[0/2] cifs: fix integer overflow in match_server()

Message ID	20250331082251.123381-1-r.smirnov@omp.ru (mailing list archive)
Headers	show Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD32D156237; Mon, 31 Mar 2025 08:23:32 +0000 (UTC) From: Roman Smirnov <r.smirnov@omp.ru> To: Steve French <sfrench@samba.org>, Paulo Alcantara <pc@manguebit.com>, Ronnie Sahlberg <ronniesahlberg@gmail.com>, Shyam Prasad N <sprasad@microsoft.com>, Tom Talpey <tom@talpey.com>, Bharath SM <bharathsm@microsoft.com> CC: Roman Smirnov <r.smirnov@omp.ru>, Sachin Prabhu <sprabhu@redhat.com>, Shirish Pargaonkar <shirishpargaonkar@gmail.com>, <linux-cifs@vger.kernel.org>, <samba-technical@lists.samba.org>, <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org> Subject: [PATCH 0/2] cifs: fix integer overflow in match_server() Date: Mon, 31 Mar 2025 11:22:48 +0300 Message-ID: <20250331082251.123381-1-r.smirnov@omp.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain on: 03/31/2025 08:06:54 from: r.smirnov@omp.ru DNSBL: 81.22.207.138 in (user) b.barracudacentral.org} DNSBL: 81.22.207.138 in (user) dbl.spamhaus.org} bases: 3/31/2025 5:23:00 AM X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit
Series	cifs: fix integer overflow in match_server() \| expand [0/2] cifs: fix integer overflow in match_server() [1/2] cifs: fix integer overflow in match_server() [2/2] cifs: remove unreachable code in cifs_get_tcp_session()

Message ID

20250331082251.123381-1-r.smirnov@omp.ru (mailing list archive)

Headers

From: Roman Smirnov <r.smirnov@omp.ru>
To: Steve French <sfrench@samba.org>, Paulo Alcantara <pc@manguebit.com>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>, Shyam Prasad N
	<sprasad@microsoft.com>, Tom Talpey <tom@talpey.com>, Bharath SM
	<bharathsm@microsoft.com>
CC: Roman Smirnov <r.smirnov@omp.ru>, Sachin Prabhu <sprabhu@redhat.com>,
	Shirish Pargaonkar <shirishpargaonkar@gmail.com>,
	<linux-cifs@vger.kernel.org>, <samba-technical@lists.samba.org>,
	<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH 0/2] cifs: fix integer overflow in match_server()
Date: Mon, 31 Mar 2025 11:22:48 +0300
Message-ID: <20250331082251.123381-1-r.smirnov@omp.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-KSE-Attachment-Filter-Triggered-Filters: Clean
X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit

Series

cifs: fix integer overflow in match_server() | expand

Message

Roman Smirnov March 31, 2025, 8:22 a.m. UTC

If a large number is written to echo_interval during mount,
an integer overflow may occur in match_server():

smb3_fs_context_parse_param()

cifs_smb3_do_mount()
  sget()
    cifs_match_super()
      match_server()

Found by Linux Verification Center (linuxtesting.org) with Svace.

Roman Smirnov (2):
  cifs: fix integer overflow in match_server()
  cifs: remove unreachable code in cifs_get_tcp_session()

 fs/smb/client/connect.c    | 6 +-----
 fs/smb/client/fs_context.c | 5 +++++
 2 files changed, 6 insertions(+), 5 deletions(-)

Comments

Steve French March 31, 2025, 10:48 p.m. UTC | #1

Merged into cifs-2.6.git for-next

On Mon, Mar 31, 2025 at 3:23 AM Roman Smirnov <r.smirnov@omp.ru> wrote:
>
> If a large number is written to echo_interval during mount,
> an integer overflow may occur in match_server():
>
> smb3_fs_context_parse_param()
>
> cifs_smb3_do_mount()
>   sget()
>     cifs_match_super()
>       match_server()
>
> Found by Linux Verification Center (linuxtesting.org) with Svace.
>
> Roman Smirnov (2):
>   cifs: fix integer overflow in match_server()
>   cifs: remove unreachable code in cifs_get_tcp_session()
>
>  fs/smb/client/connect.c    | 6 +-----
>  fs/smb/client/fs_context.c | 5 +++++
>  2 files changed, 6 insertions(+), 5 deletions(-)
>
> --
> 2.34.1
>
>