[{"id":3678459,"web_url":"http://patchwork.ozlabs.org/comment/3678459/","msgid":"<CAKYAXd94w_Mi0gzAKrHiMnV2LsVk-Rzo6JcGtXNbEJZG4xXF4Q@mail.gmail.com>","list_archive_url":null,"date":"2026-04-17T02:46:59","subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"On Fri, Apr 17, 2026 at 5:05 AM Michael Bommarito\n<michael.bommarito@gmail.com> wrote:\n>\n> Another one on the smbd side this time. smb_inherit_dacl() trusts\n> the on-disk num_aces value from the parent directory's DACL xattr\n> and uses it to size a heap allocation:\n>\n>   aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n>\n> num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\n> without checking that it is consistent with the declared pdacl_size.\n> An authenticated client that can set a crafted DACL on a parent\n> directory can declare num_aces = 65535 while providing minimal actual\n> ACE data.  This causes a ~2.6 MB allocation (not kzalloc, so\n> uninitialized) that the subsequent loop only partially populates, and\n> may also overflow the three-way size_t multiply on 32-bit kernels.\n>\n> Additionally, the ACE walk loop uses the weaker\n> offsetof(struct smb_ace, access_req) minimum size check rather than\n> the minimum valid on-wire ACE size, and does not reject ACEs whose\n> declared size is below the minimum.\n>\n> Reproduced the ACE walk OOB under UML + KASAN by constructing a\n> 12-byte DACL (smb_acl(8) + 4-byte undersized ACE with size=4,\n> num_aces=1).  The old 4-byte guard passes, then reading\n> ace->access_req at offset 4 within the ACE triggers:\n>\n>   BUG: KASAN: slab-out-of-bounds in kcifs3_test_inherit_dacl_old\n>   Read of size 4 at addr ... by task mount.nfs4/220\nThere is no kcifs3_test_inherit_dacl_old function in ksmbd. 
How did\nyou reproduce the problem?","headers":{"Return-Path":"\n <linux-cifs+bounces-10884-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=U5fngzlY;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10884-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"U5fngzlY\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"X-Received":"by 2002:a17:906:c145:b0:b94:1df4:3525 with SMTP id\n a640c23a62f3a-ba41bad0123mr47054066b.1.1776394031997; Thu, 16 Apr 2026\n 19:47:11 -0700 (PDT)","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260416200439.2987930-1-michael.bommarito@gmail.com>","In-Reply-To":"<20260416200439.2987930-1-michael.bommarito@gmail.com>","From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Fri, 17 Apr 2026 11:46:59 +0900","X-Gmail-Original-Message-ID":"\n <CAKYAXd94w_Mi0gzAKrHiMnV2LsVk-Rzo6JcGtXNbEJZG4xXF4Q@mail.gmail.com>","X-Gm-Features":"AQROBzBRonctEOhm_0Xni-0WQTv6zF5MG4w8OvP7PAUiLUDZd7Fz8lsWruW5q94","Message-ID":"\n <CAKYAXd94w_Mi0gzAKrHiMnV2LsVk-Rzo6JcGtXNbEJZG4xXF4Q@mail.gmail.com>","Subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","To":"Michael Bommarito <michael.bommarito@gmail.com>","Cc":"Steve French <smfrench@gmail.com>, linux-cifs@vger.kernel.org,\n\tSergey Senozhatsky <senozhatsky@chromium.org>, Tom Talpey <tom@talpey.com>,\n stable@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}},{"id":3678461,"web_url":"http://patchwork.ozlabs.org/comment/3678461/","msgid":"<CAJJ9bXzRpb0-B8LwUNc_yx4ADt2CEzH_wSbtQ5CZP6K+YKS7rw@mail.gmail.com>","list_archive_url":null,"date":"2026-04-17T02:58:38","subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n 
smb_inherit_dacl()","submitter":{"id":93078,"url":"http://patchwork.ozlabs.org/api/people/93078/","name":"Michael Bommarito","email":"michael.bommarito@gmail.com"},"content":"On Thu, Apr 16, 2026 at 10:47 PM Namjae Jeon <linkinjeon@kernel.org> wrote:\n> There is no kcifs3_test_inherit_dacl_old function in ksmbd. How did\n> you reproduce the problem?\n\nSorry for the confusing splat.  I pulled the pre-fix ACE-walk loop\nfrom smb_inherit_dacl()  to simplify the setup in a test module and\nre-used names from another harness.  _old keeps the original weak\noffset guard, _new uses the tightened size, and the patched version\nsurvives.  If you want, I can run through a full repro with qemu\ntomorrow using the real paths.","headers":{"Return-Path":"\n <linux-cifs+bounces-10885-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=lDbNydmJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10885-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"lDbNydmJ\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=74.125.224.43","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"X-Received":"by 2002:a05:690e:13c9:b0:650:5316:175b with SMTP id\n 956f58d0204a3-65310b028f7mr1140874d50.52.1776394729349; Thu, 16 Apr 2026\n 19:58:49 -0700 
(PDT)","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260416200439.2987930-1-michael.bommarito@gmail.com>\n <CAKYAXd94w_Mi0gzAKrHiMnV2LsVk-Rzo6JcGtXNbEJZG4xXF4Q@mail.gmail.com>","In-Reply-To":"\n <CAKYAXd94w_Mi0gzAKrHiMnV2LsVk-Rzo6JcGtXNbEJZG4xXF4Q@mail.gmail.com>","From":"Michael Bommarito <michael.bommarito@gmail.com>","Date":"Thu, 16 Apr 2026 22:58:38 -0400","X-Gm-Features":"AQROBzAQfRoNPv_BCLl4UjKUpp-kGov1M25b6YcO0KYyM5811sPTveZqffffwHg","Message-ID":"\n <CAJJ9bXzRpb0-B8LwUNc_yx4ADt2CEzH_wSbtQ5CZP6K+YKS7rw@mail.gmail.com>","Subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","To":"Namjae Jeon <linkinjeon@kernel.org>","Cc":"Steve French <smfrench@gmail.com>, linux-cifs@vger.kernel.org,\n\tSergey Senozhatsky <senozhatsky@chromium.org>, Tom Talpey <tom@talpey.com>,\n stable@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}},{"id":3678526,"web_url":"http://patchwork.ozlabs.org/comment/3678526/","msgid":"<CAKYAXd-qQoK_qJYOCBxm87b9XH_8dExb0N94QktMmOHDLhDG3w@mail.gmail.com>","list_archive_url":null,"date":"2026-04-17T07:07:04","subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"> diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c\n> index d5943256c071..fc4fcd48d6c9 100644\n> --- a/fs/smb/server/smbacl.c\n> +++ b/fs/smb/server/smbacl.c\n> 
@@ -1105,8 +1105,25 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n>                 goto free_parent_pntsd;\n>         }\n>\n> -       aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2,\n> -                           KSMBD_DEFAULT_GFP);\n> +       aces_size = pdacl_size - sizeof(struct smb_acl);\n> +\n> +       /*\n> +        * Validate num_aces against the DACL payload before allocating.\n> +        * Each ACE must be at least as large as its fixed-size header\n> +        * (up to the SID base), so num_aces cannot exceed the payload\n> +        * divided by the minimum ACE size.  This mirrors the check in\n> +        * parse_dacl() added by commit 1b8b67f3c5e5 (\"ksmbd: fix\n> +        * incorrect validation for num_aces field of smb_acl\").\n> +        */\nPlease remove the specific commit hash and patch name in the comments.\nThanks.","headers":{"Return-Path":"\n <linux-cifs+bounces-10888-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=DxsAES9c;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10888-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"DxsAES9c\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No 
client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxmJN4cDFz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 17:11:16 +1000 (AEST)"],"X-Received":"by 2002:a05:6402:1598:b0:671:4f9c:f664 with SMTP id\n 4fb4d7f45d1cf-672bfde1bd4mr684806a12.27.1776409636596; Fri, 17 Apr 2026\n 00:07:16 -0700 (PDT)","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260416200439.2987930-1-michael.bommarito@gmail.com>","In-Reply-To":"<20260416200439.2987930-1-michael.bommarito@gmail.com>","From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Fri, 17 Apr 2026 16:07:04 +0900","X-Gmail-Original-Message-ID":"\n <CAKYAXd-qQoK_qJYOCBxm87b9XH_8dExb0N94QktMmOHDLhDG3w@mail.gmail.com>","X-Gm-Features":"AQROBzAFck2vqQkBOH4pN5DOnEy_kJIlkfFReLxJ1_G8N5PEhRCsyFtUwcWsIKc","Message-ID":"\n <CAKYAXd-qQoK_qJYOCBxm87b9XH_8dExb0N94QktMmOHDLhDG3w@mail.gmail.com>","Subject":"Re: [PATCH] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","To":"Michael Bommarito <michael.bommarito@gmail.com>","Cc":"Steve French <smfrench@gmail.com>, linux-cifs@vger.kernel.org,\n\tSergey Senozhatsky <senozhatsky@chromium.org>, Tom Talpey <tom@talpey.com>,\n stable@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\""}}]