GET

Cover Letter Detail

Show a cover letter.

GET /api/covers/2223245/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2223245,
    "url": "http://patchwork.ozlabs.org/api/covers/2223245/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260414191533.1467353-1-michael.bommarito@gmail.com/",
    "project": {
        "id": 12,
        "url": "http://patchwork.ozlabs.org/api/projects/12/?format=api",
        "name": "Linux CIFS Client",
        "link_name": "linux-cifs-client",
        "list_id": "linux-cifs.vger.kernel.org",
        "list_email": "linux-cifs@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260414191533.1467353-1-michael.bommarito@gmail.com>",
    "list_archive_url": null,
    "date": "2026-04-14T19:15:30",
    "name": "[0/3] ksmbd: harden IPC response arithmetic and ACE walk",
    "submitter": {
        "id": 93078,
        "url": "http://patchwork.ozlabs.org/api/people/93078/?format=api",
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com"
    },
    "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260414191533.1467353-1-michael.bommarito@gmail.com/mbox/",
    "series": [
        {
            "id": 499887,
            "url": "http://patchwork.ozlabs.org/api/series/499887/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499887",
            "date": "2026-04-14T19:15:31",
            "name": "ksmbd: harden IPC response arithmetic and ACE walk",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/499887/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/covers/2223245/comments/",
    "headers": {
        "Return-Path": "\n <linux-cifs+bounces-10817-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-cifs@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=scTvEk2p;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10817-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"scTvEk2p\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.219.42",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwDbD6bDbz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 05:18:48 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id A7092304753B\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 19:15:39 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 34445299A8F;\n\tTue, 14 Apr 2026 19:15:39 +0000 (UTC)",
            "from mail-qv1-f42.google.com (mail-qv1-f42.google.com\n [209.85.219.42])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id BEE62282F25\n\tfor <linux-cifs@vger.kernel.org>; Tue, 14 Apr 2026 19:15:37 +0000 (UTC)",
            "by mail-qv1-f42.google.com with SMTP id\n 6a1803df08f44-899a9f445cbso67115936d6.0\n        for <linux-cifs@vger.kernel.org>;\n Tue, 14 Apr 2026 12:15:37 -0700 (PDT)",
            "from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])\n        by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8aca478a70csm77229126d6.27.2026.04.14.12.15.34\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Tue, 14 Apr 2026 12:15:35 -0700 (PDT)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776194139; cv=none;\n b=ohk2vR0oPsfSsaT5yJ69Qo99uyy8A+00nOa7ie2lAMgwaLx0J0lPTs2lLbskmX1QGkClp1Kh00NwCl2dZzS+3lX4F+jWKZuXVpcg4Ql+CUOOVwBkUb8itd1RieBhHx+hihj70SsNEqimmn+lnn1nTEkk8sY0ZIbJIyBCPuz04EQ=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776194139; c=relaxed/simple;\n\tbh=OP+X7N1cl7Z1dU4RmWLJlo1ZnQ+9ylvjg9Rirta7jeA=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=kueT/xM+EaHRL9jja63Bc1vwrcSthq27G15D2Oav0GMaHc/9go680kS5Hvs1jEaXHLfJzNvsanN5o8UY3eDvNfwMOeD0n3dT/VXTI22pyeSGEm+z0XXwSxozD2wn87zE3TpCm7dT3t+pZG3+bvtU/FZD5vm8xaFbRGo4zsBwEac=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=scTvEk2p; arc=none