From: Stefan Metzmacher metze@samba.org
[ Upstream commit 9219f8cac296769324bbe8a28c289586114244c4 ]
This simplifies further changes...
Cc: Steve French smfrench@gmail.com Cc: Tom Talpey tom@talpey.com Cc: Long Li longli@microsoft.com Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Acked-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Stefan Metzmacher metze@samba.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## Backport Determination: **YES**
Based on my comprehensive analysis of this commit and the surrounding SMBDirect subsystem, this commit **should be backported** to stable kernel trees.
### Detailed Analysis
#### **1. Nature of the Fix**
This commit addresses a **resource exhaustion vulnerability** in the SMBDirect client code. The vulnerability occurs because `receive_credit_target` is set directly from untrusted network data without bounds checking:
**Vulnerable code locations (fs/smb/client/smbdirect.c):** - Line 350: `info->receive_credit_target = le16_to_cpu(packet->credits_requested);` - Line 522: `info->receive_credit_target = le16_to_cpu(data_transfer->credits_requested);`
#### **2. Security Impact**
**Exploit Scenario:** A malicious SMB server can send a `credits_requested` value of up to 65535 (max u16 value). This unbounded value is then used in the credit posting loop (lines 413-430):
```c if (info->receive_credit_target > atomic_read(&info->receive_credits)) { while (true) { response = get_receive_buffer(info); if (!response) break; rc = smbd_post_recv(info, response); ... } } ```
**Consequences:** - **Memory exhaustion**: Attempting to allocate 65535 receive buffers could exhaust kernel memory - **Hardware limit violations**: RDMA hardware has limits (max_cqe, max_qp_wr) that could be exceeded, causing failures - **Denial of service**: System instability or connection failures - **Type mismatch**: Using `int` instead of `u16` for a protocol field can cause subtle bugs
#### **3. The Fix**
The commit implements three protections:
1. **Upper bound check**: `min_t(u16, info->receive_credit_target, sp->recv_credit_max)` - Limits to `recv_credit_max` (default 255, validated against hardware limits at line 1578-1584)
2. **Lower bound check**: `max_t(u16, info->receive_credit_target, 1)` - Prevents zero or negative values that could break protocol logic
3. **Type correction**: Changes `int receive_credit_target` to `u16 receive_credit_target` - Matches the wire protocol specification (le16) - Prevents sign-related bugs
#### **4. Part of Comprehensive Security Hardening**
This commit is one of **160+ commits** by Stefan Metzmacher (Samba team) hardening the SMBDirect code. Related security fixes include:
- `f57e53ea25236`: "let recv_done verify data_offset, data_length and remaining_data_length" (with `Fixes: f198186aa9bb` tag) - Multiple memory leak fixes in error paths - Improved synchronization and error handling
The commit message mentions this is part of a larger effort: "This simplifies further changes..."
#### **5. Backport Suitability**
✅ **Fixes important bug**: Resource exhaustion vulnerability ✅ **Small and contained**: Only 9 lines changed across 2 files ✅ **No architectural changes**: Simple bounds checking addition ✅ **Minimal regression risk**: Defensive check that only restricts invalid values ✅ **No dependencies**: Standalone fix, doesn't require other commits ✅ **Subsystem isolation**: Confined to SMBDirect client code ✅ **Already being backported**: Found evidence in linux tree with "Signed-off-by: Sasha Levin sashal@kernel.org"
#### **6. Risk Assessment**
**Low Risk:** - The changes only add validation to untrusted input - Well-behaved servers will not be affected (they shouldn't request more than the negotiated maximum anyway) - The bounds are based on validated local configuration and hardware capabilities - Type change from `int` to `u16` is safe (values are always from `le16_to_cpu()`)
**No identified follow-up fixes or reverts** in the git history.
### Conclusion
This is a **security hardening fix** that prevents resource exhaustion attacks from malicious SMB servers. It follows stable kernel rules perfectly: it's an important bugfix with minimal risk and no architectural changes. The fix is part of a comprehensive security review of the SMBDirect subsystem by experienced Samba developers.
**Recommendation: Backport to all applicable stable trees supporting SMBDirect (Linux 4.11+)**
fs/smb/client/smbdirect.c | 7 ++++++- fs/smb/client/smbdirect.h | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c index c9375dc11f634..3fc5d2cebea5d 100644 --- a/fs/smb/client/smbdirect.c +++ b/fs/smb/client/smbdirect.c @@ -348,6 +348,7 @@ static bool process_negotiation_response( return false; } info->receive_credit_target = le16_to_cpu(packet->credits_requested); + info->receive_credit_target = min_t(u16, info->receive_credit_target, sp->recv_credit_max);
if (packet->credits_granted == 0) { log_rdma_event(ERR, "error: credits_granted==0\n"); @@ -456,7 +457,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) struct smbdirect_socket_parameters *sp = &sc->parameters; struct smbd_connection *info = container_of(sc, struct smbd_connection, socket); - int old_recv_credit_target; + u16 old_recv_credit_target; u32 data_offset = 0; u32 data_length = 0; u32 remaining_data_length = 0; @@ -522,6 +523,10 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) old_recv_credit_target = info->receive_credit_target; info->receive_credit_target = le16_to_cpu(data_transfer->credits_requested); + info->receive_credit_target = + min_t(u16, info->receive_credit_target, sp->recv_credit_max); + info->receive_credit_target = + max_t(u16, info->receive_credit_target, 1); if (le16_to_cpu(data_transfer->credits_granted)) { atomic_add(le16_to_cpu(data_transfer->credits_granted), &info->send_credits); diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h index e45aa9ddd71da..d0f734afd4fb1 100644 --- a/fs/smb/client/smbdirect.h +++ b/fs/smb/client/smbdirect.h @@ -63,7 +63,7 @@ struct smbd_connection { int protocol; atomic_t send_credits; atomic_t receive_credits; - int receive_credit_target; + u16 receive_credit_target;
/* Memory registrations */ /* Maximum number of RDMA read/write outstanding on this connection */