Commit 02c4b4f2 authored by Murad Masimov, committed by Li Lingfeng

cifs: Fix integer overflow while processing acregmax mount option

stable inclusion
from stable-v6.6.84
commit 0252c33cc943e9e48ddfafaa6b1eb72adb68a099
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY42B
CVE: CVE-2025-21964

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0252c33cc943e9e48ddfafaa6b1eb72adb68a099



--------------------------------

[ Upstream commit 7489161b1852390b4413d57f2457cd40b34da6cc ]

User-provided mount parameter acregmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 57804646 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
parent 75db7d4f
+2 −2
@@ -1262,11 +1262,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
		}
		break;
	case Opt_acregmax:
		ctx->acregmax = HZ * result.uint_32;
		if (ctx->acregmax > CIFS_MAX_ACTIMEO) {
		if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
			cifs_errorf(fc, "acregmax too large\n");
			goto cifs_parse_mount_err;
		}
		ctx->acregmax = HZ * result.uint_32;
		break;
	case Opt_acdirmax:
		ctx->acdirmax = HZ * result.uint_32;
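
Review bot: the Opt_acdirmax case in the trailing context still computes `ctx->acdirmax = HZ * result.uint_32;` before any bound check, which is the same multiply-then-validate order this hunk removes for acregmax. If that assignment is followed by a comparison against CIFS_MAX_ACTIMEO, a large user-supplied value can wrap in the multiplication and pass the check, so the same reordering should be applied there: compare `result.uint_32` against `CIFS_MAX_ACTIMEO / HZ` first, then assign. Any other option in this switch that scales a user value by HZ before validating it deserves the same look. A one-line comment above the new comparison saying the division is deliberate would help keep the check from being rewritten back into a multiplication later.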