* [PATCH] smb: client: fix overflow in passthrough ioctl bounds check
@ 2026-07-08 12:35 Guangshuo Li
2026-07-08 14:42 ` Markus Elfring
0 siblings, 1 reply; 2+ messages in thread
From: Guangshuo Li @ 2026-07-08 12:35 UTC (permalink / raw)
To: Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N,
Tom Talpey, Bharath SM, Markus Elfring, linux-cifs,
samba-technical, linux-kernel
Cc: Guangshuo Li
smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
before copying it to userspace.
The payload offset and length both come from 32-bit fields. The bounds
check currently adds OutputOffset and qi.input_buffer_length directly, so
the addition can wrap in 32-bit arithmetic before the result is compared
against the response buffer length.
A malicious server can use a large OutputOffset and a small OutputCount
to make the wrapped sum pass the bounds check. The later copy_to_user()
then reads from io_rsp + OutputOffset, outside the response buffer.
Use size_add() for the offset plus length check so overflow is treated as
out of bounds.
Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
fs/smb/client/smb2ops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 06e9322a762a..fd2d55df2c86 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -1772,8 +1772,8 @@ smb2_ioctl_query_info(const unsigned int xid,
if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
if (qi.input_buffer_length > 0 &&
- le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
- > rsp_iov[1].iov_len) {
+ size_add(le32_to_cpu(io_rsp->OutputOffset),
+ qi.input_buffer_length) > rsp_iov[1].iov_len) {
rc = -EFAULT;
goto out;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] smb: client: fix overflow in passthrough ioctl bounds check
2026-07-08 12:35 [PATCH] smb: client: fix overflow in passthrough ioctl bounds check Guangshuo Li
@ 2026-07-08 14:42 ` Markus Elfring
0 siblings, 0 replies; 2+ messages in thread
From: Markus Elfring @ 2026-07-08 14:42 UTC (permalink / raw)
To: Guangshuo Li, linux-cifs, samba-technical, Bharath SM,
Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Steve French,
Tom Talpey
Cc: LKML
> smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
> before copying it to userspace.
…
> Use size_add() for the offset plus length check so overflow is treated as
> out of bounds.
>
> Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Were implementation details improvable already before this commit?
Regards,
Markus
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-08 14:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-08 12:35 [PATCH] smb: client: fix overflow in passthrough ioctl bounds check Guangshuo Li
2026-07-08 14:42 ` Markus Elfring
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox