From 3c728813e14f108566b7787dae86c63ac78c861c Mon Sep 17 00:00:00 2001 From: Paulo Alcantara Date: Mon, 11 May 2026 14:21:19 -0300 Subject: [PATCH] smb: client: require a full NFS mode SID before reading mode bits JIRA: https://issues.redhat.com/browse/RHEL-172822 commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 Author: Michael Bommarito Date: Mon Apr 20 09:50:58 2026 -0400 smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl. Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Michael Bommarito Signed-off-by: Steve French Signed-off-by: Paulo Alcantara diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index 1b931e82f6aa..114545ee58b7 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c @@ -879,6 +879,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, dump_ace(ppace[i], end_of_dacl); #endif if (mode_from_special_sid && + ppace[i]->sid.num_subauth >= 3 && (compare_sids(&(ppace[i]->sid), &sid_unix_NFS_mode) == 0)) { /* -- 2.50.1 (Apple Git-155)