From: Greg Kroah-Hartman Date: Wed, 17 Jun 2026 07:44:59 +0000 (+0530) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2a977fca6b163d6649bc74f7022aa7b2092a102f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch --- diff --git a/queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch b/queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch new file mode 100644 index 0000000000..0719290507 --- /dev/null +++ b/queue-6.1/ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch 
@@ -0,0 +1,61 @@ +From 0e60dafe97eca61721f3db456f97d97a80c6c8ae Mon Sep 17 00:00:00 2001 +From: Ali Ganiyev +Date: Mon, 25 May 2026 10:23:47 +0900 +Subject: ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops + +From: Ali Ganiyev + +commit 0e60dafe97eca61721f3db456f97d97a80c6c8ae upstream. + +Commit d07b26f39246 ("ksmbd: require minimum ACE size in +smb_check_perm_dacl()") introduced a transposed bounds check: + + if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE) + +Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates +to `aces_size < 0`. Because `aces_size` is always non-negative, this +check becomes dead code and never breaks the loop. + +Worse, that commit removed the old 4-byte guard, meaning the loop now +reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This +re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation +during subsequent SMB2_CREATE operations. + +Fix this by properly transposing the comparison to require at least +16 bytes (8-byte offset + 8-byte SID base), matching the correct form +used in smb_inherit_dacl(). 
+ +Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()") +Cc: stable@vger.kernel.org +Signed-off-by: Ali Ganiyev +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -1297,8 +1297,8 @@ int smb_check_perm_dacl(struct ksmbd_con + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); + aces_size = acl_size - sizeof(struct smb_acl); + for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { +- if (offsetof(struct smb_ace, sid) + +- aces_size < CIFS_SID_BASE_SIZE) ++ if (aces_size < offsetof(struct smb_ace, sid) + ++ CIFS_SID_BASE_SIZE) + break; + ace_size = le16_to_cpu(ace->size); + if (ace_size > aces_size || +@@ -1321,8 +1321,8 @@ int smb_check_perm_dacl(struct ksmbd_con + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); + aces_size = acl_size - sizeof(struct smb_acl); + for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { +- if (offsetof(struct smb_ace, sid) + +- aces_size < CIFS_SID_BASE_SIZE) ++ if (aces_size < offsetof(struct smb_ace, sid) + ++ CIFS_SID_BASE_SIZE) + break; + ace_size = le16_to_cpu(ace->size); + if (ace_size > aces_size || diff --git a/queue-6.1/series b/queue-6.1/series index e67e109a9f..7e63d3be49 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -526,3 +526,4 @@ crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch media-rc-ttusbir-fix-inverted-error-logic.patch batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch media-rc-igorplugusb-fix-control-request-setup-packet.patch +ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch
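Review bot: in the first hunk (smb_check_perm_dacl, line 1297 region), the replacement guard `if (aces_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE) break;` is now the only thing standing between the loop and the `ace_size = le16_to_cpu(ace->size);` read at offset 2, so a one-line comment stating the 16-byte minimum (8-byte header through sid, plus the 8-byte SID base) would be worth adding next to it; the transposed form this fixes read plausibly enough to get merged, and the intent is not obvious from the expression alone. Also, since `offsetof()` and `CIFS_SID_BASE_SIZE` make the right-hand side a `size_t`, the comparison is performed unsigned; `aces_size` is computed as `acl_size - sizeof(struct smb_acl)` in the visible context but declared outside the hunk, so please confirm that `acl_size >= sizeof(struct smb_acl)` is already guaranteed before this point, otherwise a negative difference would be converted to a large unsigned value and sail past the guard.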
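Review bot: the second hunk (line 1321 region) repeats the identical pre-loop setup and the identical guard from the first hunk, byte for byte; consider factoring the minimum-size check into a small helper (or a named constant for the `offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE` threshold) so the two ACE-walk loops cannot drift apart again, which is the failure mode that let the inverted comparison land in both copies at once. For the series-file hunk, nothing to flag beyond confirming the new entry is appended after the last existing line, as shown.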