{"id":2223245,"url":"http://patchwork.ozlabs.org/api/covers/2223245/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260414191533.1467353-1-michael.bommarito@gmail.com/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260414191533.1467353-1-michael.bommarito@gmail.com>","list_archive_url":null,"date":"2026-04-14T19:15:30","name":"[0/3] ksmbd: harden IPC response arithmetic and ACE walk","submitter":{"id":93078,"url":"http://patchwork.ozlabs.org/api/people/93078/?format=json","name":"Michael Bommarito","email":"michael.bommarito@gmail.com"},"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260414191533.1467353-1-michael.bommarito@gmail.com/mbox/","series":[{"id":499887,"url":"http://patchwork.ozlabs.org/api/series/499887/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499887","date":"2026-04-14T19:15:31","name":"ksmbd: harden IPC response arithmetic and ACE walk","version":1,"mbox":"http://patchwork.ozlabs.org/series/499887/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2223245/comments/","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=scTvEk2p;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10817-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"scTvEk2p\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.219.42","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwDbD6bDbz1y2d\n\tfor ; Wed, 15 Apr 2026 05:18:48 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id A7092304753B\n\tfor ; Tue, 14 Apr 2026 19:15:39 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 34445299A8F;\n\tTue, 14 Apr 2026 19:15:39 +0000 (UTC)","from mail-qv1-f42.google.com (mail-qv1-f42.google.com\n [209.85.219.42])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id BEE62282F25\n\tfor ; Tue, 14 Apr 2026 19:15:37 +0000 (UTC)","by mail-qv1-f42.google.com with SMTP id\n 6a1803df08f44-899a9f445cbso67115936d6.0\n for ;\n Tue, 14 Apr 2026 12:15:37 -0700 (PDT)","from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8aca478a70csm77229126d6.27.2026.04.14.12.15.34\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 14 Apr 2026 12:15:35 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776194139; cv=none;\n b=ohk2vR0oPsfSsaT5yJ69Qo99uyy8A+00nOa7ie2lAMgwaLx0J0lPTs2lLbskmX1QGkClp1Kh00NwCl2dZzS+3lX4F+jWKZuXVpcg4Ql+CUOOVwBkUb8itd1RieBhHx+hihj70SsNEqimmn+lnn1nTEkk8sY0ZIbJIyBCPuz04EQ=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776194139; c=relaxed/simple;\n\tbh=OP+X7N1cl7Z1dU4RmWLJlo1ZnQ+9ylvjg9Rirta7jeA=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=kueT/xM+EaHRL9jja63Bc1vwrcSthq27G15D2Oav0GMaHc/9go680kS5Hvs1jEaXHLfJzNvsanN5o8UY3eDvNfwMOeD0n3dT/VXTI22pyeSGEm+z0XXwSxozD2wn87zE3TpCm7dT3t+pZG3+bvtU/FZD5vm8xaFbRGo4zsBwEac=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=scTvEk2p; arc=none smtp.client-ip=209.85.219.42","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776194136; x=1776798936;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=PMAOyE6FGPQM6cNvFV9IHH4uR3bD/7YSN/uFIDfWSw0=;\n b=scTvEk2psCGOW5h0gXFD5MCUvasgzC5B73AkuRoMlZnTwKEMFScUUspwNj+jY26HPy\n wuwCSpDSLj44tKQiHYwV5M0slmZ9nSSpyOpm8Wn/x8xR6+A8HTqhHQNFFn9SUKj6woE1\n D+hWO4SOaZnUtpiXZa0JDw77rd6RXDBe6gjBMC0gGpqzn2blKyyKl4AsTghHP8VTIf19\n