lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAFgAp7ixLZLXGSN6tOmtNj0f4b-z3pnMrQg4Avnb6tOvj3h3KQ@mail.gmail.com>
Date: Wed, 22 Oct 2025 23:53:49 +0900
From: くさあさ <pioooooooooip@...il.com>
To: Namjae Jeon <linkinjeon@...nel.org>
Cc: Steve French <smfrench@...il.com>, Sergey Senozhatsky <senozhatsky@...omium.org>, 
	Tom Talpey <tom@...pey.com>, linux-cifs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	gregkh@...uxfoundation.org, stable@...r.kernel.org
Subject: Re: [PATCH] ksmbd: transport_ipc: validate payload size before
 reading handle

Hi Namjae, Steve,

Thanks for updating the patch. I’ve reviewed the changes and they look
good to me.

Minor impact note: this patch prevents a 4-byte out-of-bounds read in
ksmbd's handle_response() when the declared Generic Netlink payload
size is < 4.
If a remote client can influence ksmbd.mountd to emit a truncated
payload, this could be remotely triggerable (info-leak/DoS potential).
If you consider this security-impacting, I’m happy to request a CVE
via the kernel.org CNA.

Thanks!!
Qianchang Zhao


On Wed, Oct 22, 2025 at 3:39 PM Namjae Jeon <linkinjeon@...nel.org> wrote:
>
> On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao <pioooooooooip@...il.com> wrote:
> >
> > handle_response() dereferences the payload as a 4-byte handle without
> > verifying that the declared payload size is at least 4 bytes. A malformed
> > or truncated message from ksmbd.mountd can lead to a 4-byte read past the
> > declared payload size. Validate the size before dereferencing.
> >
> > This is a minimal fix to guard the initial handle read.
> >
> > Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> > Cc: stable@...r.kernel.org
> > Reported-by: Qianchang Zhao <pioooooooooip@...il.com>
> > Signed-off-by: Qianchang Zhao <pioooooooooip@...il.com>
> I have directly updated your patch. Can you check the attached patch ?
> Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