From: Norbert Szetei <norbert@doyensec.com> mainline inclusion from mainline-v6.15-rc6 commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/10216 CVE: CVE-2025-37947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned. Cc: stable@vger.kernel.org Signed-off-by: Norbert Szetei <norbert@doyensec.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/smb/server/vfs.c fs/ksmbd/vfs.c [lc:file path is not same] Signed-off-by: XiongWei Yang <yangxiongwei6@huawei.com> Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/ksmbd/vfs.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c index 7fd796880c7c..9ad95009393a 100644 --- a/fs/ksmbd/vfs.c +++ b/fs/ksmbd/vfs.c @@ -425,6 +425,13 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos, goto out; } + if (v_len <= *pos) { + pr_err("stream write position %lld is out of bounds (stream length: %zd)\n", + *pos, v_len); + err = -EINVAL; + goto out; + } + if (v_len < size) { wbuf = kvmalloc(size, GFP_KERNEL | __GFP_ZERO); if (!wbuf) { -- 2.39.2