| From 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 Mon Sep 17 00:00:00 2001 |
| From: Michael Bommarito <michael.bommarito@gmail.com> |
| Date: Mon, 20 Apr 2026 09:50:58 -0400 |
| Subject: smb: client: require a full NFS mode SID before reading mode bits |
| |
| From: Michael Bommarito <michael.bommarito@gmail.com> |
| |
| commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 upstream. |
| |
| parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS |
| mode SID and reads sid.sub_auth[2] to recover the mode bits. |
| |
| That assumes the ACE carries three subauthorities, but compare_sids() |
| only compares min(a, b) subauthorities. A malicious server can return |
| an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still |
| matches sid_unix_NFS_mode and then drives the sub_auth[2] read four |
| bytes past the end of the ACE. |
| |
| Require num_subauth >= 3 before treating the ACE as an NFS mode SID. |
| This keeps the fix local to the special-SID mode path without changing |
| compare_sids() semantics for the rest of cifsacl. |
| |
| Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat") |
| Cc: stable@vger.kernel.org |
| Assisted-by: Claude:claude-opus-4-6 |
| Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> |
| Signed-off-by: Steve French <stfrench@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/smb/client/cifsacl.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/fs/smb/client/cifsacl.c |
| +++ b/fs/smb/client/cifsacl.c |
| @@ -807,6 +807,7 @@ static void parse_dacl(struct cifs_acl * |
| dump_ace(ppace[i], end_of_acl); |
| #endif |
| if (mode_from_special_sid && |
| + ppace[i]->sid.num_subauth >= 3 && |
| (compare_sids(&(ppace[i]->sid), |
| &sid_unix_NFS_mode) == 0)) { |
| /* |
