From: Michael Bommarito <michael.bommarito@gmail.com>
To: linux-cifs@vger.kernel.org, Namjae Jeon <linkinjeon@kernel.org>,
Steve French <smfrench@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>,
Tom Talpey <tom@talpey.com>,
stable@vger.kernel.org
Subject: [PATCH v2 0/2] ksmbd: harden ipc_validate_msg() and smb_check_perm_dacl()
Date: Wed, 15 Apr 2026 07:24:59 -0400
Message-ID: <20260415112501.116426-1-michael.bommarito@gmail.com>
In-Reply-To: <20260414191533.1467353-1-michael.bommarito@gmail.com>
Two ksmbd hardening patches, respun from v1 [PATCH 0/3] per Namjae's
review.

Patch 1 folds v1 1/3 and 2/3 into a single response-side validation
change in ipc_validate_msg().

Patch 2 is v1 3/3 unchanged (minimum ACE size in
smb_check_perm_dacl()). Please let me know if there's anything
on this 2/2 you want to think through or change.
Changes since v1
----------------
v1 -> v2:
- 1/3 + 2/3 folded into a single patch (1/2) per Namjae.
- Dropped the hard KSMBD_IPC_MAX_PAYLOAD (4096) cap on
RPC_REQUEST and SHARE_CONFIG_REQUEST response paths. A 4096
cap would regress NetShareEnumAll and other NDR enumerations
on servers with many shares -- userspace ksmbd-tools grows
the response buffer in 4096-byte chunks via g_try_realloc().
Use check_add_overflow() instead so functional payload size
is unconstrained but msg_sz cannot wrap unsigned int.
[Namjae]
- LOGIN_REQUEST_EXT keeps the [0, NGROUPS_MAX] bound (POSIX
semantic limit, not an IPC transport cap). Moved the
pr_err() into ipc_validate_msg() so the error is reported
at the IPC boundary. [Namjae]
- Removed the now-redundant ngroups check and pr_err() from
ksmbd_alloc_user() in mgmt/user_config.c. Both call sites
(ksmbd_login_user and the SPNEGO path in auth.c) reach
ksmbd_alloc_user() through ksmbd_ipc_login_request_ext(),
which now rejects negative ngroups at the IPC gate. [Namjae]
- SPNEGO_AUTHEN_REQUEST left untouched: session_key_len and
spnego_blob_len are both __u16 so their sum cannot wrap the
unsigned int msg_sz. [Namjae ack]
- 2/2 (smb_check_perm_dacl minimum ACE size) unchanged from
v1 3/3 -- no review yet.
Threading
---------
Sent --in-reply-to v1 [PATCH 0/3] cover
(Message-ID 20260414191533.1467353-1-michael.bommarito@gmail.com)
so v2 lives under the v1 thread.
Michael Bommarito (2):
ksmbd: validate response sizes in ipc_validate_msg()
ksmbd: require minimum ACE size in smb_check_perm_dacl()
fs/smb/server/mgmt/user_config.c | 6 ------
fs/smb/server/smbacl.c | 17 +++++++++++++----
fs/smb/server/transport_ipc.c | 16 +++++++++++++---
3 files changed, 26 insertions(+), 13 deletions(-)
--
2.53.0
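The size arithmetic the changelog describes (summing a header length and a userspace-supplied payload length into an unsigned int, where an unchecked sum can wrap to a small value that passes a later bounds check) is shown below as an added userspace C example. It is not code from the ksmbd patches or from ksmbd-tools: check_add_overflow() is stood in for by the same __builtin_add_overflow() builtin the kernel macro wraps, the header size KSMBD_IPC_MSG_HDR is a constructed value, and validate_msg_size() and validate_ngroups() are hypothetical names chosen for the example. The ngroups check mirrors the [0, NGROUPS_MAX] bound mentioned for LOGIN_REQUEST_EXT.

```c
/* Added example, not ksmbd code: why a header + payload length sum must be
 * overflow-checked before it is used as a message size, and why a signed
 * count from userspace needs a lower bound as well as an upper one. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's check_add_overflow(): evaluates to
 * true when a + b does not fit the type of *d (the kernel macro wraps
 * this same compiler builtin). */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Constructed header size for the example; not the real IPC header length. */
#define KSMBD_IPC_MSG_HDR 8u

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 65536 /* POSIX supplementary-group limit */
#endif

/* Unchecked: unsigned addition wraps modulo 2^32, so a payload length near
 * UINT_MAX yields a tiny msg_sz that any later "msg_sz <= buffer" test
 * would happily accept. */
static unsigned int naive_msg_size(unsigned int payload_sz)
{
	return KSMBD_IPC_MSG_HDR + payload_sz;
}

/* Hardened: leave the payload size unconstrained (no 4096 cap) but refuse
 * any message whose total size cannot be represented in unsigned int.
 * Returns false and leaves *msg_sz untouched on overflow. */
static bool validate_msg_size(unsigned int payload_sz, unsigned int *msg_sz)
{
	unsigned int sz;

	if (check_add_overflow(KSMBD_IPC_MSG_HDR, payload_sz, &sz))
		return false;
	*msg_sz = sz;
	return true;
}

/* ngroups arrives as a signed int; reject negatives (which would become a
 * huge count once used in unsigned allocation math) and values above the
 * POSIX limit. */
static bool validate_ngroups(int ngroups)
{
	return ngroups >= 0 && ngroups <= NGROUPS_MAX;
}

int main(void)
{
	unsigned int sz = 0;
	unsigned int big = UINT_MAX - 3; /* constructed hostile payload length */

	printf("naive  : payload %u -> msg_sz %u (wrapped)\n",
	       big, naive_msg_size(big));
	printf("checked: payload %u -> %s\n", big,
	       validate_msg_size(big, &sz) ? "accepted" : "rejected");
	printf("checked: payload 4096 -> %s, msg_sz %u\n",
	       validate_msg_size(4096, &sz) ? "accepted" : "rejected", sz);
	printf("ngroups -1 -> %s, 65537 -> %s\n",
	       validate_ngroups(-1) ? "accepted" : "rejected",
	       validate_ngroups(65537) ? "accepted" : "rejected");
	return 0;
}
```

The naive path is well-defined C (unsigned wraparound), which is exactly the problem: nothing traps, the bogus size simply flows onward. Moving the bound check to the boundary where the untrusted value enters, as the changelog does for both msg_sz and ngroups, means every downstream consumer sees an already-validated number.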