diff options
| author | Haofeng Li <lihaofeng@kylinos.cn> | 2026-06-25 14:48:07 +0000 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-30 21:29:45 -0500 |
| commit | 60908f7ebcd9b6cde74ad5711fab0f49c7970949 (patch) | |
| tree | 0c82b7e1d236f9f814339f3e1ce7a7cc084a51e9 /drivers/gpu/nova-core/fsp/git@git.tavy.me:linux.git | |
| parent | 7ac657bb9c5c1b0f7bdf1fa6d3ad532f969be5cf (diff) | |
ksmbd: reject undersized DACLs before parsing ACEs
parse_dacl() limits the attacker-controlled ACE count by comparing it
with the number of minimal ACEs that fit in the DACL size. The DACL size
field is 16 bits, but the expression subtracts sizeof(struct smb_acl).
Because sizeof() is unsigned, a DACL size smaller than the ACL header
underflows to a large size_t.
A malicious client can reach this with:
SMB2_SET_INFO (InfoType=SMB2_O_INFO_SECURITY)
-> smb2_set_info_sec()
-> set_info_sec()
-> parse_sec_desc()
-> parse_dacl()
-> init_acl_state(..., 0xffff)
-> init_acl_state(..., 0xffff)
-> kmalloc_objs(..., 0xffff)
Thus a malformed security descriptor can make num_aces pass the guard
and drive large temporary ACL state and pointer-array allocations.
Reject DACLs smaller than struct smb_acl before doing the subtraction,
so the ACE count check cannot be bypassed by the underflow.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Haofeng Li <lihaofeng@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'drivers/gpu/nova-core/fsp/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
