path: root/scripts/objdiff
author: Ali Ganiyev <ali.qaniyev@gmail.com> 2026-05-25 10:23:47 +0900
committer: Steve French <stfrench@microsoft.com> 2026-05-26 20:36:36 -0500
commit: 0e60dafe97eca61721f3db456f97d97a80c6c8ae
tree: 2b2b625ddd008443fd057b6fb271ff2d4f5dc66f /scripts/objdiff
parent: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
Commit d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
introduced a transposed bounds check:

    if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)

Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates to
`aces_size < 0`. Because `aces_size` is always non-negative, this check
becomes dead code and never breaks the loop.

Worse, that commit removed the old 4-byte guard, meaning the loop now reads
`ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This re-opens a
2-byte heap out-of-bounds (OOB) read past the pntsd allocation during
subsequent SMB2_CREATE operations.

Fix this by properly transposing the comparison to require at least 16 bytes
(8-byte offset + 8-byte SID base), matching the correct form used in
smb_inherit_dacl().

Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
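The following C model is an added illustration, not code from the commit or from ksmbd: it places the transposed guard next to the corrected one and walks a constructed ACE buffer with each, detecting (rather than performing) the read of `ace->size` that would cross the end. The simplified `struct smb_ace`, the `num_aces`-driven loop and the sample buffer are assumptions of the model; only the offsets and constants come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in layout matching the offsets stated in the commit message:
 * ace->size at offset 2, sid at offset 8, CIFS_SID_BASE_SIZE == 8. */
#define CIFS_SID_BASE_SIZE 8
struct smb_sid { uint8_t revision, num_subauth, authority[6]; uint32_t sub_auth[1]; };
struct smb_ace { uint8_t type, flags; uint16_t size; uint32_t access_req; struct smb_sid sid; };

/* Transposed guard from d07b26f39246: 8 + aces_size < 8 is never true for a
 * non-negative aces_size, so it never stops the walk. */
static int guard_buggy(int aces_size)
{
    return offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE;
}

/* Corrected guard: require the 8-byte ACE header plus the 8-byte SID base. */
static int guard_fixed(int aces_size)
{
    return aces_size < (int)(offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE);
}

/* Model of the ACE walk: returns how many ACE headers were read and sets *oob
 * when reading ace->size would cross the end of the accounted bytes.
 * Endianness is ignored; the read past the end is detected, not performed. */
static int walk_aces(const uint8_t *buf, int aces_size, int num_aces,
                     int (*too_small)(int), int *oob)
{
    const uint8_t *ace = buf;
    int i, count = 0;
    *oob = 0;
    for (i = 0; i < num_aces; i++) {
        uint16_t size;
        if (too_small(aces_size))
            break;                         /* guard stops the walk before any read */
        if (aces_size < (int)(offsetof(struct smb_ace, size) + sizeof(size))) {
            *oob = 1;                      /* ace->size lies past the end */
            break;
        }
        memcpy(&size, ace + offsetof(struct smb_ace, size), sizeof(size));
        count++;
        if (size == 0 || size > aces_size)
            break;                         /* model-only termination guard */
        ace += size;
        aces_size -= size;
    }
    return count;
}

/* Constructed sample: two 20-byte ACEs plus 3 stray bytes, declared as 3 ACEs so
 * the third iteration sees aces_size == 3. Returns 1 when only the buggy guard
 * lets the walk reach past the end. */
#define ACE_LEN 20
int demo_regression(void)
{
    uint8_t buf[2 * ACE_LEN + 3] = {0};
    uint16_t size = ACE_LEN;
    int oob_buggy, oob_fixed, n_buggy, n_fixed;
    memcpy(buf + offsetof(struct smb_ace, size), &size, sizeof(size));
    memcpy(buf + ACE_LEN + offsetof(struct smb_ace, size), &size, sizeof(size));
    n_buggy = walk_aces(buf, (int)sizeof(buf), 3, guard_buggy, &oob_buggy);
    n_fixed = walk_aces(buf, (int)sizeof(buf), 3, guard_fixed, &oob_fixed);
    return oob_buggy && !oob_fixed && n_buggy == 2 && n_fixed == 2;
}
```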
Diffstat (limited to 'scripts/objdiff')
0 files changed, 0 insertions, 0 deletions