* [PATCH] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
@ 2026-05-11 13:18 Ferry Meng
From: Ferry Meng @ 2026-05-11 13:18 UTC (permalink / raw)
To: Namjae Jeon, Steve French
Cc: Sergey Senozhatsky, Tom Talpey, Tristan Madani, linux-cifs,
linux-kernel, stable, Ferry Meng
Commit 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16
DACL size overflow") added check_add_overflow() guards that break out
of the ACE-building loops in set_posix_acl_entries_dacl() when the
accumulated DACL size would wrap past 65535.
However, each iteration allocates a struct smb_sid via kmalloc_obj()
at the top of the loop and relies on the kfree(sid) call at the end
of the loop body (the 'pass_same_sid' label in the first loop, and
the explicit kfree at the tail of the second loop) to release it.
The newly introduced 'break' statements bypass those kfree() calls,
leaking the sid buffer every time an overflow is detected.
A malicious or malformed file with enough POSIX ACL entries to trip
the overflow check will leak one or more struct smb_sid allocations
on every request that touches the file's DACL, providing a trivial
kernel memory exhaustion vector.
Free sid before breaking out of the loops to plug the leak.
Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow")
Cc: stable@vger.kernel.org
Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
---
fs/smb/server/smbacl.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index c1d1f34581d6..9161e9d7ed24 100644
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -643,8 +643,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
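Review bot: the overflow check stores its result back into `size` itself, so on the new `kfree(sid); break;` path `*size` is left holding the wrapped sum rather than the last DACL size that was known to fit; that behaviour predates this patch, but since the loop is exited right here it is worth confirming the caller never uses `*size` afterwards, or accumulating into a local (`u16 new_size;` then `check_add_overflow(*size, ace_sz, &new_size)`) so `*size` stays valid on the break path. The `kfree(sid)` itself matches the loop-tail cleanup the commit message describes.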
@@ -655,8 +657,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
0x03, pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
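Review bot: this hunk is the same two-line change as the first one, only with `flags` replaced by the literal `0x03`, yet the commit message describes two loops (the `pass_same_sid` cleanup in the first, the explicit kfree at the tail of the second) while the diff touches three break sites; stating which loop each of the three sites belongs to would let the stable backport be checked against the Fixes commit without reading the whole function.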
@@ -698,8 +702,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
ntace = (struct smb_ace *)((char *)pndace + *size);
ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
pace->e_perm, 0777);
- if (check_add_overflow(*size, ace_sz, size))
+ if (check_add_overflow(*size, ace_sz, size)) {
+ kfree(sid);
break;
+ }
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
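Review bot: freeing `sid` immediately after fill_ace_for_sid() has consumed it is only safe because that helper copies the SID into `ntace` rather than retaining the pointer, which the existing tail-of-loop kfree(sid) already relies on; a short comment at the break (for example `/* sid already copied into ntace */`) would make that explicit at all three sites. Since `(*num_aces)++` is skipped on this path, the ACE bytes already written at `pndace + *size` are not counted, which is consistent with the purpose of the check.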
--
2.43.5
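The leak the commit message describes, as an added user-space model that is not the kernel's code: `__builtin_add_overflow` stands in for check_add_overflow() (the kernel macro wraps that same builtin), a constructed counter `live_sids` stands in for a leak detector, and `struct sid`, `build_dacl` and `struct run` are assumed names. The `fix_leak` switch selects the pre-patch or patched break path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for struct smb_sid; only its allocation lifetime matters here. */
struct sid { uint32_t sub_auth[4]; };
/* Constructed instrumentation: sids allocated but not yet freed. */
static unsigned long live_sids;

static struct sid *sid_alloc(void)       /* kmalloc_obj() in the kernel */
{
	struct sid *s = calloc(1, sizeof(*s));
	if (s)
		live_sids++;
	return s;
}

static void sid_free(struct sid *s)      /* kfree() in the kernel */
{
	if (!s)
		return;
	live_sids--;
	free(s);
}

struct run { unsigned long leaked; unsigned num_aces; uint16_t size; };
/* Models the ACE-building loop of set_posix_acl_entries_dacl(): each entry
 * allocates a sid, emits an ACE of ace_sz bytes and adds it to the u16
 * running DACL size. fix_leak selects the pre-patch (false) or patched
 * (true) break path. Reports the ACE count, final size and leaked sids. */
static struct run build_dacl(unsigned nr_entries, uint16_t ace_sz, bool fix_leak)
{
	struct run r = { 0 };
	live_sids = 0;
	for (unsigned i = 0; i < nr_entries; i++) {
		struct sid *sid = sid_alloc();
		if (!sid)
			break;
		/* fill_ace_for_sid(ntace, sid, ...) would write the ACE here. */
		if (__builtin_add_overflow(r.size, ace_sz, &r.size)) {
			if (fix_leak)
				sid_free(sid);   /* the patch's added kfree(sid) */
			break;                   /* pre-patch: sid is lost here */
		}
		r.num_aces++;
		sid_free(sid);   /* the existing tail-of-loop kfree(sid) */
	}
	r.leaked = live_sids;
	return r;
}
```

With 1000-byte ACEs the 66th entry trips the check: the pre-patch path leaves one sid live per call, the patched path none, and `size` ends at the wrapped value 464 because the builtin writes the wrapped sum back into the same variable.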
* Re: [PATCH] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
From: Namjae Jeon @ 2026-05-12 0:32 UTC (permalink / raw)
To: Ferry Meng
Cc: Steve French, Sergey Senozhatsky, Tom Talpey, Tristan Madani,
linux-cifs, linux-kernel, stable
On Mon, May 11, 2026 at 10:18 PM Ferry Meng <mengferry@linux.alibaba.com> wrote:
>
> Commit 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16
> DACL size overflow") added check_add_overflow() guards that break out
> of the ACE-building loops in set_posix_acl_entries_dacl() when the
> accumulated DACL size would wrap past 65535.
>
> However, each iteration allocates a struct smb_sid via kmalloc_obj()
> at the top of the loop and relies on the kfree(sid) call at the end
> of the loop body (the 'pass_same_sid' label in the first loop, and
> the explicit kfree at the tail of the second loop) to release it.
> The newly introduced 'break' statements bypass those kfree() calls,
> leaking the sid buffer every time an overflow is detected.
>
> A malicious or malformed file with enough POSIX ACL entries to trip
> the overflow check will leak one or more struct smb_sid allocations
> on every request that touches the file's DACL, providing a trivial
> kernel memory exhaustion vector.
>
> Free sid before breaking out of the loops to plug the leak.
>
> Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow")
> Cc: stable@vger.kernel.org
> Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
Applied it to #ksmbd-for-next-next.
Thanks!