From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Mar 2025 17:35:50 +0000 (-0700)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.132~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5a6f75d5d4e7a03b728f411366f364d0abf7e6c2;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
---

diff --git a/queue-6.1/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch b/queue-6.1/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
new file mode 100644
index 0000000000..bb8d6cff80
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
@@ -0,0 +1,47 @@
+From 1b8b67f3c5e5169535e26efedd3e422172e2db64 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 12 Feb 2025 09:32:11 +0900
+Subject: ksmbd: fix incorrect validation for num_aces field of smb_acl
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream.
+
+parse_dcal() validate num_aces to allocate posix_ace_state_array.
+
+if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+
+It is an incorrect validation that we can create an array of size ULONG_MAX.
+smb_acl has ->size field to calculate actual number of aces in request buffer
+size. Use this to check invalid num_aces.
+
+Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -398,7 +398,9 @@ static void parse_dacl(struct user_names
+ 	if (num_aces <= 0)
+ 		return;
+ 
+-	if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
++	if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
++			(offsetof(struct smb_ace, sid) +
++			 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
+ 		return;
+ 
+ 	ret = init_acl_state(&acl_state, num_aces);
+@@ -432,6 +434,7 @@ static void parse_dacl(struct user_names
+ 			offsetof(struct smb_sid, sub_auth);
+ 
+ 		if (end_of_acl - acl_base < acl_size ||
++		    ppace[i]->sid.num_subauth == 0 ||
+ 		    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ 		    (end_of_acl - acl_base <
+ 		     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
diff --git a/queue-6.1/series b/queue-6.1/series
index fb9ba710ae..5af33c095b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -187,3 +187,4 @@ batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch
 soc-qcom-pdr-fix-the-potential-deadlock.patch
 drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
 drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
+ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch