From patchwork Wed Feb 12 12:43:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Namjae Jeon X-Patchwork-Id: 13971892 Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 017C220C487 for ; Wed, 12 Feb 2025 12:44:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739364292; cv=none; b=NWsqPdAiDfBsJwy/MErZmM+7iK0Y28s2s1ns+i+HObJ9oWbNZEO6oUDFxtaXcojzO7vRVLuamYYrJto6gKtP199+RwnyvNHIZ9wDcGj6AQ65gbg+m1Jlig7A2VVmOcvifAwSg1z/ad2vbegOVYcxAjJfqAMV5kkiTwJciO4siP8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1739364292; c=relaxed/simple; bh=GI5kQZl0mzTzJ9RTkbhbPtF+3vQfHkm4vLmeq6uVigc=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=ACYSZ6/vdRIQqLNjmukwcFrRJuUTWx3wnx8Vbo7n/xC/hS/nP2TUvRCrI5+5/ZlThU4zWB3DUcR2ydGNYcNpDtwhrcfXsZHB6drHFUQPxbpj1hx2iGrT3cfDsrO7Q0qYYPdOLg2EPCSGpI0DUYtpR1BmL9gieEwW+MqwsTaXr5s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.214.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-220bff984a0so11946505ad.3 for ; Wed, 12 Feb 2025 04:44:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739364290; x=1739969090; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id 
:reply-to; bh=nUnTNnXpeOR0J9OGXHKIO0akNmvV5BR/W8bv2xbh2gw=; b=p5Bn29y1d1x+8S93GinMkTfNbIIavKfcydfQZ1l1v63eYW1YmVU0M3J9hwOPisnIyA cJYUiey17pxoEs16Qk5j2LRlBMWG44ks25HG8m6aIYDSVm+jP3GqGe+/Wl8F4uLR7iwX oGZDLBnENz+FO2uRoA3PVc2I7rOIVhTyMVKZ/RWEyHITDplGHIJgKk4mSfuTrh9b6GKx Km/cTgIMGdZwTU3qIsbKt8LenKx6lz/AvGrU0/WBmqpHEK6gXumIP56xw53ZFl9na9WD HGK/yWQmnfsK4BU190dKPycPuZxxbojuesntZxLGD54moQzkT6V3hp4ob0Q7ZqtUJYPz 4k7g== X-Gm-Message-State: AOJu0YwZt0265rlNt417MCBOir7hAer50Ozp8kXCn24FN8MTLOT5/tFB zYmVNAnNu/b09JXkjdqsjA3IUF8eD5TdMnPXD1Tg0qoR3l4W7viSTDU7Mg== X-Gm-Gg: ASbGnctXNPyJ1UysDqev1UC5qQWO0xU1piqUQOrlFUbEpopQArWV0cxmCP/ms5hkNe1 kPhxWGLtAJaDKG2rZ6JfgCLqgihKo/SWD4251jWZN83PHLX4V7zWYi/xGxBKXdNZcU01vN4tZQR YPlz2kDJoy3nxycKI4Lw66wkhAtoMlWwcOykStU7YUXGdtiQa37w4YBXBP5O+1z5y3x0B6FOrJ7 /QoNil4LOI3+5fC9mF07oVIv8/wOjaXc8qX6nAUvdfinzx6DypYH1aJUF3Ly+IaYuT8kHWMySGM +iXz7ybaGmyjqV91Fhyv0Ri1X3pZNg== X-Google-Smtp-Source: AGHT+IHGdODcAmG4WAfv1IN79Qs5TiNfEbvB66gXsfjKV8EN8zvvLeqoGqyyqGywbtp/GzcrmNabrQ== X-Received: by 2002:a05:6a20:2450:b0:1e1:bdae:e04d with SMTP id adf61e73a8af0-1ee5c85db6bmr6525516637.36.1739364290004; Wed, 12 Feb 2025 04:44:50 -0800 (PST) Received: from localhost.localdomain ([1.227.206.162]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-ad51af7b744sm11248738a12.77.2025.02.12.04.44.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 Feb 2025 04:44:49 -0800 (PST) 
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, atteh.mailbox@gmail.com, pc@manguebit.com, ronniesahlberg@gmail.com, sprasad@microsoft.com, bharathsm@microsoft.com, Namjae Jeon, Igor Leite Ladessa
Subject: [PATCH 1/4] smb: common: change the data type of num_aces to le16
Date: Wed, 12 Feb 2025 21:43:37 +0900
Message-Id: <20250212124340.8034-1-linkinjeon@kernel.org>
X-Mailer: git-send-email 2.25.1

2.4.5 in [MS-DTYP].pdf describes the data type of num_aces as le16:

  AceCount (2 bytes): An unsigned 16-bit integer that specifies the count of the number of ACE records in the ACL.

Change it to le16 and add a reserved field to the smb_acl struct.

Reported-by: Igor Leite Ladessa
Signed-off-by: Namjae Jeon
---
 fs/smb/client/cifsacl.c | 26 +++++++++++++-------------
 fs/smb/common/smbacl.h | 3 ++-
 fs/smb/server/smbacl.c | 27 ++++++++++++++-------------
 fs/smb/server/smbacl.h | 2 +-
 4 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index 699a3f76d083..7d953208046a 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c @@ -763,7 +763,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, struct cifs_fattr *fattr, bool mode_from_special_sid) { int i; - int num_aces = 0; + u16 num_aces = 0; int acl_size; char *acl_base; struct smb_ace **ppace; @@ -785,7 +785,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n", le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size), - le32_to_cpu(pdacl->num_aces)); + le16_to_cpu(pdacl->num_aces)); /* reset rwx permissions for user/group/other. Also, if num_aces is 0 i.e. DACL has no ACEs,
@@ -795,7 +795,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, acl_base = (char *)pdacl; acl_size = sizeof(struct smb_acl); - num_aces = le32_to_cpu(pdacl->num_aces); + num_aces = le16_to_cpu(pdacl->num_aces); if (num_aces > 0) { umode_t denied_mode = 0; @@ -937,12 +937,12 @@ unsigned int setup_special_user_owner_ACE(struct smb_ace *pntace) static void populate_new_aces(char *nacl_base, struct smb_sid *pownersid, struct smb_sid *pgrpsid, - __u64 *pnmode, u32 *pnum_aces, u16 *pnsize, + __u64 *pnmode, u16 *pnum_aces, u16 *pnsize, bool modefromsid, bool posix) { __u64 nmode; - u32 num_aces = 0; + u16 num_aces = 0; u16 nsize = 0; __u64 user_mode; __u64 group_mode; @@ -1050,7 +1050,7 @@ static __u16 replace_sids_and_copy_aces(struct smb_acl *pdacl, struct smb_acl *p u16 size = 0; struct smb_ace *pntace = NULL; char *acl_base = NULL; - u32 src_num_aces = 0; + u16 src_num_aces = 0; u16 nsize = 0; struct smb_ace *pnntace = NULL; char *nacl_base = NULL; @@ -1058,7 +1058,7 @@ static __u16 replace_sids_and_copy_aces(struct smb_acl *pdacl, struct smb_acl *p acl_base = (char *)pdacl; size = sizeof(struct smb_acl); - src_num_aces = le32_to_cpu(pdacl->num_aces); + src_num_aces = le16_to_cpu(pdacl->num_aces); nacl_base = (char *)pndacl; nsize = sizeof(struct smb_acl); @@ -1090,11 +1090,11 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, u16 size = 0; struct smb_ace *pntace = NULL; char *acl_base = NULL; - u32 src_num_aces = 0; + u16 src_num_aces = 0; u16 nsize = 0; struct smb_ace *pnntace = NULL; char *nacl_base = NULL; - u32 num_aces = 0; + u16 num_aces = 0; bool new_aces_set = false; /* Assuming that pndacl and pnmode are never NULL */ 
@@ -1112,7 +1112,7 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, acl_base = (char *)pdacl; size = sizeof(struct smb_acl); - src_num_aces = le32_to_cpu(pdacl->num_aces); + src_num_aces = le16_to_cpu(pdacl->num_aces); /* Retain old ACEs which we can retain */ for (i = 0; i < src_num_aces; ++i) { @@ -1158,7 +1158,7 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, } finalize_dacl: - pndacl->num_aces = cpu_to_le32(num_aces); + pndacl->num_aces = cpu_to_le16(num_aces); pndacl->size = cpu_to_le16(nsize); return 0; @@ -1293,7 +1293,7 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd, dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION); ndacl_ptr->size = cpu_to_le16(0); - ndacl_ptr->num_aces = cpu_to_le32(0); + ndacl_ptr->num_aces = cpu_to_le16(0); rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr, pnmode, mode_from_sid, posix); @@ -1653,7 +1653,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode, dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); if (mode_from_sid) nsecdesclen += - le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace); + le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace); else /* cifsacl */ nsecdesclen += le16_to_cpu(dacl_ptr->size); } diff --git a/fs/smb/common/smbacl.h b/fs/smb/common/smbacl.h index 6a60698fc6f0..a624ec9e4a14 100644 --- a/fs/smb/common/smbacl.h +++ b/fs/smb/common/smbacl.h @@ -107,7 +107,8 @@ struct smb_sid { struct smb_acl { __le16 revision; /* revision level */ __le16 size; - __le32 num_aces; + __le16 num_aces; + __le16 reserved; } __attribute__((packed)); struct smb_ace { diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index d39d3e553366..f820d0759c3c 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c 
@@ -333,7 +333,7 @@ void posix_state_to_acl(struct posix_acl_state *state, pace->e_perm = state->other.allow; } -int init_acl_state(struct posix_acl_state *state, int cnt) +int init_acl_state(struct posix_acl_state *state, u16 cnt) { int alloc; @@ -368,7 +368,7 @@ static void parse_dacl(struct mnt_idmap *idmap, struct smb_fattr *fattr) { int i, ret; - int num_aces = 0; + u16 num_aces = 0; unsigned int acl_size; char *acl_base; struct smb_ace **ppace; @@ -389,12 +389,12 @@ static void parse_dacl(struct mnt_idmap *idmap, ksmbd_debug(SMB, "DACL revision %d size %d num aces %d\n", le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size), - le32_to_cpu(pdacl->num_aces)); + le16_to_cpu(pdacl->num_aces)); acl_base = (char *)pdacl; acl_size = sizeof(struct smb_acl); - num_aces = le32_to_cpu(pdacl->num_aces); + num_aces = le16_to_cpu(pdacl->num_aces); if (num_aces <= 0) return; @@ -580,7 +580,7 @@ static void parse_dacl(struct mnt_idmap *idmap, static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap, struct smb_ace *pndace, - struct smb_fattr *fattr, u32 *num_aces, + struct smb_fattr *fattr, u16 *num_aces, u16 *size, u32 nt_aces_num) { struct posix_acl_entry *pace; @@ -701,7 +701,7 @@ static void set_ntacl_dacl(struct mnt_idmap *idmap, struct smb_fattr *fattr) { struct smb_ace *ntace, *pndace; - int nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0; + u16 nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0; unsigned short size = 0; int i; @@ -728,7 +728,7 @@ static void set_ntacl_dacl(struct mnt_idmap *idmap, set_posix_acl_entries_dacl(idmap, pndace, fattr, &num_aces, &size, nt_num_aces); - pndacl->num_aces = cpu_to_le32(num_aces); + pndacl->num_aces = cpu_to_le16(num_aces); pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size); } 
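Review bot: the replacement line in the set_ntacl_dacl hunk (@@ -701) still converts with `le32_to_cpu(nt_dacl->num_aces)` although this same patch narrows `num_aces` to `__le16`; on a big-endian host `le32_to_cpu()` byte-swaps the 16-bit value as a 32-bit quantity and yields a wrong count, and sparse will flag the `__le32`/`__le16` mismatch. It should read `u16 nt_num_aces = le16_to_cpu(nt_dacl->num_aces), num_aces = 0;` like every other call site converted in this patch. Smaller point in the ksmbd parse_dacl hunk (@@ -389): with `num_aces` now `u16`, the retained `if (num_aces <= 0)` is just `== 0`, and some compilers warn about a `<= 0` test on an unsigned value.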
@@ -736,7 +736,7 @@ static void set_mode_dacl(struct mnt_idmap *idmap, struct smb_acl *pndacl, struct smb_fattr *fattr) { struct smb_ace *pace, *pndace; - u32 num_aces = 0; + u16 num_aces = 0; u16 size = 0, ace_size = 0; uid_t uid; const struct smb_sid *sid; @@ -792,7 +792,7 @@ static void set_mode_dacl(struct mnt_idmap *idmap, fattr->cf_mode, 0007); out: - pndacl->num_aces = cpu_to_le32(num_aces); + pndacl->num_aces = cpu_to_le16(num_aces); pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size); } @@ -1007,7 +1007,8 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *parent = path->dentry->d_parent; struct mnt_idmap *idmap = mnt_idmap(path->mnt); int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size; - int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; + int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; + u16 num_aces; char *aces_base; bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode); @@ -1023,7 +1024,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset); acl_len = pntsd_size - dacloffset; - num_aces = le32_to_cpu(parent_pdacl->num_aces); + num_aces = le16_to_cpu(parent_pdacl->num_aces); pntsd_type = le16_to_cpu(parent_pntsd->type); pdacl_size = le16_to_cpu(parent_pdacl->size); @@ -1264,7 +1265,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); aces_size = acl_size - sizeof(struct smb_acl); - for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { + for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) { if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); 
@@ -1285,7 +1286,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); aces_size = acl_size - sizeof(struct smb_acl); - for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { + for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) { if (offsetof(struct smb_ace, access_req) > aces_size) break; ace_size = le16_to_cpu(ace->size); diff --git a/fs/smb/server/smbacl.h b/fs/smb/server/smbacl.h index 24ce576fc292..355adaee39b8 100644 --- a/fs/smb/server/smbacl.h +++ b/fs/smb/server/smbacl.h 
@@ -86,7 +86,7 @@ int parse_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, int build_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, __u32 *secdesclen, struct smb_fattr *fattr); -int init_acl_state(struct posix_acl_state *state, int cnt); +int init_acl_state(struct posix_acl_state *state, u16 cnt); void free_acl_state(struct posix_acl_state *state); void posix_state_to_acl(struct posix_acl_state *state, struct posix_acl_entry *pace);

From patchwork Wed Feb 12 12:43:38 2025
X-Patchwork-Submitter: Namjae Jeon
X-Patchwork-Id: 13971893
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, atteh.mailbox@gmail.com, pc@manguebit.com, ronniesahlberg@gmail.com, sprasad@microsoft.com, bharathsm@microsoft.com, Namjae Jeon, Igor Leite Ladessa
Subject: [PATCH 2/4] ksmbd: fix incorrect validation for num_aces field of smb_acl
Date: Wed, 12 Feb 2025 21:43:38 +0900
Message-Id: <20250212124340.8034-2-linkinjeon@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20250212124340.8034-1-linkinjeon@kernel.org>
References: <20250212124340.8034-1-linkinjeon@kernel.org>

parse_dacl() validates num_aces to allocate posix_ace_state_array:

  if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation, as it assumes we can create an array of size ULONG_MAX. smb_acl has a ->size field that can be used to calculate the actual number of ACEs in the request buffer. Use this to check for an invalid num_aces.

Reported-by: Igor Leite Ladessa
Signed-off-by: Namjae Jeon
---
 fs/smb/server/smbacl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index f820d0759c3c..410a4b10c91d 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap *idmap, if (num_aces <= 0) return; - if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + if (num_aces > (pdacl->size - sizeof(struct smb_acl)) / + (offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) return; ret = init_acl_state(&acl_state, num_aces);
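Review bot: in the new bound, `pdacl->size` is `__le16` but is used without `le16_to_cpu()` (the `ksmbd_debug()` call a few lines earlier in this function converts it), so the computed limit is wrong on big-endian hosts and sparse will warn; suggest `(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl))`. Two further points on the same expression: the subtraction wraps to a huge value when `size` is below `sizeof(struct smb_acl)`, which defeats the bound, so that case has to be rejected first unless an earlier check in this function already does; and the divisor counts the mandatory first sub-authority as `sizeof(__le16)`, while the second hunk of this patch sizes sub-authorities as `sizeof(__le32) * num_subauth` and now rejects `num_subauth == 0`, so the smallest ACE the divisor should describe is `offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, sub_auth) + sizeof(__le32)`. The looser divisor only permits a somewhat larger allocation before the per-ACE checks catch the mismatch, so that part is about consistency rather than safety.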
@@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap *idmap, offsetof(struct smb_sid, sub_auth); if (end_of_acl - acl_base < acl_size || + ppace[i]->sid.num_subauth == 0 || ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || (end_of_acl - acl_base < acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||

From patchwork Wed Feb 12 12:43:39 2025
X-Patchwork-Submitter: Namjae Jeon
X-Patchwork-Id: 13971894
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, atteh.mailbox@gmail.com, pc@manguebit.com, ronniesahlberg@gmail.com, sprasad@microsoft.com, bharathsm@microsoft.com, Namjae Jeon
Subject: [PATCH 3/4] cifs: fix incorrect validation for num_aces field of smb_acl
Date: Wed, 12 Feb 2025 21:43:39 +0900
Message-Id: <20250212124340.8034-3-linkinjeon@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20250212124340.8034-1-linkinjeon@kernel.org>
References: <20250212124340.8034-1-linkinjeon@kernel.org>

parse_dacl() validates num_aces to allocate the ace array:

  if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation, as it assumes we can create an array of size ULONG_MAX. smb_acl has a ->size field that can be used to calculate the actual number of ACEs in the response buffer. Use this to check for an invalid num_aces.

Signed-off-by: Namjae Jeon
---
 fs/smb/client/cifsacl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index 7d953208046a..6b29a01a6e56 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c @@ -778,7 +778,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, } /* validate that we do not go past end of acl */ - if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { + if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || + end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { cifs_dbg(VFS, "ACL too small to parse DACL\n"); return; }
@@ -799,8 +800,11 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, if (num_aces > 0) { umode_t denied_mode = 0; - if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + if (num_aces > (pdacl->size - sizeof(struct smb_acl)) / + (offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) return; + ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); if (!ppace)
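Review bot: same comment as on the ksmbd hunk in 2/4: in the @@ -799 parse_dacl hunk of this patch `pdacl->size` is `__le16` and the new bound uses it raw, so it needs `le16_to_cpu()` (the check in the preceding @@ -778 hunk, `le16_to_cpu(pdacl->size)`, shows the intended form), and `sizeof(__le16)` in the divisor should be `sizeof(__le32)` since sub-authorities are 32-bit. Note that the @@ -778 hunk only guarantees the header fits in the buffer; it does not reject `pdacl->size < sizeof(struct smb_acl)`, so `pdacl->size - sizeof(struct smb_acl)` can still wrap and make the bound accept any `num_aces`.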
From patchwork Wed Feb 12 12:43:40 2025
X-Patchwork-Submitter: Namjae Jeon
X-Patchwork-Id: 13971895
From: Namjae Jeon
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, senozhatsky@chromium.org, tom@talpey.com, atteh.mailbox@gmail.com, pc@manguebit.com, ronniesahlberg@gmail.com, sprasad@microsoft.com, bharathsm@microsoft.com, Namjae Jeon
Subject: [PATCH 4/4] cifs: add validation check for the fields in smb_aces
Date: Wed, 12 Feb 2025 21:43:40 +0900
Message-Id: <20250212124340.8034-4-linkinjeon@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20250212124340.8034-1-linkinjeon@kernel.org>
References: <20250212124340.8034-1-linkinjeon@kernel.org>

cifs.ko is missing a validation check when accessing smb_aces. This patch adds validation checks for the fields in smb_aces.

Signed-off-by: Namjae Jeon
---
 fs/smb/client/cifsacl.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index 6b29a01a6e56..5c511b28dd77 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c @@ -811,7 +811,23 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, return; for (i = 0; i < num_aces; ++i) { + if (end_of_acl - acl_base < acl_size) + break; + ppace[i] = (struct smb_ace *) (acl_base + acl_size); + acl_base = (char *)ppace[i]; + acl_size = offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth); + + if (end_of_acl - acl_base < acl_size || + ppace[i]->sid.num_subauth == 0 || + ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || + (end_of_acl - acl_base < + acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) || + (le16_to_cpu(ppace[i]->size) < + acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth)) + break; + #ifdef CONFIG_CIFS_DEBUG2 dump_ace(ppace[i], end_of_acl); #endif
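Review bot: when the loop hits a malformed ACE it leaves with `break` but `num_aces` is not adjusted, so the tail of the `ppace` array (allocated with `kmalloc_array()` in 3/4, i.e. not zeroed) stays uninitialised; if anything after this loop walks `ppace` up to `num_aces`, that dereferences garbage pointers. Either set `num_aces = i;` after the loop or allocate with `kcalloc()` and tolerate NULL entries. The silent `break` also hides a server that hands back a corrupt DACL; a `cifs_dbg(VFS, ...)` in the style of the existing "ACL too small to parse DACL" message would make that observable to operators. The new `le16_to_cpu(ppace[i]->size) < acl_size + sizeof(__le32) * num_subauth` test is a good addition beyond the bounds checks: since `ppace[i]->size` is what advances `acl_size` for the next iteration, it guarantees every step moves forward by at least the ACE and SID headers, so a zero or tiny size can no longer stall the walk on one ACE.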
@@ -855,7 +871,6 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, (void *)ppace[i], sizeof(struct smb_ace)); */ - acl_base = (char *)ppace[i]; acl_size = le16_to_cpu(ppace[i]->size); }
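Added example, not code from this series or from the kernel tree: a standalone user-space walk over a DACL blob that applies, in the same order as the kernel code, the checks patches 2/4, 3/4 and 4/4 introduce. The ACL header must fit and its declared size must stay within the buffer; num_aces is bounded by (size - header) / minimum ACE size; each ACE must fit within the ACL, carry between 1 and SID_MAX_SUB_AUTHORITIES sub-authorities, and declare a size no smaller than its contents. Field offsets follow the [MS-DTYP] ACL, ACE and SID layout that the kernel's smb_acl, smb_ace and smb_sid mirror; unlike the patches, the minimum ACE size counts the mandatory first sub-authority as 32 bits. The sample ACL bytes, the status enum and all function names are constructed for this example.

```c
/* Added example (user space, not kernel code): a bounds-checked DACL walk. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15
/* Wire layout per [MS-DTYP]; all multi-byte fields are little-endian. */
#define ACL_HDR_LEN 8  /* revision(2) size(2) num_aces(2) reserved(2): sizeof(struct smb_acl) */
#define ACE_HDR_LEN 8  /* type(1) flags(1) size(2) access_mask(4): offsetof(struct smb_ace, sid) */
#define SID_HDR_LEN 8  /* revision(1) num_subauth(1) authority(6): offsetof(struct smb_sid, sub_auth) */
#define SUBAUTH_LEN 4  /* each sub-authority is a __le32 */
/* Smallest ACE that can pass the per-ACE checks below: one sub-authority is mandatory. */
#define MIN_ACE_LEN (ACE_HDR_LEN + SID_HDR_LEN + SUBAUTH_LEN)

enum dacl_status {
	DACL_OK = 0,
	DACL_ERR_HDR,       /* buffer shorter than the ACL header */
	DACL_ERR_SIZE,      /* pdacl->size below the header length or beyond the buffer */
	DACL_ERR_NUM_ACES,  /* num_aces cannot fit in pdacl->size (the bound from 2/4 and 3/4) */
	DACL_ERR_ACE_TRUNC, /* an ACE header or its SID runs past pdacl->size */
	DACL_ERR_SUBAUTH,   /* num_subauth is 0 or above SID_MAX_SUB_AUTHORITIES */
	DACL_ERR_ACE_SIZE   /* ace->size is smaller than its contents or runs past the ACL */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the DACL in buf[0..len). *accepted counts the ACEs that passed before the
 * verdict, so a caller that keeps partial results knows how many entries are usable. */
enum dacl_status validate_dacl(const uint8_t *buf, size_t len, unsigned *accepted)
{
	size_t acl_size, off;
	uint16_t num_aces;
	unsigned i;

	*accepted = 0;
	if (len < ACL_HDR_LEN)
		return DACL_ERR_HDR;
	acl_size = rd_le16(buf + 2);
	/* Reject size < header before subtracting it, so the bound below cannot wrap. */
	if (acl_size < ACL_HDR_LEN || acl_size > len)
		return DACL_ERR_SIZE;
	num_aces = rd_le16(buf + 4);
	if (num_aces > (acl_size - ACL_HDR_LEN) / MIN_ACE_LEN)
		return DACL_ERR_NUM_ACES;

	off = ACL_HDR_LEN;
	for (i = 0; i < num_aces; i++) {
		const uint8_t *ace = buf + off;
		size_t need, ace_size;
		uint8_t num_subauth;

		/* off <= acl_size holds on every iteration, so these subtractions are safe. */
		if (acl_size - off < ACE_HDR_LEN + SID_HDR_LEN)
			return DACL_ERR_ACE_TRUNC;
		num_subauth = ace[ACE_HDR_LEN + 1];
		if (num_subauth == 0 || num_subauth > SID_MAX_SUB_AUTHORITIES)
			return DACL_ERR_SUBAUTH;
		need = ACE_HDR_LEN + SID_HDR_LEN + (size_t)SUBAUTH_LEN * num_subauth;
		if (acl_size - off < need)
			return DACL_ERR_ACE_TRUNC;
		ace_size = rd_le16(ace + 2);
		/* The declared size is what advances the walk: it must cover the contents
		 * (so every step is at least MIN_ACE_LEN) and must stay inside the ACL. */
		if (ace_size < need || ace_size > acl_size - off)
			return DACL_ERR_ACE_SIZE;
		off += ace_size;
		(*accepted)++;
	}
	return DACL_OK;
}

/* Constructed sample: ACL revision 2, 56 bytes, two ACCESS_ALLOWED ACEs for
 * S-1-5-32-544 and S-1-5-32-545; each SID carries two sub-authorities. */
static const uint8_t sample_dacl[56] = {
	0x02, 0x00, 0x38, 0x00, 0x02, 0x00, 0x00, 0x00, /* ACL header: size 56, num_aces 2 */
	0x00, 0x00, 0x18, 0x00, 0xff, 0x01, 0x1f, 0x00, /* ACE 1: size 24, mask 0x001F01FF */
	0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* SID: rev 1, 2 subauths, authority 5 */
	0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, /* sub-authorities 32, 544 */
	0x00, 0x00, 0x18, 0x00, 0xa9, 0x00, 0x12, 0x00, /* ACE 2: size 24, mask 0x001200A9 */
	0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
	0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, /* sub-authorities 32, 545 */
};

/* Validate a copy of the sample whose 16-bit little-endian field at `at` is set to `val`,
 * presented as `len` bytes; 1 when verdict and accepted-ACE count match expectations. */
static int expect(size_t at, uint16_t val, size_t len, enum dacl_status want, unsigned want_n)
{
	uint8_t b[sizeof(sample_dacl)];
	unsigned n;

	memcpy(b, sample_dacl, sizeof(b));
	b[at] = (uint8_t)(val & 0xff);
	b[at + 1] = (uint8_t)(val >> 8);
	return validate_dacl(b, len, &n) == want && n == want_n;
}

/* One input per check the series adds. */
int check_well_formed(void)       { return expect(2, 56, 56, DACL_OK, 2); }                /* untouched sample */
int check_inflated_num_aces(void) { return expect(4, 0xffff, 56, DACL_ERR_NUM_ACES, 0); }  /* 65535 ACEs in 56 bytes */
int check_truncated_ace(void)     { return expect(2, 52, 52, DACL_ERR_ACE_TRUNC, 1); }     /* bound allows 2, second SID cut */
int check_zero_subauth(void)      { return expect(ACL_HDR_LEN + ACE_HDR_LEN, 0x0001, 56, DACL_ERR_SUBAUTH, 0); } /* rev 1, 0 subauths */
int check_undersized_ace(void)    { return expect(ACL_HDR_LEN + 2, 8, 56, DACL_ERR_ACE_SIZE, 0); } /* ACE 1 claims size 8 */
int check_short_buffer(void)      { return expect(2, 56, 40, DACL_ERR_SIZE, 0); }          /* 40 bytes received, header says 56 */
```

The truncated-ACE case is the one worth dwelling on: a 52-byte ACL with num_aces 2 passes the size-derived bound from 2/4 and 3/4 (44 / 20 = 2), and only the per-ACE check that 4/4 adds notices that the second SID's two sub-authorities do not fit. The bound limits the allocation; it does not by itself make the ACE walk safe.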