From 02c4b4f2a9f9c7f64a2592c631d91c54235e3822 Mon Sep 17 00:00:00 2001 From: Murad Masimov Date: Wed, 2 Apr 2025 15:10:46 +0800 Subject: [PATCH 1/2] cifs: Fix integer overflow while processing acregmax mount option stable inclusion from stable-v6.6.84 commit 0252c33cc943e9e48ddfafaa6b1eb72adb68a099 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY42B CVE: CVE-2025-21964 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0252c33cc943e9e48ddfafaa6b1eb72adb68a099 -------------------------------- [ Upstream commit 7489161b1852390b4413d57f2457cd40b34da6cc ] User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout") Signed-off-by: Murad Masimov Signed-off-by: Steve French Signed-off-by: Sasha Levin Signed-off-by: Li Lingfeng --- fs/smb/client/fs_context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 4e77ba191ef8..695a2a223f93 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1262,11 +1262,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_acregmax: - ctx->acregmax = HZ * result.uint_32; - if (ctx->acregmax > CIFS_MAX_ACTIMEO) { + if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) { cifs_errorf(fc, "acregmax too large\n"); goto cifs_parse_mount_err; } + ctx->acregmax = HZ * result.uint_32; break; case Opt_acdirmax: ctx->acdirmax = HZ * result.uint_32; -- Gitee From ba271ca448e9b5eb4d0dd589bb44c1205ee91e5c Mon Sep 17 00:00:00 2001 From: Murad Masimov Date: Wed, 2 Apr 2025 15:10:47 +0800 Subject: [PATCH 2/2] cifs: Fix integer overflow while processing acdirmax mount option stable inclusion from stable-v6.6.84 commit 9e438d0410a4002d24f420f2c28897ba2dc0af64 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY44A CVE: CVE-2025-21963 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9e438d0410a4002d24f420f2c28897ba2dc0af64 -------------------------------- [ Upstream commit 5b29891f91dfb8758baf1e2217bef4b16b2b165b ] User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata") Signed-off-by: Murad Masimov Signed-off-by: Steve French Signed-off-by: Sasha Levin Signed-off-by: Li Lingfeng --- fs/smb/client/fs_context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 695a2a223f93..b3fb1db26eb3 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1269,11 +1269,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, ctx->acregmax = HZ * result.uint_32; break; case Opt_acdirmax: - ctx->acdirmax = HZ * result.uint_32; - if (ctx->acdirmax > CIFS_MAX_ACTIMEO) { + if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) { cifs_errorf(fc, "acdirmax too large\n"); goto cifs_parse_mount_err; } + ctx->acdirmax = HZ * result.uint_32; break; case Opt_actimeo: if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) { -- Gitee