{ "id": 2224105, "url": "http://patchwork.ozlabs.org/api/patches/2224105/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260416200439.2987930-1-michael.bommarito@gmail.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260416200439.2987930-1-michael.bommarito@gmail.com>", "list_archive_url": null, "date": "2026-04-16T20:04:39", "name": "ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "c16b433abff2ab8ce2fdee354cd646b1e15c7774", "submitter": { "id": 93078, "url": "http://patchwork.ozlabs.org/api/people/93078/?format=api", "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260416200439.2987930-1-michael.bommarito@gmail.com/mbox/", "series": [ { "id": 500200, "url": "http://patchwork.ozlabs.org/api/series/500200/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500200", "date": "2026-04-16T20:04:39", "name": "ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500200/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224105/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224105/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linux-cifs+bounces-10872-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": 
"patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=eLNWkov4;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10872-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"eLNWkov4\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.128.175", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxTX70Ywkz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 06:05:27 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id C28893046232\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 20:05:23 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 65DAE3ED5DD;\n\tThu, 16 Apr 2026 20:05:08 +0000 (UTC)", "from mail-yw1-f175.google.com (mail-yw1-f175.google.com\n [209.85.128.175])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BAE439A80E\n\tfor <linux-cifs@vger.kernel.org>; Thu, 16 
Apr 2026 20:05:02 +0000 (UTC)", "by mail-yw1-f175.google.com with SMTP id\n 00721157ae682-7b186dfc1d0so17608057b3.1\n for <linux-cifs@vger.kernel.org>;\n Thu, 16 Apr 2026 13:05:01 -0700 (PDT)", "from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net.\n [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n af79cd13be357-8e640504254sm208810585a.28.2026.04.16.13.04.58\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 16 Apr 2026 13:04:58 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776369907; cv=none;\n b=nVRVjTyBK6kz5hFRxat71jYJdgjoYTMDLiZO2jAc3ldmQwFUX6m7lK3fkzsN7dJQlfWaQlADD1sw4WSjJExpVWGeGTsOa7Haf4tJf0DWTu+GoAy2EnWKRL9nkFL0Wyxv0iBwX5URbeH8AJr9R6x5Hskhqhbabnu0EURZvkxn3q8=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776369907; c=relaxed/simple;\n\tbh=A4WGfbNBFS+TdPdlv/yvtGkWO3BanuhGpctzicatogg=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=h6V8aZS5N+GF5JvMy6g+Eb7dDwwdAosp5nZcegXooRJjDpLUqxPK/fhbKYXjhsFId0lYezp3bDW4GYy+GqsvjCMD53EJkz3wxACOj96uBYCu64ohecZWOEhwTcrVZc9R6TMkBSTBiPMG2o+jcQmSBmP+igbSnaz75813TF+My5Y=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=eLNWkov4; arc=none smtp.client-ip=209.85.128.175", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776369899; x=1776974699;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=AiiYXSwG5ruRWxUExLzY5qAI02mOLD9DcmFtQKqN3Hw=;\n b=eLNWkov4H05Og4pWFrsxQ/DAKPjhjqj2CgcKZRmNGVUU5niWTO80IsxxqsYkj+Y5sx\n 0r6VpOl+pSbybxQDaBs3A+VplPsPGC+iBd8qfwgxMB/4697t51Q6EjQ46+957Vvezw3e\n uPzYjQYpnOJ3/VOS6cPVNDz3+LHdsrdqBqBOsfJx5FvbdB1ccGsZIV+uWEVByebV3tAi\n 
I8HXuclvegWdSHJR+3Mruhz45IJnaKGiu8glT0dtMVfrpq8Sj+VVFKQNS4RuXpajlYxD\n 6kMrWk9a3e1Wx3jhzI4UijZRHFlglc3j7TKEb//m2R+aaB87jqJIJIiLi/hNCKutikPx\n xnSw==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776369899; x=1776974699;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=AiiYXSwG5ruRWxUExLzY5qAI02mOLD9DcmFtQKqN3Hw=;\n b=tDMaTK9419rer6wdJVvKVow3LnlRtH2dhCx28c0YRBuimNjFXdtLdnWQffLNRfHRHV\n P6xgH7xsGfHgFAb984muK8RVwvkuWS/QNfcb+gmcoRBhce1eefun0CGoZKBoPfofQSgx\n H4hLa80lTEs13xMNRfr3h1ckVh00gfC/63XiYH5qAF5mR94WzVZ1RL/56JVdzPa+TqLo\n 4mY8hyPz3Cge1CUqLipBBcFNcxNptvpr8NvcX5BHJpH2TyJxUr78rPZGxFwmyNBuEyOz\n wJJtzMYjhofySrOJxRcbVXSAy26/I6ZE6SfOIrUPBdp4SniAka+0uXaBxRiUM933yFrW\n hsMA==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ96LbMvRcLJXBq9Z5ezSZX3po6LrMlUKvrgxo9KHCU7MKdnokZzyud/wQM+8EbehKPhDCduAqpYInrb@vger.kernel.org", "X-Gm-Message-State": "AOJu0YzWC4a/NErliPdCRXT6xL5+u/s6EdxCsQcp8k2YG6S1qC5vJrq9\n\trtGx5DyKVVHBvTYIJpheo7HHwgZVE92Er18l33OSXnOFnv02AJ6OUQ7Q", "X-Gm-Gg": "AeBDiestdHhTDgeCJjLN4bvoePxp2rI9D34x2kNmrQfTPwDhF1AjouXqKFVbVQN5zdd\n\t2Yze6Z894bCNOTaTQmVhXxLYNycvjTkT+kY9wQrj8eGhoOwz6o92TadTJcRRb1yIhjIp8CRF0QL\n\tEJ7VvQgnrrH1YINH9BGwV3lSsE2u1CXfT1kaKLR40t+rtadCakko09rQKRJoNQ+XCT+O6n8Rpk/\n\t6Hu1AlZVXl5BNXFf71NFKUSUCTzNbw7IkJ4GwvOf4LDPiN4TQ0BJZMurz+V7J2Zda0pE93p4ja3\n\toyGnSVpXuSFaFGND7oo2PvxQlGGqscaz1RhijiUgCfeECCKx3/GKVde7DWuoE+i69vNJnAVxSiP\n\twC/cWnuJwJfxw5hFanU4hbiYjftwD5vgXSIIiDSmjwomvzS30ZOwac3Y5zg56WV98pfZ6qSymoe\n\tekzmH1nUjPimNqlRr8TIIRzLHUZMnjB7PXYFu61jMOPbZmXpnx1oI4AVJEy3bSKKT8ViDvFMrsD\n\txG3FsV9mN1uXtHikhZXb6O+6CsdTI/9+mSq6WInRkH6h7wZ5V5lPU3NKsC0d1is", "X-Received": "by 2002:a05:690c:86:b0:7b0:3180:e827 with SMTP id\n 00721157ae682-7b9d8195b11mr5990557b3.22.1776369899204;\n Thu, 16 Apr 2026 13:04:59 -0700 (PDT)", "From": "Michael Bommarito <michael.bommarito@gmail.com>", "To": "Namjae Jeon 
<linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>,\n\tlinux-cifs@vger.kernel.org", "Cc": "Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tstable@vger.kernel.org", "Subject": "[PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()", "Date": "Thu, 16 Apr 2026 16:04:39 -0400", "Message-ID": "<20260416200439.2987930-1-michael.bommarito@gmail.com>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Another one on the smbd side this time. smb_inherit_dacl() trusts\nthe on-disk num_aces value from the parent directory's DACL xattr\nand uses it to size a heap allocation:\n\n aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\nwithout checking that it is consistent with the declared pdacl_size.\nAn authenticated client that can set a crafted DACL on a parent\ndirectory can declare num_aces = 65535 while providing minimal actual\nACE data. This causes a ~2.6 MB allocation (not kzalloc, so\nuninitialized) that the subsequent loop only partially populates, and\nmay also overflow the three-way size_t multiply on 32-bit kernels.\n\nAdditionally, the ACE walk loop uses the weaker\noffsetof(struct smb_ace, access_req) minimum size check rather than\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\ndeclared size is below the minimum.\n\nReproduced the ACE walk OOB under UML + KASAN by constructing a\n12-byte DACL (smb_acl(8) + 4-byte undersized ACE with size=4,\nnum_aces=1). 
The old 4-byte guard passes, then reading\nace->access_req at offset 4 within the ACE triggers:\n\n BUG: KASAN: slab-out-of-bounds in kcifs3_test_inherit_dacl_old\n Read of size 4 at addr ... by task mount.nfs4/220\n\nConfirmed clean exit without splat after patch applied: the new\n16-byte minimum (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE)\nrejects the undersized ACE before any field read.\n\nFix by:\n\n 1. Validating num_aces against pdacl_size using the same formula\n applied in parse_dacl() by commit 1b8b67f3c5e5169535e2\n (\"ksmbd: fix incorrect validation for num_aces field of\n smb_acl\").\n\n 2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\n kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\n allocation.\n\n 3. Tightening the per-ACE loop guard to require the minimum valid\n ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\n rejecting under-sized ACEs, matching the hardening in\n smb_check_perm_dacl() and parse_dacl().\n\nLet me know if you want 2/2 instead of this single patch.\n\nFixes: e2f34481b24d (\"cifsd: add server-side procedures for SMB3\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\n fs/smb/server/smbacl.c | 29 ++++++++++++++++++++++++-----\n 1 file changed, 24 insertions(+), 5 deletions(-)", "diff": "diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c\nindex d5943256c071..fc4fcd48d6c9 100644\n--- a/fs/smb/server/smbacl.c\n+++ b/fs/smb/server/smbacl.c\n@@ -1105,8 +1105,25 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \t\tgoto free_parent_pntsd;\n \t}\n \n-\taces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2,\n-\t\t\t KSMBD_DEFAULT_GFP);\n+\taces_size = pdacl_size - sizeof(struct smb_acl);\n+\n+\t/*\n+\t * Validate num_aces against the DACL payload before allocating.\n+\t * Each ACE must be at least as large as its fixed-size header\n+\t * (up to the SID base), so num_aces cannot exceed the payload\n+\t * 
divided by the minimum ACE size. This mirrors the check in\n+\t * parse_dacl() added by commit 1b8b67f3c5e5 (\"ksmbd: fix\n+\t * incorrect validation for num_aces field of smb_acl\").\n+\t */\n+\tif (num_aces > aces_size / (offsetof(struct smb_ace, sid) +\n+\t\t\t\t offsetof(struct smb_sid, sub_auth) +\n+\t\t\t\t sizeof(__le16))) {\n+\t\trc = -EINVAL;\n+\t\tgoto free_parent_pntsd;\n+\t}\n+\n+\taces_base = kmalloc_array(num_aces * 2, sizeof(struct smb_ace),\n+\t\t\t\t KSMBD_DEFAULT_GFP);\n \tif (!aces_base) {\n \t\trc = -ENOMEM;\n \t\tgoto free_parent_pntsd;\n@@ -1115,7 +1132,6 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \taces = (struct smb_ace *)aces_base;\n \tparent_aces = (struct smb_ace *)((char *)parent_pdacl +\n \t\t\tsizeof(struct smb_acl));\n-\taces_size = acl_len - sizeof(struct smb_acl);\n \n \tif (pntsd_type & DACL_AUTO_INHERITED)\n \t\tinherited_flags = INHERITED_ACE;\n@@ -1123,11 +1139,14 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \tfor (i = 0; i < num_aces; i++) {\n \t\tint pace_size;\n \n-\t\tif (offsetof(struct smb_ace, access_req) > aces_size)\n+\t\tif (aces_size < offsetof(struct smb_ace, sid) +\n+\t\t CIFS_SID_BASE_SIZE)\n \t\t\tbreak;\n \n \t\tpace_size = le16_to_cpu(parent_aces->size);\n-\t\tif (pace_size > aces_size)\n+\t\tif (pace_size > aces_size ||\n+\t\t pace_size < offsetof(struct smb_ace, sid) +\n+\t\t\t\tCIFS_SID_BASE_SIZE)\n \t\t\tbreak;\n \n \t\taces_size -= pace_size;\n", "prefixes": [] }
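Review bot: The minimum-ACE-size threshold is not the same in the two new checks: the num_aces bound in the first hunk divides by `offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, sub_auth) + sizeof(__le16)`, while the per-ACE guards in the last hunk use `offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE`, so unless CIFS_SID_BASE_SIZE already accounts for that extra `sizeof(__le16)` the allocation bound and the walk disagree on what the smallest valid ACE is. Both sites should use one shared expression for the minimum ACE size, preferably the same one parse_dacl() uses, so that every DACL reader in this file accepts and rejects the same input. The second hunk also silently changes the walk bound from `acl_len - sizeof(struct smb_acl)` to `pdacl_size - sizeof(struct smb_acl)`, which the description does not mention; if acl_len and pdacl_size can differ for the same DACL, the commit message should say why pdacl_size is the correct bound, and the earlier check that pdacl_size is at least sizeof(struct smb_acl) (presumably the one before the first hunk) is what keeps that subtraction from underflowing. Under-sized or over-sized ACEs still `break` out of the loop rather than failing with `rc = -EINVAL`, so a crafted DACL yields a silently truncated inherited ACL rather than an error, which the description's "rejecting under-sized ACEs" overstates. smb_inherit_dacl() starts before the first hunk and continues past the last one.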