SoegTVAm6eKjABnhI8pRsttswReRpLB4tizaRw2ib9XKbt7OOaGUO4iFecxpc9iHLfJ1\n 3mpS9+x1eIEwaR2GzrhGIiSYN1ju/GOEvKLbaXBKjUOuOwyh7JT7S9dk0F2b86sbAkeu\n yySQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776194136; x=1776798936;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=PMAOyE6FGPQM6cNvFV9IHH4uR3bD/7YSN/uFIDfWSw0=;\n b=deNu4GhTVG6DhkCf8hzalnpFCwMdb6sQOWQtmKKn+r1qYUGZU8y0+YRvofowMqXgqW\n 1KugjMG6WU/l7CxBMv2IrnMToIzGO46sxgQkeKk9pAUHd0XvxHE4drrGJ4YYdf9DYNWI\n A5E1+1lfHjM2vNOzJ4lfvL4LLHkhZse3VcsGp8IsLpSVSLHEi53Q7RWhqmbzNddY+DOc\n 3zGvU4MRHBNak9KpT/tTVLkztt28WUG/36hCu+/KdWGn1wOs3MzolRkH/hc0i6qN4rkK\n T6SEalUxAw8+V1qLa6kCfar8A/yxuh5foILDm9hhvi47sHtuUzsFNUkVt2CpDBFy8pld\n Ni9g==","X-Gm-Message-State":"AOJu0YxTtPcac3JGnTCHB3yeaFX6vIC3n7Ab2ZEzwrqJUU98Q4cBkw76\n\tJmpPe5BceKqvnFhgmb5GmNdX0mPwCSqaj14/wfzIaYS6GXfPnpVpMxljpdBs3QPu","X-Gm-Gg":"AeBDieunIgDN3BG0ZnrRtTrB8nQmiFZEZz5hHKZ5goHtRuEV2Sn39K7/pmZfKItz19b\n\tSMwOUPRcYw2Ujkpni1oVk+R+uSm7eEZdZ0Hh6DCCFrL4vQzx9WBI9vFux3Gu3Pluo/ky7UF9RmS\n\thI4FDFvgKdtD3xzr1qy5JLFBWYcw5WjqCfbspPjh3w/zngcmHZXxb62oKiaaJZ9x7Hc9zyHfswd\n\tey6kQ2/xLjnJqnrh4VPeZJy17Fjek6b9y0W1D5x+5W4OTJN0x2OSfYV9EfZqcwDHMds6A6mq5tg\n\tHqEQHQOG8uodvSAeb7tdkqOyS/YgWI2a+k7bKluqDTDx9ioIE80hHkFdne4iPoVeXk2IwMtl3Ar\n\t+PTZG9YAvi1y2UJvM6Pq/NijIxHWZs8tMR9C9gzj/5Is6jX5uOX4Ajc5pAnN1D6wnFKaSR3uQ6/\n\t0x4vybT5A2xLrm7EsZhdejednOzTVFGe8bikFMxkfd+h79lIQLr0te7dlyelSUfRFV9i8Orlija\n\tpBdgVLTWSNsLSRcvuc8Hmic2GeqKWloe+6toFp37g==","X-Received":"by 2002:a05:6214:2024:b0:8a3:7d76:6a6f with SMTP id\n 6a1803df08f44-8ac8616001dmr308462016d6.5.1776194135984;\n Tue, 14 Apr 2026 12:15:35 -0700 (PDT)","From":"Michael Bommarito ","To":"linux-cifs@vger.kernel.org,\n\tNamjae Jeon ,\n\tSteve French ","Cc":"Sergey Senozhatsky ,\n\tTom Talpey ,\n\tstable@vger.kernel.org","Subject":"[PATCH 0/3] ksmbd: harden IPC response arithmetic and ACE walk","Date":"Tue, 14 Apr 2026 15:15:30 -0400","Message-ID":"<20260414191533.1467353-1-michael.bommarito@gmail.com>","X-Mailer":"git-send-email 2.53.0","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Hi,\n\nThree ksmbd patches: two hardening fixes for the kernel <-> mountd\nIPC arithmetic, plus one authenticated OOB-read fix in the DACL\nACE walker. All three reproduced under UML + KASAN on v7.0-rc7.\nPatch 3 reproduces end-to-end over loopback SMB2 from a guest\nclient against UML ksmbd + ksmbd.mountd:\n\n pre-fix:\n BUG: KASAN: slab-out-of-bounds in compare_sids+0x2b1/0x440\n compare_sids\n smb_check_perm_dacl+0x4fe/0x11a0\n smb2_open+0x4eb2/0xad50\n handle_ksmbd_work+0x3d3/0x1140\n \"The buggy address is located 4 bytes to the right of\n allocated 32-byte region\" with the allocation trace pointing\n at ndr_decode_v4_ntacl() reading the stored xattr.\n post-fix:\n CREATE returns STATUS_ACCESS_DENIED; no KASAN splat; granted\n bits stay at 0 because the tightened bound rejects ace_size=4\n before compare_sids is called.