/smb/client/smb2pdu.h b/fs/smb/client/smb2pdu.h
> index 30d70097fe2f..6744606dab6c 100644
> --- a/fs/smb/client/smb2pdu.h
> +++ b/fs/smb/client/smb2pdu.h
> @@ -211,6 +211,7 @@ struct compress_ioctl {
>   *     BB consider moving to a different header
>   */
>
> +/* See MS-FSCC 2.4.16 */
>  struct smb2_file_full_ea_info { /* encoding of response for level 15 */
>         __le32 next_entry_offset;
>         __u8   flags;
> --
> 2.53.0



-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] smb/client: fix unaligned reads in wsl_to_fattr()
  2026-04-24 21:41 ` Steve French
@ 2026-04-25 23:01   ` ChenXiaoSong
  0 siblings, 0 replies; 3+ messages in thread
From: ChenXiaoSong @ 2026-04-25 23:01 UTC (permalink / raw)
  To: Steve French, Youling Tang
  Cc: linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
	senozhatsky, dhowells, chenxiaosong, gregkh, linux-cifs,
	Youling Tang

Some older architectures require strict alignment, we will set up 
virtual machine environments for testing.

On 2026/4/25 05:41, Steve French wrote:
> Were you able to reproduce this bug with a test?

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-25 23:02 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-23  5:59 [PATCH] smb/client: fix unaligned reads in wsl_to_fattr() Youling Tang
2026-04-24 21:41 ` Steve French
2026-04-25 23:01   ` ChenXiaoSong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox