Google Git
Sign in
cos/third_party/kernel/6cd389d7730d16d15e008a822b46e2f5d450d562
commit
6cd389d7730d16d15e008a822b46e2f5d450d562
[log]
author
Michael Bommarito <michael.bommarito@gmail.com>
Fri Apr 24 10:55:13 2026 -0400
committer
Miri Amarilio <mirilio@google.com>
Thu May 21 11:01:37 2026 -0700
tree
50d19f24fbd787ecaddd83bb66427cf73cab41dd
parent
4cbf27fce0dea6b268c6cde2a036c99c3c8195ea [diff]
smb: client: validate the whole DACL before rewriting it in cifsacl

[ Upstream commit 0a8cf165566ba55a39fd0f4de172119dd646d39a ]

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths.  parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.

BUG=b/508878344
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2026-31709 in the Linux kernel.

cos-patch: security-moderate
Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Change-Id: Ibb3cc6c0322abd4242b3299b9baf0963c95e9acb
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ no kmalloc_objs ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/152905
Reviewed-by: Miri Amarilio <mirilio@google.com>
Reviewed-by: Dom Huh <domhuh@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
1 file changed
tree: 50d19f24fbd787ecaddd83bb66427cf73cab41dd
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. rust/
  19. samples/
  20. scripts/
  21. security/
  22. sound/
  23. tools/
  24. usr/
  25. virt/
  26. .clang-format
  27. .cocciconfig
  28. .get_maintainer.ignore
  29. .gitattributes
  30. .gitignore
  31. .mailmap
  32. .rustfmt.toml
  33. COPYING
  34. CREDITS
  35. Kbuild
  36. Kconfig
  37. MAINTAINERS
  38. Makefile
  39. PRESUBMIT.cfg
  40. README