lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH2r5msAgsWfnCt171TcmhvCw39GtQ8nU8SwzrVpP=xw2vGypg@mail.gmail.com>
Date: Wed, 3 Dec 2025 15:40:04 -0600
From: Steve French <smfrench@...il.com>
To: Paulo Alcantara <pc@...guebit.org>
Cc: David Howells <dhowells@...hat.com>, Steve French <sfrench@...ba.org>, 
	Shyam Prasad N <sprasad@...rosoft.com>, linux-cifs@...r.kernel.org, netfs@...ts.linux.dev, 
	linux-fsdevel@...r.kernel.org, stable@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cifs: Fix handling of a beyond-EOF DIO/unbuffered read
 over SMB1

On Wed, Dec 3, 2025 at 12:03 PM Paulo Alcantara <pc@...guebit.org> wrote:
>
> David Howells <dhowells@...hat.com> writes:
>
> >
> > If a DIO read or an unbuffered read request extends beyond the EOF, the
> > server will return a short read and a status code indicating that EOF was
> > hit, which gets translated to -ENODATA.  Note that the client does not cap
> > the request at i_size, but asks for the amount requested in case there's a
> > race on the server with a third party.
> >
> > Now, on the client side, the request will get split into multiple
> > subrequests if rsize is smaller than the full request size.  A subrequest
> > that starts before or at the EOF and returns short data up to the EOF will
> > be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set,
> > indicating to netfslib that we can't read more.
> >
> > If a subrequest, however, starts after the EOF and not at it, HIT_EOF will
> > not be flagged, its error will be set to -ENODATA and it will be abandoned.
> > This will cause the request as a whole to fail with -ENODATA.
> >
> > Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond
> > the EOF marker.
> >
> > This can be reproduced by mounting with "cache=none,sign,vers=1.0" and
> > doing a read of a file that's significantly bigger than the size of the
> > file (e.g. attempting to read 64KiB from a 16KiB file).
> >
> > Fixes: a68c74865f51 ("cifs: Fix SMB1 readv/writev callback in the same way as SMB2/3")
> > Signed-off-by: David Howells <dhowells@...hat.com>
> > cc: Steve French <sfrench@...ba.org>
> > cc: Paulo Alcantara <pc@...guebit.org>
> > cc: Shyam Prasad N <sprasad@...rosoft.com>
> > cc: linux-cifs@...r.kernel.org
> > cc: netfs@...ts.linux.dev
> > cc: linux-fsdevel@...r.kernel.org
>
> Reviewed-by: Paulo Alcantara (Red Hat) <pc@...guebit.org>
>
> Dave, looks like we're missing a similar fix for smb2_readv_callback()
> as well.
>
> Can you handle it?

Any luck reproducing it for smb2/smb3/smb3.1.1?

-- 
Thanks,

Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