CVE-2026-31432: ksmbd: fix OOB write in QUERY_INFO for compound requests

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix OOB write in QUERY_INFO for compound requests

When a compound request such as READ + QUERY_INFO(Security) is received,
and the first command (READ) consumes most of the response buffer,
ksmbd could write beyond the allocated buffer while building a security
descriptor.

The root cause was that smb2_get_info_sec() checked buffer space using
ppntsd_size from xattr, while build_sec_desc() often synthesized a
significantly larger descriptor from POSIX ACLs.

This patch introduces smb_acl_sec_desc_scratch_len() to accurately
compute the final descriptor size beforehand, performs proper buffer
checking with smb2_calc_max_out_buf_len(), and uses exact-sized
allocation + iov pinning.

The Linux kernel CVE team has assigned CVE-2026-31432 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.12.81 with commit d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.18.22 with commit 075ea208c648cc2bcd616295b711d3637c61de45
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 6.19.12 with commit 515c2daab46021221bdf406bef19bc90a44ec617
	Issue introduced in 6.6 with commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d and fixed in 7.0 with commit fda9522ed6afaec45cabc198d8492270c394c7bc
	Issue introduced in 5.15.145 with commit f2283680a80571ca82d710bc6ecd8f8beac67d63
	Issue introduced in 6.1.71 with commit 9f297df20d93411c0b4ddad7f88ba04a7cd36e77

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-31432
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/smb/server/smb2pdu.c
	fs/smb/server/smbacl.c
	fs/smb/server/smbacl.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09
	https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45
	https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617
	https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc