[{"id":3678947,"web_url":"http://patchwork.ozlabs.org/comment/3678947/","msgid":"<CAKYAXd-C358TaLXHAMdfEn8FBNjjfN1ONq3tuDSAyguzc2qEjg@mail.gmail.com>","list_archive_url":null,"date":"2026-04-18T06:28:06","subject":"Re: [PATCH v2] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"On Sat, Apr 18, 2026 at 3:46 AM Michael Bommarito\n<michael.bommarito@gmail.com> wrote:\n>\n> smb_inherit_dacl() trusts the on-disk num_aces value from the parent\n> directory's DACL xattr and uses it to size a heap allocation:\n>\n>   aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n>\n> num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\n> without checking that it is consistent with the declared pdacl_size.\n> An authenticated client whose parent directory's security.NTACL is\n> tampered (e.g. via offline xattr corruption or a concurrent path that\n> bypasses parse_dacl()) can present num_aces = 65535 with minimal\n> actual ACE data.  This causes a ~8 MB allocation (not kzalloc, so\n> uninitialized) that the subsequent loop only partially populates, and\n> may also overflow the three-way size_t multiply on 32-bit kernels.\n>\n> Additionally, the ACE walk loop uses the weaker\n> offsetof(struct smb_ace, access_req) minimum size check rather than\n> the minimum valid on-wire ACE size, and does not reject ACEs whose\n> declared size is below the minimum.\n>\n> Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\n> A legitimate mount.cifs client creates a parent directory over SMB\n> (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\n> the backing filesystem is rewritten to set num_aces = 0xFFFF while\n> keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s\n> hash check still passes.  
A subsequent SMB2 CREATE of a child under\n> that parent drives smb2_open() into smb_inherit_dacl() (share has\n> \"vfs objects = acl_xattr\" set), which fails the page allocator:\n>\n>   WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0\n>   Workqueue: ksmbd-io handle_ksmbd_work\n>    __alloc_frozen_pages_noprof+0x46c/0x9c0\n>    ___kmalloc_large_node+0x68/0x130\n>    __kmalloc_large_node_noprof+0x24/0x70\n>    __kmalloc_noprof+0x4c9/0x690\n>    smb_inherit_dacl+0x394/0x2430\n>    smb2_open+0x595d/0xabe0\n>    handle_ksmbd_work+0x3d3/0x1140\n>\n> With the patch applied the added guard rejects the tampered value\n> with -EINVAL before any large allocation runs, smb2_open() falls back\n> to smb2_create_sd_buffer(), and the child is created with a default\n> SD.  No warning, no splat.\n>\n> Fix by:\n>\n>   1. Validating num_aces against pdacl_size using the same formula\n>      applied in parse_dacl().\n>\n>   2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\n>      kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\n>      allocation.\n>\n>   3. 
Tightening the per-ACE loop guard to require the minimum valid\n>      ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\n>      rejecting under-sized ACEs, matching the hardening in\n>      smb_check_perm_dacl() and parse_dacl().\n>\n> v1 -> v2:\n>   - Replace the synthetic test-module splat in the changelog with a\n>     real-path UML + KASAN reproduction driven through mount.cifs and\n>     SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\n>     in v1 since it does not exist in ksmbd.\n>   - Drop the commit-hash citation from the code comment per Namjae's\n>     review; keep the parse_dacl() pointer.\n>\n> Fixes: e2f34481b24d (\"cifsd: add server-side procedures for SMB3\")\n> Cc: stable@vger.kernel.org\n> Assisted-by: Claude:claude-opus-4-6\n> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>\nApplied it to #ksmbd-for-next-next.\nThanks!","headers":{"Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","References":"<20260416200439.2987930-1-michael.bommarito@gmail.com>\n <20260417184557.1138554-1-michael.bommarito@gmail.com>","In-Reply-To":"<20260417184557.1138554-1-michael.bommarito@gmail.com>","From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Sat, 18 Apr 2026 15:28:06 +0900","Message-ID":"\n <CAKYAXd-C358TaLXHAMdfEn8FBNjjfN1ONq3tuDSAyguzc2qEjg@mail.gmail.com>","Subject":"Re: [PATCH v2] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()","To":"Michael Bommarito <michael.bommarito@gmail.com>","Cc":"Steve French <smfrench@gmail.com>, linux-cifs@vger.kernel.org,\n\tSergey Senozhatsky <senozhatsky@chromium.org>, Tom Talpey <tom@talpey.com>,\n\tHyunchul Lee <hyc.lee@gmail.com>, Ronnie Sahlberg <lsahlber@redhat.com>,\n stable@vger.kernel.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]