smtp.client-ip=209.85.219.42",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1776194136; x=1776798936;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=PMAOyE6FGPQM6cNvFV9IHH4uR3bD/7YSN/uFIDfWSw0=;\n        b=scTvEk2psCGOW5h0gXFD5MCUvasgzC5B73AkuRoMlZnTwKEMFScUUspwNj+jY26HPy\n         wuwCSpDSLj44tKQiHYwV5M0slmZ9nSSpyOpm8Wn/x8xR6+A8HTqhHQNFFn9SUKj6woE1\n         D+hWO4SOaZnUtpiXZa0JDw77rd6RXDBe6gjBMC0gGpqzn2blKyyKl4AsTghHP8VTIf19\n         SoegTVAm6eKjABnhI8pRsttswReRpLB4tizaRw2ib9XKbt7OOaGUO4iFecxpc9iHLfJ1\n         3mpS9+x1eIEwaR2GzrhGIiSYN1ju/GOEvKLbaXBKjUOuOwyh7JT7S9dk0F2b86sbAkeu\n         yySQ==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1776194136; x=1776798936;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=PMAOyE6FGPQM6cNvFV9IHH4uR3bD/7YSN/uFIDfWSw0=;\n        b=deNu4GhTVG6DhkCf8hzalnpFCwMdb6sQOWQtmKKn+r1qYUGZU8y0+YRvofowMqXgqW\n         1KugjMG6WU/l7CxBMv2IrnMToIzGO46sxgQkeKk9pAUHd0XvxHE4drrGJ4YYdf9DYNWI\n         A5E1+1lfHjM2vNOzJ4lfvL4LLHkhZse3VcsGp8IsLpSVSLHEi53Q7RWhqmbzNddY+DOc\n         3zGvU4MRHBNak9KpT/tTVLkztt28WUG/36hCu+/KdWGn1wOs3MzolRkH/hc0i6qN4rkK\n         T6SEalUxAw8+V1qLa6kCfar8A/yxuh5foILDm9hhvi47sHtuUzsFNUkVt2CpDBFy8pld\n         Ni9g==",
        "X-Gm-Message-State": "AOJu0YxTtPcac3JGnTCHB3yeaFX6vIC3n7Ab2ZEzwrqJUU98Q4cBkw76\n\tJmpPe5BceKqvnFhgmb5GmNdX0mPwCSqaj14/wfzIaYS6GXfPnpVpMxljpdBs3QPu",
        "X-Gm-Gg": "AeBDieunIgDN3BG0ZnrRtTrB8nQmiFZEZz5hHKZ5goHtRuEV2Sn39K7/pmZfKItz19b\n\tSMwOUPRcYw2Ujkpni1oVk+R+uSm7eEZdZ0Hh6DCCFrL4vQzx9WBI9vFux3Gu3Pluo/ky7UF9RmS\n\thI4FDFvgKdtD3xzr1qy5JLFBWYcw5WjqCfbspPjh3w/zngcmHZXxb62oKiaaJZ9x7Hc9zyHfswd\n\tey6kQ2/xLjnJqnrh4VPeZJy17Fjek6b9y0W1D5x+5W4OTJN0x2OSfYV9EfZqcwDHMds6A6mq5tg\n\tHqEQHQOG8uodvSAeb7tdkqOyS/YgWI2a+k7bKluqDTDx9ioIE80hHkFdne4iPoVeXk2IwMtl3Ar\n\t+PTZG9YAvi1y2UJvM6Pq/NijIxHWZs8tMR9C9gzj/5Is6jX5uOX4Ajc5pAnN1D6wnFKaSR3uQ6/\n\t0x4vybT5A2xLrm7EsZhdejednOzTVFGe8bikFMxkfd+h79lIQLr0te7dlyelSUfRFV9i8Orlija\n\tpBdgVLTWSNsLSRcvuc8Hmic2GeqKWloe+6toFp37g==",
        "X-Received": "by 2002:a05:6214:2024:b0:8a3:7d76:6a6f with SMTP id\n 6a1803df08f44-8ac8616001dmr308462016d6.5.1776194135984;\n        Tue, 14 Apr 2026 12:15:35 -0700 (PDT)",
        "From": "Michael Bommarito <michael.bommarito@gmail.com>",
        "To": "linux-cifs@vger.kernel.org,\n\tNamjae Jeon <linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>",
        "Cc": "Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tstable@vger.kernel.org",
        "Subject": "[PATCH 0/3] ksmbd: harden IPC response arithmetic and ACE walk",
        "Date": "Tue, 14 Apr 2026 15:15:30 -0400",
        "Message-ID": "<20260414191533.1467353-1-michael.bommarito@gmail.com>",
        "X-Mailer": "git-send-email 2.53.0",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-cifs@vger.kernel.org",
        "List-Id": "<linux-cifs.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "Hi,\n\nThree ksmbd patches: two hardening fixes for the kernel <-> mountd\nIPC arithmetic, plus one authenticated OOB-read fix in the DACL\nACE walker.  All three reproduced under UML + KASAN on v7.0-rc7.\nPatch 3 reproduces end-to-end over loopback SMB2 from a guest\nclient against UML ksmbd + ksmbd.mountd:\n\n  pre-fix:\n    BUG: KASAN: slab-out-of-bounds in compare_sids+0x2b1/0x440\n     compare_sids\n     smb_check_perm_dacl+0x4fe/0x11a0\n     smb2_open+0x4eb2/0xad50\n     handle_ksmbd_work+0x3d3/0x1140\n    \"The buggy address is located 4 bytes to the right of\n    allocated 32-byte region\" with the allocation trace pointing\n    at ndr_decode_v4_ntacl() reading the stored xattr.\n  post-fix:\n    CREATE returns STATUS_ACCESS_DENIED; no KASAN splat; granted\n    bits stay at 0 because the tightened bound rejects ace_size=4\n    before compare_sids is called.\n\nPatches 1 and 2 reproduced with in-kernel synthetic triggers that\nhand ipc_validate_msg() a response with a wrap-matching size:\n\n  patch 1 (RPC_REQUEST payload_sz):\n    pre-fix  returns 0 (u32 wrap bypass)\n    post-fix returns -EINVAL (payload_sz > KSMBD_IPC_MAX_PAYLOAD)\n\n  patch 1 + 2 (LOGIN_REQUEST_EXT ngroups=-1):\n    pre-fix  returns 0 (signed->size_t wrap matches msg_sz)\n    post-fix returns -EINVAL (explicit ngroups<0 gate)\n\nSame threat model as the earlier hardening commits aab98e2dbd64\n(\"ksmbd: fix integer overflows on 32 bit systems\") and 6f40e50ceb99\n(\"ksmbd: transport_ipc: validate payload size before reading\nhandle\"): the kernel should not trust arithmetic on attacker-\ncontrolled fields even when those fields come from a cooperating\nroot daemon or an authenticated client writing an xattr.\n\nPatch 1/3 caps the attacker-controlled fields in ipc_validate_msg()\nagainst the existing KSMBD_IPC_MAX_PAYLOAD / NGROUPS_MAX bounds\nbefore they feed the size-computation arithmetic.  Three cases:\n\n  - KSMBD_EVENT_RPC_REQUEST: sizeof(struct) + resp->payload_sz\n    (__u32) can wrap in unsigned int; downstream consumer at\n    smb2pdu.c:6742 uses rpc_resp->payload_sz for a memcpy.  Cap\n    payload_sz against KSMBD_IPC_MAX_PAYLOAD, matching the\n    request-side cap in aab98e2dbd64.\n  - KSMBD_EVENT_SHARE_CONFIG_REQUEST: sizeof(struct) +\n    resp->payload_sz same class; same cap.\n  - KSMBD_EVENT_LOGIN_REQUEST_EXT: resp->ngroups is __s32 signed,\n    so the existing > NGROUPS_MAX comparison at user_config.c:59\n    misses negative values, and the mul sizeof(gid_t) mixes signed\n    and size_t in a surprising way.  Reject ngroups outside the\n    signed [0, NGROUPS_MAX] range up front.\n\nPatch 2/3 fixes user_config.c so ksmbd_alloc_user() also rejects\nnegative ngroups explicitly, independent of ipc_validate_msg.\n\nPatch 3/3 tightens bounds checking in smb_check_perm_dacl()'s two\nACE-walk loops.  Today they only require the 4-byte ACE header to\nfit in the remaining DACL buffer; an attacker-declared ace->size\nof 4 passes both guards, after which the loop reads access_req\n(offset 4) and ace->sid (offset 8+) past the real buffer.\nparse_sec_desc() already performs an equivalent check; this patch\nbrings smb_check_perm_dacl() up to the same bar.\n\nPractical exploitation of patches 1-2 is narrow: the wrap-bypass\nrequires ksmbd.mountd to send a response crafted around the wrapped\nsize while preserving consistent field values, and the downstream\nkvmalloc almost always fails for u32-wrap sizes.  Patch 3 is\nreachable post-auth by any client that can SET an ACL and then\nOPEN the affected file.\n\nThe patch 3 exploit chain is authenticated but otherwise untrusted:\nguest session -> TREE_CONNECT -> CREATE evil.dat -> SET_INFO with a\ncrafted security descriptor (one ACE with size=4) -> close -> re-open\nthe file, which triggers smb_check_perm_dacl() in smb2_open().  The\nmalformed SD is accepted by SET_INFO without validation on the write\nside; parsing happens on the next open.\n\nInstrumentation, triggers, client, and both console logs are\navailable on request.\n\nMichael Bommarito (3):\n  ksmbd: cap response sizes in ipc_validate_msg()\n  ksmbd: reject negative ngroups in ksmbd_alloc_user()\n  ksmbd: require minimum ACE size in smb_check_perm_dacl()\n\n fs/smb/server/mgmt/user_config.c |  2 +-\n fs/smb/server/smbacl.c           | 17 +++++++++++++----\n fs/smb/server/transport_ipc.c    | 42 +++++++++++++++++++++++++++++-----\n 3 files changed, 49 insertions(+), 12 deletions(-)\n\n--\n2.53.0"
}