From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8BD8030C15A; Thu, 2 Jul 2026 16:57:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011426; cv=none; b=Nd72ItcVVH7NsIH/S7SacsymUoJuODZYqFZ6OkJRmN4NeKMyVWrZQFqFxiFDNIUG1KV44CQH0cNREU+IRsoC8sHCosOI3SrJHHS6Mi6fJT9pn2q4kDIHqvRcKdTjBm74jT+wom45ZFEGmrvFi6ALOjo8GNWO7a6KnKKoADOy+nA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011426; c=relaxed/simple; bh=cpDfpQvOXXi5JkIXAXpcEuhMRJu8PrtNR3SitnMngDg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TVHKzqjLMAUU6PYlqqp7FQAIjRCeAF9aE+hI/sYCi0pnBvCEL5ZAcBAUHlSbbh7W0fEM8gGKEe+RKfYX9238KzQOIEdR3dfighi0M1jwtfOCyFl3Ktxzkvcs0OeE0x53oXL99yLtK0hLzXzUBINt0m2+iCtl/N2CzCVjHnA6ze8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=o4Q6+KOY; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="o4Q6+KOY" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BC6BC1F000E9; Thu, 2 Jul 2026 16:57:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783011425; bh=i4sz7qdozYsL0iity4mKznHnBftqFuZsyT5H04qKnps=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=o4Q6+KOY8Vf73egSOdII7nyzT8x/6uxZdy3CsGdZF6HeI3XpQenIYGxpDJlhluePN 5KE3PxJcRjRnRsf3Dgev757ZbQ8bNz14bqsQ2tmQ0ldeM+fhxlMRsJVifsA9rvsSuc 2iTCoChopy9bsJB9d3ICojZFER5XachUWqSjUZ6Q= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Hem Parekh , Namjae Jeon , Steve French Subject: [PATCH 6.18 105/108] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Date: Thu, 2 Jul 2026 18:21:42 +0200 Message-ID: <20260702155114.289636817@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155112.110058792@linuxfoundation.org> References: <20260702155112.110058792@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Hem Parekh commit 1ef06004ed4bd6d3ed8c840d9d1a376b66d4935b upstream. The permission-check ACE walk in smb_check_perm_dacl() validates the ACE header size and caps sid.num_subauth at SID_MAX_SUB_AUTHORITIES, but it never checks that ace->size is actually large enough to contain num_subauth sub-authorities before compare_sids() dereferences them. CIFS_SID_BASE_SIZE covers the SID header up to but excluding the sub_auth[] array, and offsetof(struct smb_ace, sid) is the ACE header, so the existing guards only guarantee the 8-byte SID base, i.e. zero sub-authorities. compare_sids() then reads ace->sid.sub_auth[i] for i < min(local_sid->num_subauth, ace->sid.num_subauth). The local comparison SIDs (sid_everyone, sid_unix_NFS_mode, and the id_to_sid() result) always have at least one sub-authority, and an attacker controls the ACE revision and authority bytes (which lie within the in-bounds SID base), so they can match one of those SIDs and force the sub_auth read. A crafted ACE with size == 16 and num_subauth >= 1 placed at the tail of the security descriptor therefore causes a heap out-of-bounds read of up to SID_MAX_SUB_AUTHORITIES * sizeof(__le32) bytes past the pntsd allocation. The security descriptor is loaded by ksmbd_vfs_get_sd_xattr() into a buffer sized exactly to the on-disk data (kzalloc(sd_size) in ndr_decode_v4_ntacl()), so the read lands past the allocation. The malformed descriptor can be stored verbatim via SMB2_SET_INFO (the DACL is not normalised before being written to the security.NTACL xattr) and the read fires on a subsequent SMB2_CREATE access check, making this reachable by an authenticated client on a share that uses ACL xattrs. Add the missing num_subauth-versus-ace_size check, mirroring the identical guards already present in the sibling parsers parse_dacl() and smb_inherit_dacl(). Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()") Cc: stable@vger.kernel.org Signed-off-by: Hem Parekh Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/smb/server/smbacl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -1480,7 +1480,9 @@ int smb_check_perm_dacl(struct ksmbd_con break; aces_size -= ace_size; - if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) + if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || + ace_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE + + sizeof(__le32) * ace->sid.num_subauth) break; if (!compare_sids(&sid, &ace->sid) ||