From: Greg Kroah-Hartman
To: linux-cifs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Namjae Jeon, Steve French, Sergey Senozhatsky, Tom Talpey, stable
Subject: [PATCH 1/3] ksmbd: validate EaNameLength in smb2_get_ea()
Date: Mon, 6 Apr 2026 15:46:46 +0200
Message-ID: <2026040646-backlit-overlord-2d46@gregkh>
In-Reply-To: <2026040644-brussels-dab-6f99@gregkh>
References: <2026040644-brussels-dab-6f99@gregkh>

smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.

Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call from using the length as a "trusted" size of the buffer.

Without this check, uninitialized heap values might be slowly leaked to
the client.

Cc: Namjae Jeon
Cc: Steve French
Cc: Sergey Senozhatsky
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: stable
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman
---
 fs/smb/server/smb2pdu.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 8e4cfdc0ba02..6f658dc20758 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c 
@@ -4716,6 +4716,11 @@ static int smb2_get_ea(struct ksmbd_work *work, stru= ct ksmbd_file *fp, =20 ea_req =3D (struct smb2_ea_info_req *)((char *)req + le16_to_cpu(req->InputBufferOffset)); + + if (le32_to_cpu(req->InputBufferLength) < + offsetof(struct smb2_ea_info_req, name) + + ea_req->EaNameLength) + return -EINVAL; } else { /* need to send all EAs, if no specific EA is requested*/ if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY) --=20 2.53.0
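Review bot: the new bound in smb2_get_ea() dereferences ea_req->EaNameLength before it has established that the fixed part of struct smb2_ea_info_req is itself inside InputBufferLength, and it checks only InputBufferLength, not whether InputBufferOffset + InputBufferLength lies within the received PDU. Unless both are already validated earlier in the function (not visible in this hunk), a request advertising a zero InputBufferLength still has its EaNameLength byte read, and an InputBufferLength larger than the PDU would still satisfy the check. A stricter sequence is to first reject `le32_to_cpu(req->InputBufferLength) < offsetof(struct smb2_ea_info_req, name)` and confirm the input buffer fits in the PDU, then apply the name-length comparison exactly as written here.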
From: Greg Kroah-Hartman
To: linux-cifs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Namjae Jeon, Steve French, Sergey Senozhatsky, Tom Talpey, stable
Subject: [PATCH 2/3] ksmbd: require 3 sub-authorities before reading sub_auth[2]
Date: Mon, 6 Apr 2026 15:46:47 +0200
Message-ID: <2026040646-helium-unedited-245a@gregkh>
In-Reply-To: <2026040644-brussels-dab-6f99@gregkh>
References: <2026040644-brussels-dab-6f99@gregkh>

parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on
match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is
the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares
only min(num_subauth, 2) sub-authorities so a client SID with
num_subauth = 2 and sub_auth = {88, 3} will match.

If num_subauth = 2 and the ACE is placed at the very end of the security
descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The
out-of-band bytes will then be masked to the low 9 bits and applied as
the file's POSIX mode, probably not something that is good to have
happen.

Fix this up by forcing the SID to actually carry a third sub-authority
before reading it at all.
Cc: Namjae Jeon
Cc: Steve French
Cc: Sergey Senozhatsky
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: stable
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman
---
 fs/smb/server/smbacl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index c30d01877c41..061a305bf9c8 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c
@@ -451,7 +451,8 @@ static void parse_dacl(struct mnt_idmap *idmap, ppace[i]->access_req =3D smb_map_generic_desired_access(ppace[i]->access_req); =20 - if (!(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) { + if (ppace[i]->sid.num_subauth >=3D 3 && + !(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) { fattr->cf_mode =3D le32_to_cpu(ppace[i]->sid.sub_auth[2]); break; --=20 2.53.0
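Review bot: `num_subauth >= 3` only checks the SID's self-declared count, which is as client-controlled as the sub_auth array itself; an ACE that claims num_subauth = 3 but is cut off at end_of_acl (the situation the commit message describes) would still have sub_auth[2] read past the descriptor unless the per-ACE size validation earlier in parse_dacl() guarantees that the whole SID, including all num_subauth sub-authorities, lies within the ACE. Worth confirming that check exists, or bounding the read against end_of_acl here as well. Minor: since compare_sids() compares only min(num_subauth, 2) sub-authorities, a one-line comment above the condition saying that sub_auth[2] carries the mode and therefore must exist would make the literal 3 less magic.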
From: Greg Kroah-Hartman
To: linux-cifs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Namjae Jeon, Steve French, Sergey Senozhatsky, Tom Talpey, stable
Subject: [PATCH 3/3] ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
Date: Mon, 6 Apr 2026 15:46:48 +0200
Message-ID: <2026040647-reset-uninstall-1145@gregkh>
In-Reply-To: <2026040644-brussels-dab-6f99@gregkh>
References: <2026040644-brussels-dab-6f99@gregkh>

The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn->mechToken immediately via kmemdup_nul(). If a later element in the
same blob is malformed, then the decoder will return nonzero after the
allocation is already live. This could happen if mechListMIC [3]
overruns the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed. The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:

	if (conn->use_spnego && conn->mechToken) {
		kfree(conn->mechToken);
		conn->mechToken = NULL;
	}

so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.

Fix this up by not checking for use_spnego, as it's not required, so the
memory will always be properly freed. At the same time, always free the
memory in ksmbd_conn_free() in case some other failure path forgot to
free it.

Cc: Namjae Jeon
Cc: Steve French
Cc: Sergey Senozhatsky
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: stable
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman
---
 fs/smb/server/connection.c | 1 +
 fs/smb/server/smb2pdu.c    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index 1bb2081c492c..26cfce344861 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -96,6 +96,7 @@ void ksmbd_conn_free(struct ksmbd_conn *conn) xa_destroy(&conn->sessions); kvfree(conn->request_buf); kfree(conn->preauth_info); + kfree(conn->mechToken); if (atomic_dec_and_test(&conn->refcnt)) { conn->transport->ops->free_transport(conn->transport); kfree(conn);
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 6f658dc20758..a344937595f4 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -1915,7 +1915,7 @@ int smb2_sess_setup(struct ksmbd_work *work) else if (rc) rsp->hdr.Status =3D STATUS_LOGON_FAILURE; =20 - if (conn->use_spnego && conn->mechToken) { + if (conn->mechToken) { kfree(conn->mechToken); conn->mechToken =3D NULL; } --=20 2.53.0
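Review bot: in the ksmbd_conn_free() hunk, the new kfree(conn->mechToken) sits before the atomic_dec_and_test(&conn->refcnt) block, alongside the request_buf and preauth_info frees, while kfree(conn) itself is inside that block. If anything can still hold a reference to conn at that point (the refcount suggests it can), it would see a dangling mechToken; if the frees already above it are safe there, this one is too, but the reasoning belongs in the commit message. Also, since the smb2_sess_setup() change now frees and NULLs the token on every pass, this kfree is a backstop rather than the fix, and it does not clear the pointer; a short comment saying so would stop a future reader from treating ksmbd_conn_free() as the token's primary owner.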
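Review bot: dropping the use_spnego gate in the smb2_sess_setup() hunk fixes the leak as described, but the root cause is that ksmbd_neg_token_alloc() leaves conn->mechToken allocated when decode_negotiation_token() fails; freeing it in that failure path as well would keep the allocation's lifetime tied to the decode that created it rather than relying on every caller to clean up. Style: with the gate gone, the `if (conn->mechToken)` wrapper is redundant because kfree(NULL) is a no-op, so an unconditional `kfree(conn->mechToken); conn->mechToken = NULL;` is shorter and reads the same.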