6.1-stable patches master
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Jun 2026 07:44:59 +0000 (13:14 +0530)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Jun 2026 07:44:59 +0000 (13:14 +0530)
added patches:
ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch

queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch b/queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch
new file mode 100644 (file)
index 0000000..0719290
--- /dev/null
@@ -0,0 +1,61 @@
+From 0e60dafe97eca61721f3db456f97d97a80c6c8ae Mon Sep 17 00:00:00 2001
+From: Ali Ganiyev <ali.qaniyev@gmail.com>
+Date: Mon, 25 May 2026 10:23:47 +0900
+Subject: ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
+
+From: Ali Ganiyev <ali.qaniyev@gmail.com>
+
+commit 0e60dafe97eca61721f3db456f97d97a80c6c8ae upstream.
+
+Commit d07b26f39246 ("ksmbd: require minimum ACE size in
+smb_check_perm_dacl()") introduced a transposed bounds check:
+
+    if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)
+
+Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates
+to `aces_size < 0`. Because `aces_size` is always non-negative, this
+check becomes dead code and never breaks the loop.
+
+Worse, that commit removed the old 4-byte guard, meaning the loop now
+reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This
+re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation
+during subsequent SMB2_CREATE operations.
+
+Fix this by properly transposing the comparison to require at least
+16 bytes (8-byte offset + 8-byte SID base), matching the correct form
+used in smb_inherit_dacl().
+
+Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -1297,8 +1297,8 @@ int smb_check_perm_dacl(struct ksmbd_con
+               ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+               aces_size = acl_size - sizeof(struct smb_acl);
+               for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+-                      if (offsetof(struct smb_ace, sid) +
+-                          aces_size < CIFS_SID_BASE_SIZE)
++                      if (aces_size < offsetof(struct smb_ace, sid) +
++                          CIFS_SID_BASE_SIZE)
+                               break;
+                       ace_size = le16_to_cpu(ace->size);
+                       if (ace_size > aces_size ||
+@@ -1321,8 +1321,8 @@ int smb_check_perm_dacl(struct ksmbd_con
+       ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+       aces_size = acl_size - sizeof(struct smb_acl);
+       for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+-              if (offsetof(struct smb_ace, sid) +
+-                  aces_size < CIFS_SID_BASE_SIZE)
++              if (aces_size < offsetof(struct smb_ace, sid) +
++                  CIFS_SID_BASE_SIZE)
+                       break;
+               ace_size = le16_to_cpu(ace->size);
+               if (ace_size > aces_size ||
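Review bot: The corrected guard `if (aces_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE)` compares `aces_size` against a `size_t` right-hand side, so it is only sound if `aces_size` can never be negative — the commit message asserts that, but the declaration is outside the hunk, and if `aces_size` is a signed type a negative value would convert to a very large unsigned one and skip the `break`. A one-line comment tying the guard to that invariant would help the next reader, e.g. `/* aces_size is non-negative here; need the fixed header plus SID base before reading ace->size */`. The identical expression appears in the second hunk at line 1321 and, per the message, in smb_inherit_dacl(); a shared helper or named constant would make another transposition less likely, though that is an upstream cleanup rather than a stable-backport change. Both loop bodies of smb_check_perm_dacl() continue outside the hunks.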
index e67e109a9f6f4af71bb157cab91212e9fb95c1d3..7e63d3be49bfff619473f43943c5aa32192d88d5 100644 (file)
@@ -526,3 +526,4 @@ crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
 media-rc-ttusbir-fix-inverted-error-logic.patch
 batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch
 media-rc-igorplugusb-fix-control-request-setup-packet.patch
+ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch