From 792c6a3bf7601a4fb701a2dd5aa8c87cd473870b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 14 Jul 2026 16:45:05 +0200 Subject: [PATCH] 6.1-stable patches added patches: ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch ksmbd-add-per-handle-permission-check-to-file_link_information.patch ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch ksmbd-require-source-read-access-for-duplicate-extents.patch ksmbd-run-set-info-with-opener-credentials.patch ksmbd-serialize-query_directory-requests-per-file.patch smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch smb-client-harden-posix-sid-length-parsing.patch smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch --- ...ission-check-for-fsctl_set_zero_data.patch | 50 +++++++++++ ...wner-check-to-smb2-set_info-security.patch | 60 +++++++++++++ ...ssion-check-to-file_link_information.patch | 49 +++++++++++ ...-for-fsctl_duplicate_extents_to_file.patch | 48 +++++++++++ ...smb2_lock-deferred-lock-cancellation.patch | 86 +++++++++++++++++++ ...ce-read-access-for-duplicate-extents.patch | 40 +++++++++ ...run-set-info-with-opener-credentials.patch | 68 +++++++++++++++ ...ze-query_directory-requests-per-file.patch | 86 +++++++++++++++++++ queue-6.1/series | 12 +++ ...r-leak-in-receive_encrypted_standard.patch | 52 +++++++++++ ...ient-harden-posix-sid-length-parsing.patch | 40 +++++++++ ...rovided-mode-to-07777-in-modefromsid.patch | 34 ++++++++ ...-unaligned-reads-in-parse_posix_ctxt.patch | 38 ++++++++ 13 files changed, 663 insertions(+) create mode 100644 queue-6.1/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch create mode 100644 queue-6.1/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch create mode 100644 queue-6.1/ksmbd-add-per-handle-permission-check-to-file_link_information.patch create mode 100644 queue-6.1/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch create mode 100644 queue-6.1/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch create mode 100644 queue-6.1/ksmbd-require-source-read-access-for-duplicate-extents.patch create mode 100644 queue-6.1/ksmbd-run-set-info-with-opener-credentials.patch create mode 100644 queue-6.1/ksmbd-serialize-query_directory-requests-per-file.patch create mode 100644 queue-6.1/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch create mode 100644 queue-6.1/smb-client-harden-posix-sid-length-parsing.patch create mode 100644 queue-6.1/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch create mode 100644 queue-6.1/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch diff --git a/queue-6.1/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch b/queue-6.1/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch new file mode 100644 index 0000000000..ba813c573f --- /dev/null +++ b/queue-6.1/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch @@ -0,0 +1,50 @@ +From 3320ba068198adc144c89d6661b805acce01735b Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Wed, 10 Jun 2026 20:07:04 +0900 +Subject: ksmbd: add a permission check for FSCTL_SET_ZERO_DATA + +From: Gil Portnoy + +commit 3320ba068198adc144c89d6661b805acce01735b upstream. + +FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via +ksmbd_vfs_zero_data() -> vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after +checking only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no +per-handle access check. A handle opened with only FILE_WRITE_ATTRIBUTES +still yields an FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of +FILE_WRITE_DESIRE_ACCESS_LE, so smb2_create_open_flags() opens it +O_WRONLY), so the vfs_fallocate FMODE_WRITE check does not stop it; only +the missing fp->daccess gate would. Reproduced on mainline 7.1-rc7 with +KASAN by an authenticated SMB client: a FILE_WRITE_ATTRIBUTES-only handle +zeroed 4096 bytes of file data it had no FILE_WRITE_DATA right to +(6/6; a FILE_READ_DATA-only handle was correctly denied). + +This is the unfixed sibling of commit cc57232cae23 ("ksmbd: fix FSCTL +permission bypass by adding a permission check for FSCTL_SET_SPARSE"). +Because SET_ZERO_DATA writes data (not an attribute), require +FILE_WRITE_DATA. + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7958,6 +7958,12 @@ int smb2_ioctl(struct ksmbd_work *work) + goto out; + } + ++ if (!(fp->daccess & FILE_WRITE_DATA_LE)) { ++ ksmbd_fd_put(work, fp); ++ ret = -EACCES; ++ goto out; ++ } ++ + ret = ksmbd_vfs_zero_data(work, fp, off, len); + ksmbd_fd_put(work, fp); + if (ret < 0) diff --git a/queue-6.1/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch b/queue-6.1/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch new file mode 100644 index 0000000000..b2ff706c90 --- /dev/null +++ b/queue-6.1/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch @@ -0,0 +1,60 @@ +From 44df157a1183a7f746caa970c169255da5ac61f8 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Tue, 9 Jun 2026 00:00:00 +0000 +Subject: ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gil Portnoy + +commit 44df157a1183a7f746caa970c169255da5ac61f8 upstream. + +commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a +permission check for FSCTL_SET_SPARSE") added a fp->daccess gate to +fsctl_set_sparse and noted that "similar handle-level checks exist in other +functions but are missing here." The SMB2 SET_INFO SECURITY arm is one of +the missing ones, and the most security-relevant: smb2_set_info_sec() calls +set_info_sec() with no per-handle access check. + +set_info_sec() (fs/smb/server/smbacl.c) re-permissions the file: it +rewrites owner/group/mode via notify_change(), rewrites the POSIX ACL via +set_posix_acl(), and on KSMBD_SHARE_FLAG_ACL_XATTR shares removes and +rewrites the Windows security descriptor via ksmbd_vfs_set_sd_xattr(). +Every other persistent-mutation arm of the sibling handler +smb2_set_info_file() checks fp->daccess first (FILE_WRITE_DATA / +FILE_DELETE / FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES); the SECURITY arm — +which mutates the access control itself — is the only one with no gate. + +A client can therefore open a handle with FILE_WRITE_ATTRIBUTES only (no +FILE_WRITE_DAC / FILE_WRITE_OWNER) and use SMB2_SET_INFO with InfoType +SMB2_O_INFO_SECURITY to rewrite the file's DACL and owner, granting itself +access the handle's daccess never carried. Unlike the FSCTL data arms this +is a metadata/xattr operation, so there is no FMODE_WRITE VFS backstop — +the missing fp->daccess check is the entire gate. + +Setting a security descriptor is the WRITE_DAC / WRITE_OWNER operation, so +require at least one of those on the handle before re-permissioning the +file. -EACCES is mapped to STATUS_ACCESS_DENIED by smb2_set_info(). + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6117,6 +6117,9 @@ static int smb2_set_info_sec(struct ksmb + + fp->saccess |= FILE_SHARE_DELETE_LE; + ++ if (!(fp->daccess & (FILE_WRITE_DAC_LE | FILE_WRITE_OWNER_LE))) ++ return -EACCES; ++ + return set_info_sec(fp->conn, fp->tcon, &fp->filp->f_path, pntsd, + buf_len, false, true); + } diff --git a/queue-6.1/ksmbd-add-per-handle-permission-check-to-file_link_information.patch b/queue-6.1/ksmbd-add-per-handle-permission-check-to-file_link_information.patch new file mode 100644 index 0000000000..5dd930e5b4 --- /dev/null +++ b/queue-6.1/ksmbd-add-per-handle-permission-check-to-file_link_information.patch @@ -0,0 +1,49 @@ +From 13f3942f2bf45856bb751faed2f0c4618f41ca20 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Wed, 10 Jun 2026 20:13:51 +0900 +Subject: ksmbd: add per-handle permission check to FILE_LINK_INFORMATION + +From: Gil Portnoy + +commit 13f3942f2bf45856bb751faed2f0c4618f41ca20 upstream. + +The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls +smb2_create_link() with no per-handle fp->daccess check. On the +ReplaceIfExists path smb2_create_link() unlinks an existing file at the +target name (ksmbd_vfs_remove_file) and creates a hardlink +(ksmbd_vfs_link); neither helper checks daccess. A handle opened with +FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore +delete an arbitrary file in the share and plant a hardlink over its name. + +The sibling delete/move arms in the same switch already gate: +FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require +FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate +the link arm the same way as its closest analogue (rename), since it +mutates the namespace and, on replace, deletes an existing entry. + +This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission +bypass by adding a permission check for FSCTL_SET_SPARSE"). + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6060,6 +6060,11 @@ static int smb2_set_info_file(struct ksm + } + case FILE_LINK_INFORMATION: + { ++ if (!