From: Jeremy Erazo
To: Steve French
Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org
Subject: [PATCH] smb: client: avoid integer overflow in SMB2 READ length check
Date: Thu, 14 May 2026 12:03:34 +0000
Message-ID: <20260514120334.2925013-1-mendozayt13@gmail.com>

SMB2 READ response validation in cifs_readv_receive() and handle_read_data()
checks data_offset + data_len against the received buffer length. Both values
are attacker-controlled fields from the server response and are stored as
unsigned int, so the addition can wrap before the bounds check:

  fs/smb/client/transport.c:1259
    if (!use_rdma_mr && (data_offset + data_len > buflen))

  fs/smb/client/smb2ops.c:4839
    else if (buf_len >= data_offset + data_len)

A malicious SMB server can use this to bypass validation. In the non-encrypted
receive path the client attempts an oversized socket read and stalls for the
SMB response timeout (180 seconds) before reconnecting. In the SMB3 encrypted
path, runtime testing shows the malformed length can reach copy_to_iter() in
handle_read_data() with attacker-controlled size, where usercopy hardening
stops the oversized copy before bytes reach userspace.

Guard both call sites with check_add_overflow(), which is already used
elsewhere in this subsystem (smb2pdu.c). On overflow, treat the response as
malformed and reject with -EIO.
Signed-off-by: Jeremy Erazo --- fs/smb/client/smb2ops.c | 4 +++- fs/smb/client/transport.c | 15 +++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index e6cb9b144..373820498 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4721,6 +4721,7 @@ handle_read_data(struct TCP_Server_Info *server, stru= ct mid_q_entry *mid, { unsigned int data_offset; unsigned int data_len; + unsigned int end_off; unsigned int cur_off; unsigned int cur_page_idx; unsigned int pad_len; @@ -4836,7 +4837,8 @@ handle_read_data(struct TCP_Server_Info *server, stru= ct mid_q_entry *mid, } rdata->got_bytes =3D buffer_len; =20 - } else if (buf_len >=3D data_offset + data_len) { + } else if (!check_add_overflow(data_offset, data_len, &end_off) && + buf_len >=3D end_off) { /* read response payload is in buf */ WARN_ONCE(buffer, "read data can be either in buf or in buffer"); copied =3D copy_to_iter(buf + data_offset, data_len, &rdata->subreq.io_i= ter); diff --git a/fs/smb/client/transport.c b/fs/smb/client/transport.c index 05f809904..fdf4e50c2 100644 --- a/fs/smb/client/transport.c +++ b/fs/smb/client/transport.c @@ -1158,7 +1158,7 @@ int cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) { int length, len; - unsigned int data_offset, data_len; + unsigned int data_offset, data_len, end_off; struct cifs_io_subrequest *rdata =3D mid->callback_data; char *buf =3D server->smallbuf; unsigned int buflen =3D server->pdu_size; 
@@ -1256,11 +1256,14 @@ cifs_readv_receive(struct TCP_Server_Info *server, = struct mid_q_entry *mid) use_rdma_mr =3D rdata->mr; #endif data_len =3D server->ops->read_data_length(buf, use_rdma_mr); - if (!use_rdma_mr && (data_offset + data_len > buflen)) { - /* data_len is corrupt -- discard frame */ - rdata->result =3D smb_EIO2(smb_eio_trace_read_rsp_malformed, - data_offset + data_len, buflen); - return cifs_readv_discard(server, mid); + if (!use_rdma_mr) { + if (check_add_overflow(data_offset, data_len, &end_off) || + end_off > buflen) { + /* data_len is corrupt -- discard frame */ + rdata->result =3D smb_EIO2(smb_eio_trace_read_rsp_malformed, + end_off, buflen); + return cifs_readv_discard(server, mid); + } } =20 #ifdef CONFIG_CIFS_SMB_DIRECT --=20 2.53.0
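Review bot: in the smb2ops.c hunk at handle_read_data(), nothing visible in the hunk rejects the overflow case: when check_add_overflow() reports a wrap, the new condition `!check_add_overflow(data_offset, data_len, &end_off) && buf_len >= end_off` is simply false and control falls through to whatever `else` follows the shown context, so the "-EIO" the changelog promises depends entirely on that existing branch. Please either widen the context so the branch that produces the error is visible, or state in the changelog that the existing malformed-response branch covers the wrapped case. Also note for that branch that `end_off` holds the wrapped sum after a failed check_add_overflow() (the builtin stores the truncated result), so it must not be used there as if it were a valid end offset.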
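Review bot: in the transport.c hunk at cifs_readv_receive(), the diagnostic passes `end_off` to smb_EIO2() even when check_add_overflow() has just returned true; check_add_overflow() stores the wrapped sum in `end_off` in that case, so the trace records a small end offset that appears to fit in `buflen`, which is misleading when debugging exactly the malformed frames this patch targets. Consider tracing `data_offset` and `data_len` separately, or passing `UINT_MAX` when the addition overflowed. Minor style: the extra nesting level could be avoided by folding the overflow test into the original condition, e.g. `if (!use_rdma_mr && (check_add_overflow(data_offset, data_len, &end_off) || end_off > buflen))`, which confines the diff to the condition line and leaves the body unchanged.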
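The wrap described in the changelog, as an added stand-alone harness that is not part of the patch or of the cifs client code: the pre-patch and guarded comparisons side by side over constructed server-supplied values, with `__builtin_add_overflow` standing in for the kernel's `check_add_overflow()` and all three quantities kept as `unsigned int` as in the driver.

```c
#include <stdbool.h>
#include <stdio.h>

/* Pre-patch form of the check: the sum can wrap before it is compared. */
static bool read_rsp_fits_naive(unsigned int data_offset, unsigned int data_len,
				unsigned int buflen)
{
	return data_offset + data_len <= buflen;
}

/*
 * Guarded form.  __builtin_add_overflow is what check_add_overflow() expands
 * to: it returns true on wrap and still stores the wrapped sum in *end_off,
 * which is why a diagnostic must not treat *end_off as meaningful on failure.
 */
static bool read_rsp_fits_safe(unsigned int data_offset, unsigned int data_len,
			       unsigned int buflen, unsigned int *end_off)
{
	if (__builtin_add_overflow(data_offset, data_len, end_off))
		return false;	/* malformed response: caller maps this to -EIO */
	return *end_off <= buflen;
}

int main(void)
{
	/* Constructed values: a 4 KiB PDU and a data_len picked so that
	 * data_offset + data_len wraps to 39, well inside buflen. */
	unsigned int buflen = 4096, data_offset = 80;
	unsigned int data_len = 0xFFFFFFFFu - 40;
	unsigned int end_off = 0;

	printf("naive check: %s\n",
	       read_rsp_fits_naive(data_offset, data_len, buflen) ? "accepted" : "rejected");
	printf("guarded check: %s (wrapped end_off=%u)\n",
	       read_rsp_fits_safe(data_offset, data_len, buflen, &end_off) ? "accepted" : "rejected",
	       end_off);
	return 0;
}
```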