lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250311142206.2045-2-m.masimov@mt-integration.ru>
Date: Tue, 11 Mar 2025 17:22:03 +0300
From: Murad Masimov <m.masimov@...integration.ru>
To: Steve French <sfrench@...ba.org>
CC: Paulo Alcantara <pc@...guebit.com>, Ronnie Sahlberg
	<ronniesahlberg@...il.com>, Shyam Prasad N <sprasad@...rosoft.com>, Tom
 Talpey <tom@...pey.com>, Bharath SM <bharathsm@...rosoft.com>, Jeff Layton
	<jlayton@...nel.org>, Suresh Jayaraman <sjayaraman@...e.de>, "Paulo Alcantara
 (SUSE)" <pc@....nz>, <linux-cifs@...r.kernel.org>,
	<samba-technical@...ts.samba.org>, <linux-kernel@...r.kernel.org>,
	<lvc-project@...uxtesting.org>, Murad Masimov <m.masimov@...integration.ru>
Subject: [PATCH 1/4] cifs: Fix integer overflow while processing acregmax mount option

User-provided mount parameter acregmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
Signed-off-by: Murad Masimov <m.masimov@...integration.ru>
---
 fs/smb/client/fs_context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index e9b286d9a7ba..e9045fcf843e 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1340,11 +1340,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
 		}
 		break;
 	case Opt_acregmax:
-		ctx->acregmax = HZ * result.uint_32;
-		if (ctx->acregmax > CIFS_MAX_ACTIMEO) {
+		if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
 			cifs_errorf(fc, "acregmax too large\n");
 			goto cifs_parse_mount_err;
 		}
+		ctx->acregmax = HZ * result.uint_32;
 		break;
 	case Opt_acdirmax:
 		ctx->acdirmax = HZ * result.uint_32;
--
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