--- /dev/null
+From 1b8b67f3c5e5169535e26efedd3e422172e2db64 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 12 Feb 2025 09:32:11 +0900
+Subject: ksmbd: fix incorrect validation for num_aces field of smb_acl
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream.
+
+parse_dcal() validate num_aces to allocate posix_ace_state_array.
+
+if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+
+It is an incorrect validation that we can create an array of size ULONG_MAX.
+smb_acl has ->size field to calculate actual number of aces in request buffer
+size. Use this to check invalid num_aces.
+
+Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -398,7 +398,9 @@ static void parse_dacl(struct user_names
+ if (num_aces <= 0)
+ return;
+
+- if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
++ if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
++ (offsetof(struct smb_ace, sid) +
++ offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
+ return;
+
+ ret = init_acl_state(&acl_state, num_aces);
+@@ -432,6 +434,7 @@ static void parse_dacl(struct user_names
+ offsetof(struct smb_sid, sub_auth);
+
+ if (end_of_acl - acl_base < acl_size ||
++ ppace[i]->sid.num_subauth == 0 ||
+ ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ (end_of_acl - acl_base <
+ acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
projects / thirdparty / kernel / stable-queue.git / commitdiff
