Skip to content

Commit 0a8cf16

Browse files
mjbommarsmfrench
mjbommar
authored and
smfrench
committed
smb: client: validate the whole DACL before rewriting it in cifsacl
build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL. Fixes: bc3e9dd ("cifs: Change SIDs in ACEs while transferring file ownership.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
1 parent a58c5af commit 0a8cf16

1 file changed

Lines changed: 85 additions & 31 deletions

File tree

fs/smb/client/cifsacl.c

Lines changed: 85 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -758,14 +758,85 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl)
758758
}
759759
#endif
760760

761+
static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
762+
{
763+
int i, ace_hdr_size, ace_size, min_ace_size;
764+
u16 dacl_size, num_aces;
765+
char *acl_base, *end_of_dacl;
766+
struct smb_ace *pace;
767+
768+
if (!pdacl)
769+
return 0;
770+
771+
if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
772+
cifs_dbg(VFS, "ACL too small to parse DACL\n");
773+
return -EINVAL;
774+
}
775+
776+
dacl_size = le16_to_cpu(pdacl->size);
777+
if (dacl_size < sizeof(struct smb_acl) ||
778+
end_of_acl < (char *)pdacl + dacl_size) {
779+
cifs_dbg(VFS, "ACL too small to parse DACL\n");
780+
return -EINVAL;
781+
}
782+
783+
num_aces = le16_to_cpu(pdacl->num_aces);
784+
if (!num_aces)
785+
return 0;
786+
787+
ace_hdr_size = offsetof(struct smb_ace, sid) +
788+
offsetof(struct smb_sid, sub_auth);
789+
min_ace_size = ace_hdr_size + sizeof(__le32);
790+
if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
791+
cifs_dbg(VFS, "ACL too small to parse DACL\n");
792+
return -EINVAL;
793+
}
794+
795+
end_of_dacl = (char *)pdacl + dacl_size;
796+
acl_base = (char *)pdacl;
797+
ace_size = sizeof(struct smb_acl);
798+
799+
for (i = 0; i < num_aces; ++i) {
800+
if (end_of_dacl - acl_base < ace_size) {
801+
cifs_dbg(VFS, "ACL too small to parse ACE\n");
802+
return -EINVAL;
803+
}
804+
805+
pace = (struct smb_ace *)(acl_base + ace_size);
806+
acl_base = (char *)pace;
807+
808+
if (end_of_dacl - acl_base < ace_hdr_size ||
809+
pace->sid.num_subauth == 0 ||
810+
pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
811+
cifs_dbg(VFS, "ACL too small to parse ACE\n");
812+
return -EINVAL;
813+
}
814+
815+
ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
816+
if (end_of_dacl - acl_base < ace_size ||
817+
le16_to_cpu(pace->size) < ace_size) {
818+
cifs_dbg(VFS, "ACL too small to parse ACE\n");
819+
return -EINVAL;
820+
}
821+
822+
ace_size = le16_to_cpu(pace->size);
823+
if (end_of_dacl - acl_base < ace_size) {
824+
cifs_dbg(VFS, "ACL too small to parse ACE\n");
825+
return -EINVAL;
826+
}
827+
}
828+
829+
return 0;
830+
}
831+
761832
static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
762833
struct smb_sid *pownersid, struct smb_sid *pgrpsid,
763834
struct cifs_fattr *fattr, bool mode_from_special_sid)
764835
{
765836
int i;
766837
u16 num_aces = 0;
767838
int acl_size;
768-
char *acl_base;
839+
char *acl_base, *end_of_dacl;
769840
struct smb_ace **ppace;
770841

771842
/* BB need to add parm so we can store the SID BB */
@@ -777,12 +848,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
777848
return;
778849
}
779850

780-
/* validate that we do not go past end of acl */
781-
if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
782-
end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
783-
cifs_dbg(VFS, "ACL too small to parse DACL\n");
851+
if (validate_dacl(pdacl, end_of_acl))
784852
return;
785-
}
786853

787854
cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
788855
le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
@@ -793,42 +860,23 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
793860
user/group/other have no permissions */
794861
fattr->cf_mode &= ~(0777);
795862

863+
end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
796864
acl_base = (char *)pdacl;
797865
acl_size = sizeof(struct smb_acl);
798866

799867
num_aces = le16_to_cpu(pdacl->num_aces);
800868
if (num_aces > 0) {
801869
umode_t denied_mode = 0;
802870

803-
if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
804-
(offsetof(struct smb_ace, sid) +
805-
offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
806-
return;
807-
808871
ppace = kmalloc_objs(struct smb_ace *, num_aces);
809872
if (!ppace)
810873
return;
811874

812875
for (i = 0; i < num_aces; ++i) {
813-
if (end_of_acl - acl_base < acl_size)
814-
break;
815-
816876
ppace[i] = (struct smb_ace *) (acl_base + acl_size);
817-
acl_base = (char *)ppace[i];
818-
acl_size = offsetof(struct smb_ace, sid) +
819-
offsetof(struct smb_sid, sub_auth);
820-
821-
if (end_of_acl - acl_base < acl_size ||
822-
ppace[i]->sid.num_subauth == 0 ||
823-
ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
824-
(end_of_acl - acl_base <
825-
acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
826-
(le16_to_cpu(ppace[i]->size) <
827-
acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
828-
break;
829877

830878
#ifdef CONFIG_CIFS_DEBUG2
831-
dump_ace(ppace[i], end_of_acl);
879+
dump_ace(ppace[i], end_of_dacl);
832880
#endif
833881
if (mode_from_special_sid &&
834882
(compare_sids(&(ppace[i]->sid),
@@ -870,6 +918,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
870918
(void *)ppace[i],
871919
sizeof(struct smb_ace)); */
872920

921+
acl_base = (char *)ppace[i];
873922
acl_size = le16_to_cpu(ppace[i]->size);
874923
}
875924

@@ -1293,10 +1342,9 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,
12931342
dacloffset = le32_to_cpu(pntsd->dacloffset);
12941343
if (dacloffset) {
12951344
dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
1296-
if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
1297-
cifs_dbg(VFS, "Server returned illegal ACL size\n");
1298-
return -EINVAL;
1299-
}
1345+
rc = validate_dacl(dacl_ptr, end_of_acl);
1346+
if (rc)
1347+
return rc;
13001348
}
13011349

13021350
owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
@@ -1662,6 +1710,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
16621710
dacloffset = le32_to_cpu(pntsd->dacloffset);
16631711
if (dacloffset) {
16641712
dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
1713+
rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
1714+
if (rc) {
1715+
kfree(pntsd);
1716+
cifs_put_tlink(tlink);
1717+
return rc;
1718+
}
16651719
if (mode_from_sid)
16661720
nsecdesclen +=
16671721
le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);

0 commit comments

Comments
 (0)