)]}'
{
  "commit": "b82d4fb79da9ccb0fb216da3a51f977397f3193d",
  "tree": "ddfb433257ac659ce3fc370cf3eb71a547f63075",
  "parents": [
    "074cdee0716ae379826b2ff2a0c281c927d45a75"
  ],
  "author": {
    "name": "Michael Bommarito",
    "email": "michael.bommarito@gmail.com",
    "time": "Fri Apr 24 10:46:09 2026 -0400"
  },
  "committer": {
    "name": "Miri Amarilio",
    "email": "mirilio@google.com",
    "time": "Thu May 21 11:00:32 2026 -0700"
  },
  "message": "smb: client: validate the whole DACL before rewriting it in cifsacl\n\n[ Upstream commit 0a8cf165566ba55a39fd0f4de172119dd646d39a ]\n\nbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr-\u003esize or dacl_ptr-\u003enum_aces.  That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl-\u003enum_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths.  parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL.\n\nBUG\u003db/508877931\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-31709 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: bc3e9dd9d104 (\"cifs: Change SIDs in ACEs while transferring file ownership.\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nAssisted-by: Codex:gpt-5-4\nChange-Id: Icd0cd29494a5d3fbc686ebde98e8f0d4591b8ea7\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Steve French \u003cstfrench@microsoft.com\u003e\n[ no kmalloc_objs ]\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/153043\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Dom Huh \u003cdomhuh@google.com\u003e\nReviewed-by: Miri Amarilio \u003cmirilio@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "3c709b213b924e8a838fc58ebca52e653ee9f915",
      "old_mode": 33188,
      "old_path": "fs/smb/client/cifsacl.c",
      "new_id": "871fba0762eeb81c36187e3d439e48596fa89481",
      "new_mode": 33188,
      "new_path": "fs/smb/client/cifsacl.c"
    }
  ]
}