lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250311142206.2045-5-m.masimov@mt-integration.ru>
Date: Tue, 11 Mar 2025 17:22:06 +0300
From: Murad Masimov <m.masimov@...integration.ru>
To: Steve French <sfrench@...ba.org>
CC: Paulo Alcantara <pc@...guebit.com>, Ronnie Sahlberg
	<ronniesahlberg@...il.com>, Shyam Prasad N <sprasad@...rosoft.com>, Tom
 Talpey <tom@...pey.com>, Bharath SM <bharathsm@...rosoft.com>, Jeff Layton
	<jlayton@...nel.org>, Suresh Jayaraman <sjayaraman@...e.de>, "Paulo Alcantara
 (SUSE)" <pc@....nz>, <linux-cifs@...r.kernel.org>,
	<samba-technical@...ts.samba.org>, <linux-kernel@...r.kernel.org>,
	<lvc-project@...uxtesting.org>, Murad Masimov <m.masimov@...integration.ru>
Subject: [PATCH 4/4] cifs: Fix integer overflow while processing closetimeo mount option

User-provided mount parameter closetimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable")
Signed-off-by: Murad Masimov <m.masimov@...integration.ru>
---
 fs/smb/client/fs_context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 89e54cf238f8..da5973c228ed 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1366,11 +1366,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
 		ctx->acdirmax = ctx->acregmax = HZ * result.uint_32;
 		break;
 	case Opt_closetimeo:
-		ctx->closetimeo = HZ * result.uint_32;
-		if (ctx->closetimeo > SMB3_MAX_DCLOSETIMEO) {
+		if (result.uint_32 > SMB3_MAX_DCLOSETIMEO / HZ) {
 			cifs_errorf(fc, "closetimeo too large\n");
 			goto cifs_parse_mount_err;
 		}
+		ctx->closetimeo = HZ * result.uint_32;
 		break;
 	case Opt_echo_interval:
 		ctx->echo_interval = result.uint_32;
--
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