[rocky8_10] History Rebuild through kernel-4.18.0-553.126.1.el8_10

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 10
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 553.125.1
+RHEL_RELEASE = 553.126.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-4.18.0-553.126.1.el8_10/0a8cf165.failed

@@ -0,0 +1,278 @@
+smb: client: validate the whole DACL before rewriting it in cifsacl
+
+jira KERNEL-1078
+cve CVE-2026-31709
+Rebuild_History Non-Buildable kernel-4.18.0-553.126.1.el8_10
+commit-author Michael Bommarito <michael.bommarito@gmail.com>
+commit 0a8cf165566ba55a39fd0f4de172119dd646d39a
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.126.1.el8_10/0a8cf165.failed
+
+build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
+server-supplied dacloffset and then use the incoming ACL to rebuild the
+chmod/chown security descriptor.
+
+The original fix only checked that the struct smb_acl header fits before
+reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
+header-field OOB read, but the rewrite helpers still walk ACEs based on
+pdacl->num_aces with no structural validation of the incoming DACL body.
+
+A malicious server can return a truncated DACL that still contains a
+header, claims one or more ACEs, and then drive
+replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
+extent while they compare or copy attacker-controlled ACEs.
+
+Factor the DACL structural checks into validate_dacl(), extend them to
+validate each ACE against the DACL bounds, and use the shared validator
+before the chmod/chown rebuild paths.  parse_dacl() reuses the same
+validator so the read-side parser and write-side rewrite paths agree on
+what constitutes a well-formed incoming DACL.
+
+Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
+	Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+	Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+	Signed-off-by: Steve French <stfrench@microsoft.com>
+(cherry picked from commit 0a8cf165566ba55a39fd0f4de172119dd646d39a)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/cifs/cifsacl.c
+diff --cc fs/cifs/cifsacl.c
+index d3f01f636f10,cb4060ba5e31..000000000000
+--- a/fs/cifs/cifsacl.c
++++ b/fs/cifs/cifsacl.c
+@@@ -752,15 -758,86 +752,96 @@@ static void dump_ace(struct cifs_ace *p
+  }
+  #endif
+
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
+ +		       struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
+++=======
++ static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
++ {
++ 	int i, ace_hdr_size, ace_size, min_ace_size;
++ 	u16 dacl_size, num_aces;
++ 	char *acl_base, *end_of_dacl;
++ 	struct smb_ace *pace;
++ 
++ 	if (!pdacl)
++ 		return 0;
++ 
++ 	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
++ 		cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ 		return -EINVAL;
++ 	}
++ 
++ 	dacl_size = le16_to_cpu(pdacl->size);
++ 	if (dacl_size < sizeof(struct smb_acl) ||
++ 	    end_of_acl < (char *)pdacl + dacl_size) {
++ 		cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ 		return -EINVAL;
++ 	}
++ 
++ 	num_aces = le16_to_cpu(pdacl->num_aces);
++ 	if (!num_aces)
++ 		return 0;
++ 
++ 	ace_hdr_size = offsetof(struct smb_ace, sid) +
++ 		offsetof(struct smb_sid, sub_auth);
++ 	min_ace_size = ace_hdr_size + sizeof(__le32);
++ 	if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
++ 		cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ 		return -EINVAL;
++ 	}
++ 
++ 	end_of_dacl = (char *)pdacl + dacl_size;
++ 	acl_base = (char *)pdacl;
++ 	ace_size = sizeof(struct smb_acl);
++ 
++ 	for (i = 0; i < num_aces; ++i) {
++ 		if (end_of_dacl - acl_base < ace_size) {
++ 			cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ 			return -EINVAL;
++ 		}
++ 
++ 		pace = (struct smb_ace *)(acl_base + ace_size);
++ 		acl_base = (char *)pace;
++ 
++ 		if (end_of_dacl - acl_base < ace_hdr_size ||
++ 		    pace->sid.num_subauth == 0 ||
++ 		    pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
++ 			cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ 			return -EINVAL;
++ 		}
++ 
++ 		ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
++ 		if (end_of_dacl - acl_base < ace_size ||
++ 		    le16_to_cpu(pace->size) < ace_size) {
++ 			cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ 			return -EINVAL;
++ 		}
++ 
++ 		ace_size = le16_to_cpu(pace->size);
++ 		if (end_of_dacl - acl_base < ace_size) {
++ 			cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ 			return -EINVAL;
++ 		}
++ 	}
++ 
++ 	return 0;
++ }
++ 
++ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
++ 		       struct smb_sid *pownersid, struct smb_sid *pgrpsid,
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  		       struct cifs_fattr *fattr, bool mode_from_special_sid)
