Patch "smb: client: memcpy() with surrounding object base address" has been added to the 6.1-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    smb: client: memcpy() with surrounding object base address

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     smb-client-memcpy-with-surrounding-object-base-addre.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5f3523d73b0d09b686c88bfa946cf0ecf5f2ab23
Author: Kees Cook <kees@xxxxxxxxxx>
Date:   Sun Nov 17 03:32:09 2024 -0800

    smb: client: memcpy() with surrounding object base address
    
    [ Upstream commit f69b0187f8745a7a9584f6b13f5e792594b88b2e ]
    
    Like commit f1f047bd7ce0 ("smb: client: Fix -Wstringop-overflow issues"),
    adjust the memcpy() destination address to be based off the surrounding
    object rather than based off the 4-byte "Protocol" member. This avoids a
    build-time warning when compiling under CONFIG_FORTIFY_SOURCE with GCC 15:
    
    In function 'fortify_memcpy_chk',
        inlined from 'CIFSSMBSetPathInfo' at ../fs/smb/client/cifssmb.c:5358:2:
    ../include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
      571 |                         __write_overflow_field(p_size_field, size);
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
    Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index 67c5fc2b2db94..6077fe1dcc9ce 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -5349,7 +5349,7 @@ CIFSSMBSetPathInfo(const unsigned int xid, struct cifs_tcon *tcon,
 	param_offset = offsetof(struct smb_com_transaction2_spi_req,
 				InformationLevel) - 4;
 	offset = param_offset + params;
-	data_offset = (char *) (&pSMB->hdr.Protocol) + offset;
+	data_offset = (char *)pSMB + offsetof(typeof(*pSMB), hdr.Protocol) + offset;
 	pSMB->ParameterOffset = cpu_to_le16(param_offset);
 	pSMB->DataOffset = cpu_to_le16(offset);
 	pSMB->SetupCount = 1;