Commit 9f43c59b authored Apr 07, 2025 by Namjae Jeon Committed by Yongjian Sun Apr 07, 2025

ksmbd: fix incorrect validation for num_aces field of smb_acl

mainline inclusion
from mainline-v6.12-rc3
commit 1b8b67f3c5e5169535e26efedd3e422172e2db64
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBYED0
CVE: CVE-2025-21994

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b8b67f3c5e5169535e26efedd3e422172e2db64



--------------------------------

parse_dcal() validate num_aces to allocate posix_ace_state_array.

if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.

Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>

parent ee9df505

fs/smb/server/smbacl.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap *idmap,
		if (num_aces <= 0)
		return;

		if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
		if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
		(offsetof(struct smb_ace, sid) +
		offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
		return;

		ret = init_acl_state(&acl_state, num_aces);
		@@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap *idmap,
		offsetof(struct smb_sid, sub_auth);

		if (end_of_acl - acl_base < acl_size \|\|
		ppace[i]->sid.num_subauth == 0 \|\|
		ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES \|\|
		(end_of_acl - acl_base <
		acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) \|\|