Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2225231/?format=api
{ "id": 2225231, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225231/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420144747.662761-1-michael.bommarito@gmail.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260420144747.662761-1-michael.bommarito@gmail.com>", "date": "2026-04-20T14:47:47", "name": "smb: client: validate dacloffset before building DACL pointers", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "bf8c78a79796a7c4721c1ed0eb9059347bd321cd", "submitter": { "id": 93078, "url": "http://patchwork.ozlabs.org/api/1.1/people/93078/?format=api", "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420144747.662761-1-michael.bommarito@gmail.com/mbox/", "series": [ { "id": 500640, "url": "http://patchwork.ozlabs.org/api/1.1/series/500640/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500640", "date": "2026-04-20T14:47:47", "name": "smb: client: validate dacloffset before building DACL pointers", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500640/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225231/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225231/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-10942-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=hJtZKKAh;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10942-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"hJtZKKAh\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.160.173", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzs6L0ZnKz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 02:54:50 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2968B35C0288\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 15:11:28 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id BFF0E29D281;\n\tMon, 20 Apr 2026 14:48:04 +0000 (UTC)", "from mail-qt1-f173.google.com (mail-qt1-f173.google.com\n [209.85.160.173])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 480D7292918\n\tfor <linux-cifs@vger.kernel.org>; Mon, 20 Apr 2026 14:48:03 +0000 (UTC)", "by mail-qt1-f173.google.com with SMTP id\n d75a77b69052e-50baafd6c4aso37011831cf.1\n for <linux-cifs@vger.kernel.org>;\n Mon, 20 Apr 2026 07:48:03 -0700 (PDT)", "from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n d75a77b69052e-50e39495192sm85384781cf.27.2026.04.20.07.48.00\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 20 Apr 2026 07:48:01 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776696484; cv=none;\n b=F9EeQaAJXrxrbPbT0WKcSsGEU6iPnZLP/M6WJCJtsqoO8AvhJ8BKo5xRikWdhF/m1X0DULr38ZeJn96HM8aE/Hy1UfHzWieYKRoarqRKQx9jB1FcgB2pz5iC/7PrXSv5KSA7UCyj6o9LU1PbShqzzT9edp4x664a0KITL18/L9Q=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776696484; c=relaxed/simple;\n\tbh=248LEv+sRvAPKQEXTiDFIqrD1Z8GTMB8AFG3XTGI1w8=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=aG7eHBFgI8hS9hGQhCsZG4yJ8+0uXra/mis97+zqiRw1C3iviwkRtIUNuUlrWx1Eq4XrrlZ5/r+b67p9VBGqcfJIrfBjZBNvSS0VS/8d7wnJvDIu5LwLFlAdk1ntvUWHpTFp8vjSY85HOAZm21kcBJPmv39Mpnb1seCTwUUparE=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=hJtZKKAh; arc=none smtp.client-ip=209.85.160.173", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776696482; x=1777301282;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=gONB6BslV1gZB8sBPqe9TWmoGjs9CoGOCXEnrliVxGA=;\n b=hJtZKKAh4HinATYR9azugKKRHDVQVJIkh+8ggcFCTpetQxrZa0/tquKBacNPzjgXSM\n EBHYfW8rZOBYqn2UMDxMyVUMqJavPneL6HTlFC9FYi4ppt2bQHF0enOvYh1aOZSfhUfu\n w6fgsq4qlL411VoRhFGI7UXeKz4WsoMn9crsxxtFRspeFQSTsZERMNZ8sqFTTnYhnFN/\n