lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251108123609.382365-1-pioooooooooip@gmail.com>
Date: Sat,  8 Nov 2025 21:36:09 +0900
From: Qianchang Zhao <pioooooooooip@...il.com>
To: Namjae Jeon <linkinjeon@...nel.org>,
	Steve French <smfrench@...il.com>
Cc: gregkh@...uxfoundation.org,
	linux-cifs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	security@...nel.org,
	Zhitong Liu <liuzhitong1993@...il.com>,
	Qianchang Zhao <pioooooooooip@...il.com>,
	stable@...r.kernel.org
Subject: [PATCH] ksmbd: vfs: fix truncate lock-range check for shrink/grow and avoid size==0 underflow

ksmbd_vfs_truncate() uses check_lock_range() with arguments that are
incorrect for shrink, and can underflow when size==0:

- For shrink, the code passed [inode->i_size, size-1], which is reversed.
- When size==0, "size-1" underflows to -1, so the range becomes
  [old_size, -1], effectively skipping the intended [0, old_size-1].

Fix by:
- Rejecting negative size with -EINVAL.
- For shrink (size < old): check [size, old-1].
- For grow   (size > old): check [old, size-1].
- Skip lock check when size == old.
- Keep the return value on conflict as -EAGAIN (no noisy pr_err()).

This avoids the size==0 underflow and uses the correct range order,
preserving byte-range lock semantics.

Reported-by: Qianchang Zhao <pioooooooooip@...il.com>
Reported-by: Zhitong Liu <liuzhitong1993@...il.com>
Cc: stable@...r.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@...il.com>
---
 fs/smb/server/vfs.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index 891ed2dc2..e7843ec9b 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -825,17 +825,27 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work,
 	if (!work->tcon->posix_extensions) {
 		struct inode *inode = file_inode(filp);
 
-		if (size < inode->i_size) {
-			err = check_lock_range(filp, size,
-					       inode->i_size - 1, WRITE);
-		} else {
-			err = check_lock_range(filp, inode->i_size,
-					       size - 1, WRITE);
+		loff_t old = i_size_read(inode);
+		loff_t start = 0, end = -1;
+		bool need_check = false;
+
+		if (size < 0)
+			return -EINVAL;
+
+		if (size < old) {
+			start = size;
+			end   = old - 1;
+			need_check = true;
+		} else if (size > old) {
+			start = old;
+			end   = size - 1;
+			need_check = true;
 		}
 
-		if (err) {
-			pr_err("failed due to lock\n");
-			return -EAGAIN;
+		if (need_check) {
+			err = check_lock_range(filp, start, end, WRITE);
+			if (err)
+				return -EAGAIN;
 		}
 	}
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