* [PATCH] ksmbd: transport_ipc: validate payload size before reading handle
From: Qianchang Zhao @ 2025-10-21 14:54 UTC
To: Namjae Jeon, Steve French
Cc: Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh,
Qianchang Zhao, stable

handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
fs/smb/server/transport_ipc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 46f87fd1ce1c..2028de4d3ddf 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -263,6 +263,10 @@ static void ipc_msg_handle_free(int handle)
static int handle_response(int type, void *payload, size_t sz)
{
+ /* Prevent 4-byte read beyond declared payload size */
+ if (sz < sizeof(unsigned int))
+ return -EINVAL;
+
unsigned int handle = *(unsigned int *)payload;
struct ipc_msg_table_entry *entry;
int ret = 0;
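Review bot: The size check is placed above the `unsigned int handle = *(unsigned int *)payload;` declaration, so the function now has a statement ahead of its local declarations, which goes against kernel style (declaration after statement). Declare `unsigned int handle;` together with `entry` and `ret`, run the `sz < sizeof(unsigned int)` check after the declarations, and only then assign `handle = *(unsigned int *)payload;`.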
--
2.34.1
* Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle
From: Namjae Jeon @ 2025-10-22 6:39 UTC
To: Qianchang Zhao
Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs,
linux-kernel, gregkh, stable

On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote:
>
> handle_response() dereferences the payload as a 4-byte handle without
> verifying that the declared payload size is at least 4 bytes. A malformed
> or truncated message from ksmbd.mountd can lead to a 4-byte read past the
> declared payload size. Validate the size before dereferencing.
>
> This is a minimal fix to guard the initial handle read.
>
> Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> Cc: stable@vger.kernel.org
> Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
> Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>

I have directly updated your patch. Can you check the attached patch?
Thanks!

[-- Attachment #2: 0001-ksmbd-transport_ipc-validate-payload-size-before-rea.patch --]
[-- Type: text/x-patch, Size: 1753 bytes --]
From 177af6102527571eaa381323dddd7084c203353e Mon Sep 17 00:00:00 2001
From: Qianchang Zhao <pioooooooooip@gmail.com>
Date: Wed, 22 Oct 2025 15:27:47 +0900
Subject: [PATCH] ksmbd: transport_ipc: validate payload size before reading
handle

handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/transport_ipc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 46f87fd1ce1c..2c08cccfa680 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -263,10 +263,16 @@ static void ipc_msg_handle_free(int handle)
static int handle_response(int type, void *payload, size_t sz)
{
- unsigned int handle = *(unsigned int *)payload;
+ unsigned int handle;
struct ipc_msg_table_entry *entry;
int ret = 0;
+ /* Prevent 4-byte read beyond declared payload size */
+ if (sz < sizeof(unsigned int))
+ return -EINVAL;
+
+ handle = *(unsigned int *)payload;
+
ipc_update_last_active();
down_read(&ipc_msg_table_lock);
hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {
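Review bot: The early `return -EINVAL` now runs before `ipc_update_last_active()`, so a message whose payload is shorter than the handle is no longer counted as activity from ksmbd.mountd and is dropped without any log line. If that is intended, say so in the comment; otherwise move the check below `ipc_update_last_active()`. The comment also hard-codes "4-byte" while the check uses `sizeof(unsigned int)`; wording it in terms of the handle size keeps the two in step.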
--
2.25.1
* Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle
From: くさあさ @ 2025-10-22 14:53 UTC
To: Namjae Jeon
Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs,
linux-kernel, gregkh, stable
Hi Namjae, Steve,
Thanks for updating the patch. I’ve reviewed the changes and they look
good to me.
Minor impact note: this patch prevents a 4-byte out-of-bounds read in
ksmbd's handle_response() when the declared Generic Netlink payload
size is < 4.
If a remote client can influence ksmbd.mountd to emit a truncated
payload, this could be remotely triggerable (info-leak/DoS potential).
If you consider this security-impacting, I’m happy to request a CVE
via the kernel.org CNA.
Thanks!!
Qianchang Zhao
On Wed, Oct 22, 2025 at 3:39 PM Namjae Jeon <linkinjeon@kernel.org> wrote:
>
> On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote:
> >
> > handle_response() dereferences the payload as a 4-byte handle without
> > verifying that the declared payload size is at least 4 bytes. A malformed
> > or truncated message from ksmbd.mountd can lead to a 4-byte read past the
> > declared payload size. Validate the size before dereferencing.
> >
> > This is a minimal fix to guard the initial handle read.
> >
> > Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> > Cc: stable@vger.kernel.org
> > Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
> > Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
> I have directly updated your patch. Can you check the attached patch?
> Thanks!
* Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle
From: Namjae Jeon @ 2025-10-22 23:13 UTC
To: くさあさ
Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs,
linux-kernel, gregkh, stable
On Wed, Oct 22, 2025 at 7:45 PM くさあさ <pioooooooooip@gmail.com> wrote:
>
> Hi Namjae, Steve,
Hi,
>
> Thanks for updating the patch. I’ve reviewed the changes and they look good to me.
Okay.
>
> Minor impact note: this patch prevents a 4-byte out-of-bounds read in ksmbd’s handle_response() when the declared Generic Netlink payload size is < 4.
> If a remote client can influence ksmbd.mountd to emit a truncated payload, this could be remotely triggerable (info-leak/DoS potential).
I don't understand how this is possible. Could you please explain it
to me via private email?
> If you consider this security-impacting, I’m happy to request a CVE via the kernel.org CNA.
>
> Thanks!!
> Qianchang Zhao