Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle

From: くさあさ

Date: Wed Oct 22 2025 - 10:54:01 EST


Hi Namjae, Steve,

Thanks for updating the patch. I’ve reviewed the changes and they look
good to me.

Minor impact note: this patch prevents a 4-byte out-of-bounds read in
ksmbd's handle_response() when the declared Generic Netlink payload
size is < 4.
If a remote client can influence ksmbd.mountd to emit a truncated
payload, this could be remotely triggerable (info-leak/DoS potential).
If you consider this security-impacting, I’m happy to request a CVE
via the kernel.org CNA.

Thanks!!
Qianchang Zhao


On Wed, Oct 22, 2025 at 3:39 PM Namjae Jeon <linkinjeon@xxxxxxxxxx> wrote:
>
> On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao <pioooooooooip@xxxxxxxxx> wrote:
> >
> > handle_response() dereferences the payload as a 4-byte handle without
> > verifying that the declared payload size is at least 4 bytes. A malformed
> > or truncated message from ksmbd.mountd can lead to a 4-byte read past the
> > declared payload size. Validate the size before dereferencing.
> >
> > This is a minimal fix to guard the initial handle read.
> >
> > Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Reported-by: Qianchang Zhao <pioooooooooip@xxxxxxxxx>
> > Signed-off-by: Qianchang Zhao <pioooooooooip@xxxxxxxxx>
> I have directly updated your patch. Can you check the attached patch?
> Thanks!
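The size-before-dereference check the quoted description calls for, as an added stand-alone C model rather than ksmbd's code or the attached patch: struct ipc_reply, the two handle_response_* functions, try_reply, accepted_handle and the 0x1234 handle value are constructed assumptions; only the rule (reject a payload shorter than 4 bytes before reading the handle) comes from the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one IPC reply: declared size plus bytes (not ksmbd's). */
struct ipc_reply {
    size_t sz;              /* declared payload size, daemon-controlled */
    const uint8_t *payload;
};

/* Unchecked form, mirroring the bug in the description: the 4-byte handle is
 * read unconditionally, so with sz < 4 it reads past the declared payload. */
int handle_response_unchecked(const struct ipc_reply *r, uint32_t *handle)
{
    memcpy(handle, r->payload, sizeof(*handle)); /* OOB read when r->sz < 4 */
    return 0;
}

/* Checked form: refuse any payload too short to hold a handle before
 * dereferencing it. Returns 0 on success, -EINVAL on a short payload. */
int handle_response_checked(const struct ipc_reply *r, uint32_t *handle)
{
    if (r->sz < sizeof(*handle))
        return -EINVAL;
    memcpy(handle, r->payload, sizeof(*handle));
    return 0;
}

/* Builds a reply whose buffer really holds a 4-byte handle (0x1234, a
 * constructed value) but advertises declared_sz bytes, then runs the checked
 * parser. Returns its rc; *out is the accepted handle, or 0 if rejected. */
int try_reply(size_t declared_sz, uint32_t *out)
{
    uint32_t stored = 0x1234u;
    uint8_t buf[sizeof(stored)];
    struct ipc_reply r = { declared_sz, buf };
    memcpy(buf, &stored, sizeof(stored));
    *out = 0;
    return handle_response_checked(&r, out);
}

/* The handle the checked parser accepts for a reply advertising declared_sz
 * bytes, or 0 when the reply is rejected. */
uint32_t accepted_handle(size_t declared_sz)
{
    uint32_t h;
    (void)try_reply(declared_sz, &h);
    return h;
}
```

Only the checked form is ever driven with a short declared size; the unchecked one is present for contrast and is not exercised on a short reply.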