This is a note to let you know that I've just added the patch titled cifs: prevent copying past input buffer boundaries to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: cifs-prevent-copying-past-input-buffer-boundaries.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 9ee2afe5207b63b20426ee081f486d831bae871d Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc@xxxxxx> Date: Thu, 6 Oct 2022 13:04:05 -0300 Subject: cifs: prevent copying past input buffer boundaries From: Paulo Alcantara <pc@xxxxxx> commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream. Prevent copying past @data buffer in smb2_validate_and_copy_iov() as the output buffer in @iov might be potentially bigger and thus copying more bytes than requested in @minbufsize. Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxx> Reviewed-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Cc: Georg Müller <georgmueller@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/cifs/smb2pdu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -3071,7 +3071,7 @@ smb2_validate_and_copy_iov(unsigned int if (rc) return rc; - memcpy(data, begin_of_buf, buffer_length); + memcpy(data, begin_of_buf, minbufsize); return 0; } @@ -3192,7 +3192,7 @@ query_info(const unsigned int xid, struc rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset), le32_to_cpu(rsp->OutputBufferLength), - &rsp_iov, min_len, *data); + &rsp_iov, dlen ? *dlen : min_len, *data); if (rc && allocated) { kfree(*data); *data = NULL; Patches currently in stable-queue which might be from pc@xxxxxx are queue-5.4/cifs-fix-missing-display-of-three-mount-options.patch queue-5.4/cifs-prevent-copying-past-input-buffer-boundaries.patch queue-5.4/cifs-fix-confusing-debug-message.patch queue-5.4/cifs-fix-oops-during-encryption.patch