(fp->daccess & FILE_DELETE_LE)) { ++ pr_err("no right to delete : 0x%x\n", fp->daccess); ++ return -EACCES; ++ } ++ + if (buf_len < sizeof(struct smb2_file_link_info)) + return -EINVAL; + diff --git a/queue-6.1/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch b/queue-6.1/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch new file mode 100644 index 0000000000..c4cfd15998 --- /dev/null +++ b/queue-6.1/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch @@ -0,0 +1,48 @@ +From 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Fri, 12 Jun 2026 07:15:38 +0900 +Subject: ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE + +From: Gil Portnoy + +commit 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 upstream. + +The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the +destination file's data via vfs_clone_file_range() with neither the +share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle +fp->daccess check that the other write-bearing arms carry. A client can +overwrite destination data on a read-only share, or from a handle opened +with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp). +FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via +the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix; +require FILE_WRITE_DATA since this writes data. + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -8033,6 +8033,17 @@ int smb2_ioctl(struct ksmbd_work *work) + goto dup_ext_out; + } + ++ if (!test_tree_conn_flag(work->tcon, ++ KSMBD_TREE_CONN_FLAG_WRITABLE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } ++ ++ if (!(fp_out->daccess & FILE_WRITE_DATA_LE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } ++ + src_off = le64_to_cpu(dup_ext->SourceFileOffset); + dst_off = le64_to_cpu(dup_ext->TargetFileOffset); + length = le64_to_cpu(dup_ext->ByteCount); diff --git a/queue-6.1/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch b/queue-6.1/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch new file mode 100644 index 0000000000..3bed245027 --- /dev/null +++ b/queue-6.1/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch @@ -0,0 +1,86 @@ +From d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e Mon Sep 17 00:00:00 2001 +From: Davide Ornaghi +Date: Sat, 6 Jun 2026 16:11:04 +0900 +Subject: ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation + +From: Davide Ornaghi + +commit d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e upstream. + +When a blocking byte-range lock request is deferred in the +FILE_LOCK_DEFERRED path, ksmbd registers the asynchronous work into +the connection's async_requests list via setup_async_work(). The cancel +callback smb2_remove_blocked_lock() holds a reference to the flock. + +If the lock waiter is subsequently woken up but the work state is no +longer KSMBD_WORK_ACTIVE (e.g., due to a concurrent cancellation), the +cleanup path calls locks_free_lock(flock) without dequeuing the work from +the async_requests list. Concurrently, smb2_cancel() walks the list +under conn->request_lock and invokes the cancel callback, which then +dereferences the already freed 'flock'. This leads to a slab-use-after-free +inside __wake_up_common. + +Fix this by restructuring the cleanup logic after the worker returns +from ksmbd_vfs_posix_lock_wait(). Move list_del(&smb_lock->llist) and +release_async_work(work) to the top of the cleanup block. This guarantees +that the async work is completely dequeued and serialized under +conn->request_lock before locks_free_lock(flock) is called, rendering +the flock unreachable for any concurrent smb2_cancel(). + +Cc: stable@vger.kernel.org +Signed-off-by: Davide Ornaghi +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7229,29 +7229,27 @@ skip: + list_del(&work->fp_entry); + spin_unlock(&fp->f_lock); + +- if (work->state != KSMBD_WORK_ACTIVE) { +- list_del(&smb_lock->llist); +- locks_free_lock(flock); ++ list_del(&smb_lock->llist); ++ release_async_work(work); ++ ++ if (work->state == KSMBD_WORK_ACTIVE) ++ goto retry; + +- if (work->state == KSMBD_WORK_CANCELLED) { +- rsp->hdr.Status = +- STATUS_CANCELLED; +- kfree(smb_lock); +- smb2_send_interim_resp(work, +- STATUS_CANCELLED); +- work->send_no_response = 1; +- goto out; +- } ++ locks_free_lock(flock); + +- rsp->hdr.Status = +- STATUS_RANGE_NOT_LOCKED; ++ if (work->state == KSMBD_WORK_CANCELLED) { ++ rsp->hdr.Status = STATUS_CANCELLED; + kfree(smb_lock); +- goto out2; ++ smb2_send_interim_resp(work, ++ STATUS_CANCELLED); ++ work->send_no_response = 1; ++ goto out; + } + +- list_del(&smb_lock->llist); +- release_async_work(work); +- goto retry; ++ rsp->hdr.Status = ++ STATUS_RANGE_NOT_LOCKED; ++ kfree(smb_lock); ++ goto out2; + } else if (!rc) { + list_add(&smb_lock->llist, &rollback_list); + spin_lock(&work->conn->llist_lock); diff --git a/queue-6.1/ksmbd-require-source-read-access-for-duplicate-extents.patch b/queue-6.1/ksmbd-require-source-read-access-for-duplicate-extents.patch new file mode 100644 index 0000000000..d2cadb1fad --- /dev/null +++ b/queue-6.1/ksmbd-require-source-read-access-for-duplicate-extents.patch @@ -0,0 +1,40 @@ +From cedff600f1642aa982178503552f0d007bc829c8 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 13 Jun 2026 22:00:02 +0900 +Subject: ksmbd: require source read access for duplicate extents + +From: Namjae Jeon + +commit cedff600f1642aa982178503552f0d007bc829c8 upstream. + +FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to +vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB +access mask granted to the source handle. A handle opened with attribute +access can consequently be used to copy file contents into an +attacker-readable destination. + +Require FILE_READ_DATA on the source handle before either VFS operation, +matching other ksmbd data-copy paths. + +Cc: stable@vger.kernel.org +Reported-by: Musaab Khan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -8051,6 +8051,10 @@ int smb2_ioctl(struct ksmbd_work *work) + ret = -EACCES; + goto dup_ext_out; + } ++ if (!(fp_in->daccess & FILE_READ_DATA_LE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } + + src_off = le64_to_cpu(dup_ext->SourceFileOffset); + dst_off = le64_to_cpu(dup_ext->TargetFileOffset); diff --git a/queue-6.1/ksmbd-run-set-info-with-opener-credentials.patch b/queue-6.1/ksmbd-run-set-info-with-opener-credentials.patch new file mode 100644 index 0000000000..d45f79d9c9 --- /dev/null +++ b/queue-6.1/ksmbd-run-set-info-with-opener-credentials.patch @@ -0,0 +1,68 @@ +From b383bcad3d2fe634b26efbce53e22bbb5753a520 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 13 Jun 2026 22:00:01 +0900 +Subject: ksmbd: run set info with opener credentials + +From: Namjae Jeon + +commit b383bcad3d2fe634b26efbce53e22bbb5753a520 upstream. + +SMB2 SET_INFO handlers call path-based VFS helpers after checking the +access mask granted to the SMB handle. Those helpers perform their owner, +inode permission and LSM checks using the current ksmbd worker credentials. + +Run the complete SET_INFO dispatch with the credentials captured when the +handle was opened. This also removes the separate security information +credential setup and keeps all SET_INFO classes under one credential scope. + +Direct override_creds() is used because it can nest with the request +credential overrides already used by rename and link helpers. + +Cc: stable@vger.kernel.org +Reported-by: Musaab Khan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6132,6 +6132,7 @@ static int smb2_set_info_sec(struct ksmb + */ + int smb2_set_info(struct ksmbd_work *work) + { ++ const struct cred *saved_cred; + struct smb2_set_info_req *req; + struct smb2_set_info_rsp *rsp; + struct ksmbd_file *fp = NULL; +@@ -6173,6 +6174,7 @@ int smb2_set_info(struct ksmbd_work *wor + goto err_out; + } + ++ saved_cred = override_creds(fp->filp->f_cred); + switch (req->InfoType) { + case SMB2_O_INFO_FILE: + ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n"); +@@ -6180,19 +6182,15 @@ int smb2_set_info(struct ksmbd_work *wor + break; + case SMB2_O_INFO_SECURITY: + ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n"); +- if (ksmbd_override_fsids(work)) { +- rc = -ENOMEM; +- goto err_out; +- } + rc = smb2_set_info_sec(fp, + le32_to_cpu(req->AdditionalInformation), + (char *)req + le16_to_cpu(req->BufferOffset), + le32_to_cpu(req->BufferLength)); +- ksmbd_revert_fsids(work); + break; + default: + rc = -EOPNOTSUPP; + } ++ revert_creds(saved_cred); + + if (rc < 0) + goto err_out; diff --git a/queue-6.1/ksmbd-serialize-query_directory-requests-per-file.patch b/queue-6.1/ksmbd-serialize-query_directory-requests-per-file.patch new file mode 100644 index 0000000000..dceed74dd7 --- /dev/null +++ b/queue-6.1/ksmbd-serialize-query_directory-requests-per-file.patch @@ -0,0 +1,86 @@ +From be6d26bf27499977c746abc163659915082348d8 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 12 Jun 2026 08:00:00 +0900 +Subject: ksmbd: serialize QUERY_DIRECTORY requests per file + +From: Namjae Jeon + +commit be6d26bf27499977c746abc163659915082348d8 upstream. + +smb2_query_dir() stores a pointer to its stack-allocated private data in +the ksmbd_file readdir_data. Concurrent QUERY_DIRECTORY requests using the +same file handle can overwrite this pointer while an iterate_dir() callback +is still using it, resulting in a stack use-after-free. + +Add a per-file mutex and hold it while accessing the shared directory +enumeration state. The lock covers scan restart, dot entry state, +readdir_data setup and iteration, and response construction. This prevents +another request from replacing readdir_data.private before the current +request has finished using it and also serializes the shared file position. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-30527 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ++++ + fs/smb/server/vfs_cache.c | 1 + + fs/smb/server/vfs_cache.h | 2 ++ + 3 files changed, 7 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4126,6 +4126,8 @@ int smb2_query_dir(struct ksmbd_work *wo + ksmbd_debug(SMB, "Search pattern is %s\n", srch_ptr); + } + ++ mutex_lock(&dir_fp->readdir_lock); ++ + if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) { + ksmbd_debug(SMB, "Restart directory scan\n"); + generic_file_llseek(dir_fp->filp, 0, SEEK_SET); +@@ -4230,6 +4232,7 @@ no_buf_len: + goto err_out; + } + ++ mutex_unlock(&dir_fp->readdir_lock); + kfree(srch_ptr); + ksmbd_fd_put(work, dir_fp); + ksmbd_revert_fsids(work); +@@ -4237,6 +4240,7 @@ no_buf_len: + + err_out: + pr_err("error while processing smb2 query dir rc = %d\n", rc); ++ mutex_unlock(&dir_fp->readdir_lock); + kfree(srch_ptr); + + err_out2: +--- a/fs/smb/server/vfs_cache.c ++++ b/fs/smb/server/vfs_cache.c +@@ -574,6 +574,7 @@ struct ksmbd_file *ksmbd_open_fd(struct + INIT_LIST_HEAD(&fp->node); + INIT_LIST_HEAD(&fp->lock_list); + spin_lock_init(&fp->f_lock); ++ mutex_init(&fp->readdir_lock); + atomic_set(&fp->refcount, 1); + + fp->filp = filp; +--- a/fs/smb/server/vfs_cache.h ++++ b/fs/smb/server/vfs_cache.h +@@ -8,6 +8,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -103,6 +104,7 @@ struct ksmbd_file { + + /* if ls is happening on directory, below is valid*/ + struct ksmbd_readdir_data readdir_data; ++ struct mutex readdir_lock; + int dot_dotdot[2]; + unsigned int f_state; + bool reserve_lease_break; diff --git a/queue-6.1/series b/queue-6.1/series index e4400cd6e1..4b640909dc 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -132,3 +132,15 @@ bluetooth-bnep-pin-l2cap-connection-during-netdev-registration.patch bluetooth-fix-uaf-in-bt_accept_dequeue.patch bluetooth-l2cap-validate-option-length-before-reading-conf-opt-value.patch net-drop-the-lock-in-skb_may_tx_timestamp.patch +ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch +ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch +ksmbd-serialize-query_directory-requests-per-file.patch +ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch +ksmbd-require-source-read-access-for-duplicate-extents.patch +ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch +ksmbd-run-set-info-with-opener-credentials.patch +ksmbd-add-per-handle-permission-check-to-file_link_information.patch +smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch +smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch +smb-client-harden-posix-sid-length-parsing.patch +smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch diff --git a/queue-6.1/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch b/queue-6.1/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch new file mode 100644 index 0000000000..0a5f455f21 --- /dev/null +++ b/queue-6.1/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch @@ -0,0 +1,52 @@ +From 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 23 Jun 2026 09:45:38 +0800 +Subject: smb: client: Fix next buffer leak in receive_encrypted_standard() + +From: Haoxiang Li + +commit 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b upstream. + +receive_encrypted_standard() allocates next_buffer before checking +whether the number of compound PDUs already reached MAX_COMPOUND. If +the limit check fails, the function returns immediately and the newly +allocated next_buffer is not assigned to server->smallbuf/server->bigbuf, +making it leaked. + +Move the MAX_COMPOUND check before allocating next_buffer. + +Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -5189,6 +5189,12 @@ receive_encrypted_standard(struct TCP_Se + one_more: + shdr = (struct smb2_hdr *)buf; + next_cmd = le32_to_cpu(shdr->NextCommand); ++ ++ if (*num_mids >= MAX_COMPOUND) { ++ cifs_server_dbg(VFS, "too many PDUs in compound\n"); ++ return -1; ++ } ++ + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; +@@ -5212,10 +5218,6 @@ one_more: + mid_entry->resp_buf_size = server->pdu_size; + } + +- if (*num_mids >= MAX_COMPOUND) { +- cifs_server_dbg(VFS, "too many PDUs in compound\n"); +- return -1; +- } + bufs[*num_mids] = buf; + mids[(*num_mids)++] = mid_entry; + diff --git a/queue-6.1/smb-client-harden-posix-sid-length-parsing.patch b/queue-6.1/smb-client-harden-posix-sid-length-parsing.patch new file mode 100644 index 0000000000..67ddfbc8da --- /dev/null +++ b/queue-6.1/smb-client-harden-posix-sid-length-parsing.patch @@ -0,0 +1,40 @@ +From 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 Mon Sep 17 00:00:00 2001 +From: Zihan Xi +Date: Sun, 28 Jun 2026 17:19:24 +0800 +Subject: smb: client: harden POSIX SID length parsing + +From: Zihan Xi + +commit 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 upstream. + +posix_info_sid_size() reads sid[1] to obtain the subauthority count, +but its existing boundary check still accepts buffers with only one +remaining byte. Require two bytes before reading sid[1] so all client +paths that reuse the helper reject truncated POSIX SIDs safely. + +Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level") +Cc: stable@vger.kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Assisted-by: Codex:gpt-5.4 +Signed-off-by: Zihan Xi +Signed-off-by: Ren Wei +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4857,7 +4857,7 @@ int posix_info_sid_size(const void *beg, + size_t subauth; + int total; + +- if (beg + 1 > end) ++ if (beg + 2 > end) + return -1; + + subauth = *(u8 *)(beg+1); diff --git a/queue-6.1/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch b/queue-6.1/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch new file mode 100644 index 0000000000..852ec4b647 --- /dev/null +++ b/queue-6.1/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch @@ -0,0 +1,34 @@ +From e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 Mon Sep 17 00:00:00 2001 +From: Norbert Manthey +Date: Thu, 9 Jul 2026 15:54:39 +0000 +Subject: smb: client: mask server-provided mode to 07777 in modefromsid + +From: Norbert Manthey + +commit e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 upstream. + +When modefromsid is active, parse_dacl() applies the server-provided +sub_auth[2] value from the NFS mode SID to cf_mode without masking to +07777. Apply the correct masking, same as in the read path. + +Fixes: e2f8fbfb8d09c ("cifs: get mode bits from special sid on stat") +Signed-off-by: Norbert Manthey +Assisted-by: Kiro:claude-opus-4.6 +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsacl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -887,7 +887,7 @@ static void parse_dacl(struct cifs_acl * + */ + fattr->cf_mode &= ~07777; + fattr->cf_mode |= +- le32_to_cpu(ppace[i]->sid.sub_auth[2]); ++ le32_to_cpu(ppace[i]->sid.sub_auth[2]) & 07777; + break; + } else { + if (compare_sids(&(ppace[i]->sid), pownersid) == 0) { diff --git a/queue-6.1/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch b/queue-6.1/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch new file mode 100644 index 0000000000..e8f4752ac4 --- /dev/null +++ b/queue-6.1/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch @@ -0,0 +1,38 @@ +From b86467cd2691192ad4809a5a6e922fc24b8e9839 Mon Sep 17 00:00:00 2001 +From: Zihan Xi +Date: Wed, 1 Jul 2026 18:23:21 +0800 +Subject: smb: client: use unaligned reads in parse_posix_ctxt() + +From: Zihan Xi + +commit b86467cd2691192ad4809a5a6e922fc24b8e9839 upstream. + +The server controls create-context DataOffset, so the POSIX context data +pointer may be misaligned on strict-alignment architectures. Use +get_unaligned_le32() when reading nlink, reparse_tag, and mode. + +Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data") +Cc: stable@vger.kernel.org +Signed-off-by: Zihan Xi +Signed-off-by: Ren Wei +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -2130,9 +2130,9 @@ parse_posix_ctxt(struct create_context * + + memset(posix, 0, sizeof(*posix)); + +- posix->nlink = le32_to_cpu(*(__le32 *)(beg + 0)); +- posix->reparse_tag = le32_to_cpu(*(__le32 *)(beg + 4)); +- posix->mode = le32_to_cpu(*(__le32 *)(beg + 8)); ++ posix->nlink = get_unaligned_le32(beg); ++ posix->reparse_tag = get_unaligned_le32(beg + 4); ++ posix->mode = get_unaligned_le32(beg + 8); + + sid = beg + 12; + sid_len = posix_info_sid_size(sid, end); -- 2.47.3