git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Ali Ganiyev <ali.qaniyev@gmail.com>
	Mon, 25 May 2026 01:23:47 +0000 (10:23 +0900)
committer	Steve French <stfrench@microsoft.com>
	Wed, 27 May 2026 01:36:36 +0000 (20:36 -0500)
commit	0e60dafe97eca61721f3db456f97d97a80c6c8ae
tree	2b2b625ddd008443fd057b6fb271ff2d4f5dc66f	tree \| snapshot
parent	e7ae89a0c97ce2b68b0983cd01eda67cf373517d	commit \| diff

ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops

Commit d07b26f39246 ("ksmbd: require minimum ACE size in
smb_check_perm_dacl()") introduced a transposed bounds check:

if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)

Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates
to `aces_size < 0`. Because `aces_size` is always non-negative, this
check becomes dead code and never breaks the loop.

Worse, that commit removed the old 4-byte guard, meaning the loop now
reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This
re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation
during subsequent SMB2_CREATE operations.

Fix this by properly transposing the comparison to require at least
16 bytes (8-byte offset + 8-byte SID base), matching the correct form
used in smb_inherit_dacl().

Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>