\n\nPatches 1 and 2 reproduced with in-kernel synthetic triggers that\nhand ipc_validate_msg() a response with a wrap-matching size:\n\n patch 1 (RPC_REQUEST payload_sz):\n pre-fix returns 0 (u32 wrap bypass)\n post-fix returns -EINVAL (payload_sz > KSMBD_IPC_MAX_PAYLOAD)\n\n patch 1 + 2 (LOGIN_REQUEST_EXT ngroups=-1):\n pre-fix returns 0 (signed->size_t wrap matches msg_sz)\n post-fix returns -EINVAL (explicit ngroups<0 gate)\n\nSame threat model as the earlier hardening commits aab98e2dbd64\n(\"ksmbd: fix integer overflows on 32 bit systems\") and 6f40e50ceb99\n(\"ksmbd: transport_ipc: validate payload size before reading\nhandle\"): the kernel should not trust arithmetic on attacker-\ncontrolled fields even when those fields come from a cooperating\nroot daemon or an authenticated client writing an xattr.\n\nPatch 1/3 caps the attacker-controlled fields in ipc_validate_msg()\nagainst the existing KSMBD_IPC_MAX_PAYLOAD / NGROUPS_MAX bounds\nbefore they feed the size-computation arithmetic. Three cases:\n\n - KSMBD_EVENT_RPC_REQUEST: sizeof(struct) + resp->payload_sz\n (__u32) can wrap in unsigned int; downstream consumer at\n smb2pdu.c:6742 uses rpc_resp->payload_sz for a memcpy. Cap\n payload_sz against KSMBD_IPC_MAX_PAYLOAD, matching the\n request-side cap in aab98e2dbd64.\n - KSMBD_EVENT_SHARE_CONFIG_REQUEST: sizeof(struct) +\n resp->payload_sz same class; same cap.\n - KSMBD_EVENT_LOGIN_REQUEST_EXT: resp->ngroups is __s32 signed,\n so the existing > NGROUPS_MAX comparison at user_config.c:59\n misses negative values, and the mul sizeof(gid_t) mixes signed\n and size_t in a surprising way. Reject ngroups outside the\n signed [0, NGROUPS_MAX] range up front.\n\nPatch 2/3 fixes user_config.c so ksmbd_alloc_user() also rejects\nnegative ngroups explicitly, independent of ipc_validate_msg.\n\nPatch 3/3 tightens bounds checking in smb_check_perm_dacl()'s two\nACE-walk loops. Today they only require the 4-byte ACE header to\nfit in the remaining DACL buffer; an attacker-declared ace->size\nof 4 passes both guards, after which the loop reads access_req\n(offset 4) and ace->sid (offset 8+) past the real buffer.\nparse_sec_desc() already performs an equivalent check; this patch\nbrings smb_check_perm_dacl() up to the same bar.\n\nPractical exploitation of patches 1-2 is narrow: the wrap-bypass\nrequires ksmbd.mountd to send a response crafted around the wrapped\nsize while preserving consistent field values, and the downstream\nkvmalloc almost always fails for u32-wrap sizes. Patch 3 is\nreachable post-auth by any client that can SET an ACL and then\nOPEN the affected file.\n\nThe patch 3 exploit chain is authenticated but otherwise untrusted:\nguest session -> TREE_CONNECT -> CREATE evil.dat -> SET_INFO with a\ncrafted security descriptor (one ACE with size=4) -> close -> re-open\nthe file, which triggers smb_check_perm_dacl() in smb2_open(). The\nmalformed SD is accepted by SET_INFO without validation on the write\nside; parsing happens on the next open.\n\nInstrumentation, triggers, client, and both console logs are\navailable on request.\n\nMichael Bommarito (3):\n ksmbd: cap response sizes in ipc_validate_msg()\n ksmbd: reject negative ngroups in ksmbd_alloc_user()\n ksmbd: require minimum ACE size in smb_check_perm_dacl()\n\n fs/smb/server/mgmt/user_config.c | 2 +-\n fs/smb/server/smbacl.c | 17 +++++++++++++----\n fs/smb/server/transport_ipc.c | 42 +++++++++++++++++++++++++++++-----\n 3 files changed, 49 insertions(+), 12 deletions(-)\n\n--\n2.53.0"}