From nobody Sun Jun 14 21:18:03 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BC4412F585;
	Mon,  6 Apr 2026 13:49:41 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775483381; cv=none;
 b=brNjZnXoSiJPpPkpz5mQATk4R0nQ6UVI8myQ2rZwfs8DAQpowfuaduOHH/wxiqfDSEU1773n5c4uDFI2bBKRNr+03fjk0MvixGtDTjdBfPA1oddIWqZEJgauLfVW51P6/GBekpgMIgp7HfC0FvCO444xCdaOBMAvAo6JT4HHy6s=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775483381; c=relaxed/simple;
	bh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=u5C6Ye1JK+N7bxSbbEI36yJm1JnWaCYvt/fFCSCDMy3K3tW44unhpQu21ueCkCavqXbUkOhrwzuzfpHCzSF53gAFZadPh0x3HTyiyk6DXX6kFcBGdr6Y6+rgMg+iJ3/RLPENlkSyhF1sj+7Min8pGY8WMi2stjj+CSNx3G4mjFs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (1024-bit key) header.d=linuxfoundation.org
 header.i=@linuxfoundation.org header.b=To6h9XC5;
 arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org
 header.i=@linuxfoundation.org header.b="To6h9XC5"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B03D6C4CEF7;
	Mon,  6 Apr 2026 13:49:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1775483381;
	bh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=To6h9XC5zP+xWBz0FzFGxcHhdJiVt7QI1Vq9SU297CnmbumwIuUx3EZTpmP1fihB1
	 iQLu5GNl/TLRxXOf+HGpB60h3/kd/cMpbPp5R6WRDk4Gv2I1McfDfi49yfPm2SxRWF
	 Wbz/f4FCxG6xmntVxIB6Qt/qW+KmUp9Dn/tzASKg=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cifs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Steve French <sfrench@samba.org>,
	Paulo Alcantara <pc@manguebit.org>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Shyam Prasad N <sprasad@microsoft.com>,
	Tom Talpey <tom@talpey.com>,
	Bharath SM <bharathsm@microsoft.com>,
	samba-technical@lists.samba.org,
	stable <stable@kernel.org>
Subject: [PATCH 1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()
Date: Mon,  6 Apr 2026 15:49:37 +0200
Message-ID: <2026040636-unsigned-jackal-e239@gregkh>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <2026040635-banking-unsoiled-3250@gregkh>
References: <2026040635-banking-unsoiled-3250@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1895;
 i=gregkh@linuxfoundation.org; h=from:subject:message-id;
 bh=9BU9EIZ0xpSJhe6BLo5bEcq83MnOBqIILZ9FwVVRilI=;
 b=owGbwMvMwCRo6H6F97bub03G02pJDJmXd37YvON0Y+CLz8fKbul+Pt/QzS5tbfrrpeC17U+3n
 5Pe+GPJxY5YFgZBJgZZMUWWL9t4ju6vOKToZWh7GmYOKxPIEAYuTgGYSPcxhvklT4Lt51b5zRRO
 /3AqezXzJP1TBlcYFlyZd2OJ5PuqTwc9jvWucA059fXE/yUA
X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
 fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) =3D 8 from ea, not at offset 0.  The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen.  Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds
check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.

Cc: Steve French <sfrench@samba.org>
Cc: Paulo Alcantara <pc@manguebit.org>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Bharath SM <bharathsm@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
---
 fs/smb/client/smb2inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 364bdcff9c9d..fe1c9d776580 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -128,7 +128,7 @@ static int check_wsl_eas(struct kvec *rsp_iov)
 		nlen =3D ea->ea_name_length;
 		vlen =3D le16_to_cpu(ea->ea_value_length);
 		if (nlen !=3D SMB2_WSL_XATTR_NAME_LEN ||
-		    (u8 *)ea + nlen + 1 + vlen > end)
+		    (u8 *)ea->ea_data + nlen + 1 + vlen > end)
 			return -EINVAL;
=20
 		switch (vlen) {
--=20
2.53.0
From nobody Sun Jun 14 21:18:03 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5069729E11D;
	Mon,  6 Apr 2026 13:49:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775483389; cv=none;
 b=o1k52yUyQwRaP4IknxYgnpHzPPfz158m/SJZ4VrWVz6E6+di+TC7bqc4I2PTmH5+k93MQcBWD+Ws1sKajy6PB/0KTbpKqUW47XKFvKhOBP8RrcXpHPMqMVCcUMOIsjIvbH7LLYPgyemMbY10Qbcrg7ByEX7MSvAhiTCFZvAOnW4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775483389; c=relaxed/simple;
	bh=dINbbS4cKF6wwvx/bzeLOYJ+irUgy9XDiVNht/C7qLg=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=eEKktCXTxD/l0OYQ+9NdAoyGEWPu78aN/bgtr0Ew9ZfvQR3lhjbLsLzgD11AWJFRVbSmlH7kTb4ZUPT7GPNLN5lgbhZn6FC1lcRSxtpkkebjSNOFsDeEUY4CxoWMNNVQ3v0C1xkhwVdFGSYptCERHWjUk7qbkKmjWha/l+qM7tw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (1024-bit key) header.d=linuxfoundation.org
 header.i=@linuxfoundation.org header.b=Ua2KdIIw;
 arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org
 header.i=@linuxfoundation.org header.b="Ua2KdIIw"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 93C02C4CEF7;
	Mon,  6 Apr 2026 13:49:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1775483388;
	bh=dINbbS4cKF6wwvx/bzeLOYJ+irUgy9XDiVNht/C7qLg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Ua2KdIIwBABAtHiFO3GBaPqNhzbpJxYT5dNJs78uQ4dOKEP9elP9EvXYA1wUQFChT
	 aME3+KnRX2CkmUwexljXI4u8llr/mU6vSY169Tk9O7WgFREyfCXVYMUjoO2h7YlKrE
	 QujcipQUSK0I5HWUEQvyChELsD3UC+WEX16h0HtE=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cifs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Steve French <sfrench@samba.org>,
	Paulo Alcantara <pc@manguebit.org>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Shyam Prasad N <sprasad@microsoft.com>,
	Tom Talpey <tom@talpey.com>,
	Bharath SM <bharathsm@microsoft.com>,
	samba-technical@lists.samba.org,
	stable <stable@kernel.org>
Subject: [PATCH 2/2] smb: client: fix OOB reads parsing symlink error response
Date: Mon,  6 Apr 2026 15:49:38 +0200
Message-ID: <2026040636-icy-constable-9e17@gregkh>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <2026040635-banking-unsoiled-3250@gregkh>
References: <2026040635-banking-unsoiled-3250@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=4719;
 i=gregkh@linuxfoundation.org; h=from:subject:message-id;
 bh=dINbbS4cKF6wwvx/bzeLOYJ+irUgy9XDiVNht/C7qLg=;
 b=owGbwMvMwCRo6H6F97bub03G02pJDJmXd35I+/nxwhW+O1M5I341Cc1u5Sp4ljd7dxCzxq26h
 6fX7xex7YhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJ+GkwLNhvPuNZ/EGTyNjf
 Z5YvPVbPFqHAuZFhvv871jOch70yOfbuaQw6kX4414O7CAA=
X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
 fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.

symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0.  When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it.  When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.

smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base.  That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount =3D=3D 0.

With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8).  The check is too short, allowing the
substitute name read to run past iov_len.  The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).

Fix this all up by making the loops test require the full context header
to fit, rejecting sym if its header runs past end, and bound the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.

Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.

Cc: Steve French <sfrench@samba.org>
Cc: Paulo Alcantara <pc@manguebit.org>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Bharath SM <bharathsm@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
---
 fs/smb/client/smb2file.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index ed651c946251..b292aa94a593 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -27,10 +27,11 @@ static struct smb2_symlink_err_rsp *symlink_data(const =
struct kvec *iov)
 {
 	struct smb2_err_rsp *err =3D iov->iov_base;
 	struct smb2_symlink_err_rsp *sym =3D ERR_PTR(-EINVAL);
+	u8 *end =3D (u8 *)err + iov->iov_len;
 	u32 len;
=20
 	if (err->ErrorContextCount) {
-		struct smb2_error_context_rsp *p, *end;
+		struct smb2_error_context_rsp *p;
=20
 		len =3D (u32)err->ErrorContextCount * (offsetof(struct smb2_error_contex=
t_rsp,
 							      ErrorContextData) +
@@ -39,8 +40,7 @@ static struct smb2_symlink_err_rsp *symlink_data(const st=
ruct kvec *iov)
 			return ERR_PTR(-EINVAL);
=20
 		p =3D (struct smb2_error_context_rsp *)err->ErrorData;
-		end =3D (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
-		do {
+		while ((u8 *)p + sizeof(*p) <=3D end) {
 			if (le32_to_cpu(p->ErrorId) =3D=3D SMB2_ERROR_ID_DEFAULT) {
 				sym =3D (struct smb2_symlink_err_rsp *)p->ErrorContextData;
 				break;
@@ -50,14 +50,16 @@ static struct smb2_symlink_err_rsp *symlink_data(const =
struct kvec *iov)
=20
 			len =3D ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
 			p =3D (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
-		} while (p < end);
+		}
 	} else if (le32_to_cpu(err->ByteCount) >=3D sizeof(*sym) &&
 		   iov->iov_len >=3D SMB2_SYMLINK_STRUCT_SIZE) {
 		sym =3D (struct smb2_symlink_err_rsp *)err->ErrorData;
 	}
=20
-	if (!IS_ERR(sym) && (le32_to_cpu(sym->SymLinkErrorTag) !=3D SYMLINK_ERROR=
_TAG ||
-			     le32_to_cpu(sym->ReparseTag) !=3D IO_REPARSE_TAG_SYMLINK))
+	if (!IS_ERR(sym) &&
+	    ((u8 *)sym + sizeof(*sym) > end ||
+	     le32_to_cpu(sym->SymLinkErrorTag) !=3D SYMLINK_ERROR_TAG ||
+	     le32_to_cpu(sym->ReparseTag) !=3D IO_REPARSE_TAG_SYMLINK))
 		sym =3D ERR_PTR(-EINVAL);
=20
 	return sym;
@@ -128,8 +130,10 @@ int smb2_parse_symlink_response(struct cifs_sb_info *c=
ifs_sb, const struct kvec
 	print_len =3D le16_to_cpu(sym->PrintNameLength);
 	print_offs =3D le16_to_cpu(sym->PrintNameOffset);
=20
-	if (iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offs + sub_len ||
-	    iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + print_offs + print_len)
+	if ((char *)sym->PathBuffer + sub_offs + sub_len >
+		(char *)iov->iov_base + iov->iov_len ||
+	    (char *)sym->PathBuffer + print_offs + print_len >
+		(char *)iov->iov_base + iov->iov_len)
 		return -EINVAL;
=20
 	return smb2_parse_native_symlink(path,
--=20
2.53.0