summaryrefslogtreecommitdiff
path: root/lib/raid/raid6/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorHaofeng Li <lihaofeng@kylinos.cn>2026-06-25 14:48:07 +0000
committerSteve French <stfrench@microsoft.com>2026-06-30 21:29:45 -0500
commit60908f7ebcd9b6cde74ad5711fab0f49c7970949 (patch)
tree0c82b7e1d236f9f814339f3e1ce7a7cc084a51e9 /lib/raid/raid6/git@git.tavy.me:linux-stable.git
parent7ac657bb9c5c1b0f7bdf1fa6d3ad532f969be5cf (diff)
ksmbd: reject undersized DACLs before parsing ACEs
parse_dacl() limits the attacker-controlled ACE count by comparing it with the number of minimal ACEs that fit in the DACL size. The DACL size field is 16 bits, but the expression subtracts sizeof(struct smb_acl). Because sizeof() is unsigned, a DACL size smaller than the ACL header underflows to a large size_t. A malicious client can reach this with: SMB2_SET_INFO (InfoType=SMB2_O_INFO_SECURITY) -> smb2_set_info_sec() -> set_info_sec() -> parse_sec_desc() -> parse_dacl() -> init_acl_state(..., 0xffff) -> init_acl_state(..., 0xffff) -> kmalloc_objs(..., 0xffff) Thus a malformed security descriptor can make num_aces pass the guard and drive large temporary ACL state and pointer-array allocations. Reject DACLs smaller than struct smb_acl before doing the subtraction, so the ACE count check cannot be bypassed by the underflow. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Haofeng Li <lihaofeng@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'lib/raid/raid6/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions