[PATCH] smb: client: use kzalloc to zero-initialize security descriptor buffer

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] smb: client: use kzalloc to zero-initialize security descriptor buffer
@ 2026-04-30  8:57 Bjoern Doebel
  0 siblings, 0 replies; only message in thread
From: Bjoern Doebel @ 2026-04-30  8:57 UTC (permalink / raw)
  To: sfrench
  Cc: Bjoern Doebel, stable, Paulo Alcantara, Ronnie Sahlberg,
	Shyam Prasad N, Tom Talpey, Bharath SM, Namjae Jeon,
	open list:COMMON INTERNET FILE SYSTEM CLIENT (CIFS and SMB3),
	moderated list:COMMON INTERNET FILE SYSTEM CLIENT (CIFS and SMB3),
	open list

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 reserved. The reserved field corresponds to Sbz2
in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a
kmalloc()'ed descriptor buffer and writing the fields explicitly using
le16() writes now. This never writes to the 2 byte reserved field,
leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage,
Samba rejects the security descriptor with "ndr_pull_security_descriptor
failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is
zero-initialized.

Fixes: 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16")
Cc: stable@vger.kernel.org

Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Assisted-by: Kiro:claude-opus-4.6
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
---
Tested using xfstests' generic/680 test on CIFS (Samba server
on localhost) with AL2023 ARM64 kernel 6.18.22 and 7.1.0-rc1.
Without the fix, the test fails after 10-40 iterations. With
the fix, we successfully completed 1,000 iterations.
---
 fs/smb/client/cifsacl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
index ec5d477793040..a2750f1e3d90b 100644
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1732,7 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
 	 * descriptor parameters, and security descriptor itself
 	 */
 	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
-	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
+	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
 	if (!pnntsd) {
 		kfree(pntsd);
 		cifs_put_tlink(tlink);
-- 
2.48.2

Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-04-30  8:57 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-30  8:57 [PATCH] smb: client: use kzalloc to zero-initialize security descriptor buffer Bjoern Doebel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox