Linux CIFS filesystem development
 help / color / mirror / Atom feed
* [PATCH] smb: client: fix overflow in passthrough ioctl bounds check
@ 2026-07-08 12:35 Guangshuo Li
  2026-07-08 14:42 ` Markus Elfring
  0 siblings, 1 reply; 2+ messages in thread
From: Guangshuo Li @ 2026-07-08 12:35 UTC (permalink / raw)
  To: Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N,
	Tom Talpey, Bharath SM, Markus Elfring, linux-cifs,
	samba-technical, linux-kernel
  Cc: Guangshuo Li

smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
before copying it to userspace.

The payload offset and length both come from 32-bit fields. The bounds
check currently adds OutputOffset and qi.input_buffer_length directly, so
the addition can wrap in 32-bit arithmetic before the result is compared
against the response buffer length.

A malicious server can use a large OutputOffset and a small OutputCount
to make the wrapped sum pass the bounds check. The later copy_to_user()
then reads from io_rsp + OutputOffset, outside the response buffer.

Use size_add() for the offset plus length check so overflow is treated as
out of bounds.

Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 fs/smb/client/smb2ops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 06e9322a762a..fd2d55df2c86 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -1772,8 +1772,8 @@ smb2_ioctl_query_info(const unsigned int xid,
 		if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
 			qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
 		if (qi.input_buffer_length > 0 &&
-		    le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
-		    > rsp_iov[1].iov_len) {
+		     size_add(le32_to_cpu(io_rsp->OutputOffset),
+			     qi.input_buffer_length) > rsp_iov[1].iov_len) {
 			rc = -EFAULT;
 			goto out;
 		}
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] smb: client: fix overflow in passthrough ioctl bounds check
  2026-07-08 12:35 [PATCH] smb: client: fix overflow in passthrough ioctl bounds check Guangshuo Li
@ 2026-07-08 14:42 ` Markus Elfring
  0 siblings, 0 replies; 2+ messages in thread
From: Markus Elfring @ 2026-07-08 14:42 UTC (permalink / raw)
  To: Guangshuo Li, linux-cifs, samba-technical, Bharath SM,
	Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Steve French,
	Tom Talpey
  Cc: LKML

> smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
> before copying it to userspace.
> Use size_add() for the offset plus length check so overflow is treated as
> out of bounds.
> 
> Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")

Were implementation details improvable already before this commit?

Regards,
Markus

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-08 14:43 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-08 12:35 [PATCH] smb: client: fix overflow in passthrough ioctl bounds check Guangshuo Li
2026-07-08 14:42 ` Markus Elfring

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox