From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Mar 2025 17:36:35 +0000 (-0700)
Subject: 6.12-stable patches
X-Git-Tag: v6.1.132~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c68ccfa57008c702dc43c27661b69a6d0ffa0313;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
	ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
---

diff --git a/queue-6.12/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch b/queue-6.12/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
new file mode 100644
index 0000000000..f5100721c9
--- /dev/null
+++ b/queue-6.12/ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch
@@ -0,0 +1,47 @@
+From 1b8b67f3c5e5169535e26efedd3e422172e2db64 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 12 Feb 2025 09:32:11 +0900
+Subject: ksmbd: fix incorrect validation for num_aces field of smb_acl
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream.
+
+parse_dcal() validate num_aces to allocate posix_ace_state_array.
+
+if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+
+It is an incorrect validation that we can create an array of size ULONG_MAX.
+smb_acl has ->size field to calculate actual number of aces in request buffer
+size. Use this to check invalid num_aces.
+
+Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap
+ 	if (num_aces <= 0)
+ 		return;
+ 
+-	if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
++	if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
++			(offsetof(struct smb_ace, sid) +
++			 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
+ 		return;
+ 
+ 	ret = init_acl_state(&acl_state, num_aces);
+@@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap
+ 			offsetof(struct smb_sid, sub_auth);
+ 
+ 		if (end_of_acl - acl_base < acl_size ||
++		    ppace[i]->sid.num_subauth == 0 ||
+ 		    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ 		    (end_of_acl - acl_base <
+ 		     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
diff --git a/queue-6.12/series b/queue-6.12/series
index 1598d4c36b..6e34f713bb 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -99,3 +99,4 @@ drm-amdgpu-remove-jpeg-from-vega-and-carrizo-video-caps.patch
 drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch
 drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
 drm-amdkfd-fix-user-queue-validation-on-gfx7-8.patch
+ksmbd-fix-incorrect-validation-for-num_aces-field-of-smb_acl.patch