pCWGhecZmsh2NqxC2buX0ZKqtfM6M8AFMlqVHifaZH2DJ6EdJuKtJpyn7wzADFnd0mx6\n 5SiQXTfTbZywd9RvTmvAL6UgA4ZTFfyou93F7w+GUBaoBYaKn8RKSjOz3XGdo6YjiiO4\n 6+Hg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776696482; x=1777301282;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=gONB6BslV1gZB8sBPqe9TWmoGjs9CoGOCXEnrliVxGA=;\n b=JQgCPA4Lw8mWf0VRPEelwC8w07gcmWvxpQoeBvljD/INSw5WDFexVvM3EPJxu9OSla\n vnR2uiDZ9pryHOK9TRr1DJ20RetfbNcTW/oWbjcRdHqJDtJnQnqCQKhbU9tJuKGX4IG2\n j3P2VXExYdmym6TUaXdS8sGiMuN4BYqDOiVu6SkpJwZW31SkwuNvI00Hg8Uu849ZVcp2\n 2ft7xqxlhrPkXPutH6zJ9/SjZWgN704MEsnnsL1E9iwfu4ag+x0yexBNFD8goa2Q8cCH\n MgEJ64GtDq5rqhlufjWwDpZ6Jw9DV/1+Csm5+zjVW3KGkxRSY+Sj1eh/r29eW7FOz1CP\n ZOwQ==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ877pwTHHzi0mQU7Adzzch0Mdvh7wi2D1DB3bUD51Py4fxdfsLSmSaMDzBW1IVwxwV2PBA/sBSl2koi@vger.kernel.org", "X-Gm-Message-State": "AOJu0YysFEJGXR5uvKmLdBrxRvdJYQuGSzmIomrdGJ2FBp6FbYd+4eKW\n\t8JbBJv/ms+/FjAgSBvHWN2NtQsZkmxodWFhKfHZl5BfCuJtAVBN4IFwA", "X-Gm-Gg": "AeBDieuhq3xUg5ZKRsmFEAt3aAp0lmoV+vZ7Ih0jQrODJPzK+dKpb3RCVkDQskvaZFi\n\ts0fnc369xH80I8jiHJ6VDoBiRjLjYdVguJc6jsiJNiIMH4pNn3BwgBLyVXr8BYM6gd66kYXN/CG\n\t8QQeauFbfC0ArN1FSBGndMfdwzFaCsRPldUrT8RiK07QSHPzDjPC3kSra0xyMT9b1uoVGZqET2w\n\tXzqhPHWLf50/6Ol6p8r3nJNrd79dzgHM4TrkGYrWbvDzRamAcwJKMOgyEVZ2TXK6QoVCxLBm75H\n\tQyOazeR8ksBlSQYmXKg6dI7excJVLziBrN58r/veRdb5m0Ubp6dkvJyGu/XjZWn7tFUITGJYIw/\n\tihfSnvlDkep9MI9LFsEgGmlkap2BCDiq8DUGVqNx2IOFwnGkRRQarpyChzTLj1STK4qN+lD80h3\n\tp2HDBu/JH8tc3piMKiDW0t6S3NptFHcyAziKbbn2CIJjz/Zjg/clUQ6tKkg27AfbIzPaK6J2/Hb\n\tszXru0M5FdopwHhTh7pj7WNg38/Wx8=", "X-Received": "by 2002:a05:622a:8404:10b0:50e:57de:40d7 with SMTP id\n d75a77b69052e-50e57de4894mr54079011cf.19.1776696482038;\n Mon, 20 Apr 2026 07:48:02 -0700 (PDT)", "From": "Michael Bommarito <michael.bommarito@gmail.com>", "To": "Steve French <sfrench@samba.org>,\n\tNamjae Jeon <linkinjeon@kernel.org>,\n\tlinux-cifs@vger.kernel.org", "Cc": "Paulo Alcantara <pc@manguebit.org>,\n\tRonnie Sahlberg <ronniesahlberg@gmail.com>,\n\tShyam Prasad N <sprasad@microsoft.com>,\n\tTom Talpey <tom@talpey.com>,\n\tBharath SM <bharathsm@microsoft.com>,\n\tsamba-technical@lists.samba.org,\n\tlinux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org", "Subject": "[PATCH] smb: client: validate dacloffset before building DACL\n pointers", "Date": "Mon, 20 Apr 2026 10:47:47 -0400", "Message-ID": "<20260420144747.662761-1-michael.bommarito@gmail.com>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "parse_sec_desc(), build_sec_desc(), and the chown path in\nid_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd\nbefore proving a DACL header fits inside the returned security\ndescriptor.\n\nOn 32-bit builds a malicious server can return dacloffset near\nU32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip\npast the later pointer-based bounds checks. build_sec_desc() and\nid_mode_to_cifs_acl() can then dereference DACL fields from the wrapped\npointer in the chmod/chown rewrite paths.\n\nValidate dacloffset numerically before building any DACL pointer and\nreuse the same helper at the three DACL entry points.\n\nFixes: bc3e9dd9d104 (\"cifs: Change SIDs in ACEs while transferring file ownership.\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\nThis applies on top of\n\n [PATCH v2] smb: client: validate the whole DACL before rewriting it\n in cifsacl\n https://lore.kernel.org/linux-cifs/20260420001131.2865776-1-michael.bommarito@gmail.com/\n\nso that the new dacl_offset_valid() numeric precheck sits upstream of\nthat series' validate_dacl() structural check at all three call sites.\nThe two patches are independent fixes for different bug classes on the\nsame three entry points; applying this one without the KCIFS2 v2 patch\nfirst will fail on the build_sec_desc() hunk because the trailing\ncontext line \"rc = validate_dacl(dacl_ptr, end_of_acl)\" only exists\nafter v2. If you prefer a different ordering, happy to reroll on a\nplain mainline base instead.\n\n fs/smb/client/cifsacl.c | 35 ++++++++++++++++++++++++++++++++---\n 1 file changed, 32 insertions(+), 3 deletions(-)", "diff": "diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c\nindex cb4060ba5e31..87d2a58fc8b4 100644\n--- a/fs/smb/client/cifsacl.c\n+++ b/fs/smb/client/cifsacl.c\n@@ -1263,6 +1263,17 @@ static int parse_sid(struct smb_sid *psid, char *end_of_acl)\n \treturn 0;\n }\n \n+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)\n+{\n+\tif (acl_len < sizeof(struct smb_acl))\n+\t\treturn false;\n+\n+\tif (dacloffset < sizeof(struct smb_ntsd))\n+\t\treturn false;\n+\n+\treturn dacloffset <= acl_len - sizeof(struct smb_acl);\n+}\n+\n \n /* Convert CIFS ACL to POSIX form */\n static int parse_sec_desc(struct cifs_sb_info *cifs_sb,\n@@ -1283,7 +1294,6 @@ static int parse_sec_desc(struct cifs_sb_info *cifs_sb,\n \tgroup_sid_ptr = (struct smb_sid *)((char *)pntsd +\n \t\t\t\tle32_to_cpu(pntsd->gsidoffset));\n \tdacloffset = le32_to_cpu(pntsd->dacloffset);\n-\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n \tcifs_dbg(NOISY, \"revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\\n\",\n \t\t pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),\n \t\t le32_to_cpu(pntsd->gsidoffset),\n@@ -1314,11 +1324,18 @@ static int parse_sec_desc(struct cifs_sb_info *cifs_sb,\n \t\treturn rc;\n \t}\n \n-\tif (dacloffset)\n+\tif (dacloffset) {\n+\t\tif (!dacl_offset_valid(acl_len, dacloffset)) {\n+\t\t\tcifs_dbg(VFS, \"Server returned illegal DACL offset\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\n+\t\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n \t\tparse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,\n \t\t\t group_sid_ptr, fattr, get_mode_from_special_sid);\n-\telse\n+\t} else {\n \t\tcifs_dbg(FYI, \"no ACL\\n\"); /* BB grant all or default perms? */\n+\t}\n \n \treturn rc;\n }\n@@ -1341,6 +1358,11 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,\n \n \tdacloffset = le32_to_cpu(pntsd->dacloffset);\n \tif (dacloffset) {\n+\t\tif (!dacl_offset_valid(secdesclen, dacloffset)) {\n+\t\t\tcifs_dbg(VFS, \"Server returned illegal DACL offset\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\n \t\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n \t\trc = validate_dacl(dacl_ptr, end_of_acl);\n \t\tif (rc)\n@@ -1709,6 +1731,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,\n \t\tnsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2);\n \t\tdacloffset = le32_to_cpu(pntsd->dacloffset);\n \t\tif (dacloffset) {\n+\t\t\tif (!dacl_offset_valid(secdesclen, dacloffset)) {\n+\t\t\t\tcifs_dbg(VFS, \"Server returned illegal DACL offset\\n\");\n+\t\t\t\trc = -EINVAL;\n+\t\t\t\tgoto id_mode_to_cifs_acl_exit;\n+\t\t\t}\n+\n \t\t\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n \t\t\trc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);\n \t\t\tif (rc) {\n@@ -1751,6 +1779,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,\n \t\trc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);\n \t\tcifs_dbg(NOISY, \"set_cifs_acl rc: %d\\n\", rc);\n \t}\n+id_mode_to_cifs_acl_exit:\n \tcifs_put_tlink(tlink);\n \n \tkfree(pnntsd);\n", "prefixes": [] }