+  {
+  	int i;
+ -	u16 num_aces = 0;
+ +	int num_aces = 0;
+  	int acl_size;
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +	char *acl_base;
+ +	struct cifs_ace **ppace;
+++=======
++ 	char *acl_base, *end_of_dacl;
++ 	struct smb_ace **ppace;
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+
+  	/* BB need to add parm so we can store the SID BB */
+
+@@@ -771,11 -848,8 +852,14 @@@
+  		return;
+  	}
+
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +	/* validate that we do not go past end of acl */
+ +	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
+ +		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+++=======
++ 	if (validate_dacl(pdacl, end_of_acl))
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  		return;
+- 	}
+
+  	cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
+  		 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
+@@@ -786,24 -860,23 +870,34 @@@
+  	   user/group/other have no permissions */
+  	fattr->cf_mode &= ~(0777);
+
++ 	end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
+  	acl_base = (char *)pdacl;
+ -	acl_size = sizeof(struct smb_acl);
+ +	acl_size = sizeof(struct cifs_acl);
+
+ -	num_aces = le16_to_cpu(pdacl->num_aces);
+ +	num_aces = le32_to_cpu(pdacl->num_aces);
+  	if (num_aces > 0) {
+  		umode_t denied_mode = 0;
+
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +		if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
+ +			return;
+ +		ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *),
+ +				      GFP_KERNEL);
+++=======
++ 		ppace = kmalloc_objs(struct smb_ace *, num_aces);
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  		if (!ppace)
+  			return;
+
+  		for (i = 0; i < num_aces; ++i) {
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +			ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
+++=======
++ 			ppace[i] = (struct smb_ace *) (acl_base + acl_size);
++ 
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  #ifdef CONFIG_CIFS_DEBUG2
+- 			dump_ace(ppace[i], end_of_acl);
++ 			dump_ace(ppace[i], end_of_dacl);
+  #endif
+  			if (mode_from_special_sid &&
+  			    (compare_sids(&(ppace[i]->sid),
+@@@ -1262,16 -1341,15 +1356,23 @@@ static int build_sec_desc(struct cifs_n
+
+  	dacloffset = le32_to_cpu(pntsd->dacloffset);
+  	if (dacloffset) {
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +		dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
+ +		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
+ +			cifs_dbg(VFS, "Server returned illegal ACL size\n");
+ +			return -EINVAL;
+ +		}
+++=======
++ 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
++ 		rc = validate_dacl(dacl_ptr, end_of_acl);
++ 		if (rc)
++ 			return rc;
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  	}
+
+ -	owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
+ +	owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
+  			le32_to_cpu(pntsd->osidoffset));
+ -	group_sid_ptr = (struct smb_sid *)((char *)pntsd +
+ +	group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
+  			le32_to_cpu(pntsd->gsidoffset));
+
+  	if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
+@@@ -1605,32 -1692,33 +1706,42 @@@ id_mode_to_cifs_acl(struct inode *inode
+  		return rc;
+  	}
+
+ -	sbflags = cifs_sb_flags(cifs_sb);
+ -	mode_from_sid = sbflags & CIFS_MOUNT_MODE_FROM_SID;
+ -	id_from_sid = sbflags & CIFS_MOUNT_UID_FROM_ACL;
+ +	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID)
+ +		mode_from_sid = true;
+ +	else
+ +		mode_from_sid = false;
+ +
+ +	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UID_FROM_ACL)
+ +		id_from_sid = true;
+ +	else
+ +		id_from_sid = false;
+
+  	/* Potentially, five new ACEs can be added to the ACL for U,G,O mapping */
+ +	nsecdesclen = secdesclen;
+  	if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
+ -		if (posix)
+ -			nsecdesclen = 1 * sizeof(struct smb_ace);
+ -		else if (mode_from_sid)
+ -			nsecdesclen = secdesclen + (2 * sizeof(struct smb_ace));
+ +		if (mode_from_sid)
+ +			nsecdesclen += 2 * sizeof(struct cifs_ace);
+  		else /* cifsacl */
+ -			nsecdesclen = secdesclen + (5 * sizeof(struct smb_ace));
+ +			nsecdesclen += 5 * sizeof(struct cifs_ace);
+  	} else { /* chown */
+  		/* When ownership changes, changes new owner sid length could be different */
+ -		nsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2);
+ +		nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
+  		dacloffset = le32_to_cpu(pntsd->dacloffset);
+  		if (dacloffset) {
+++<<<<<<< HEAD:fs/cifs/cifsacl.c
+ +			dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
+++=======
++ 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
++ 			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
++ 			if (rc) {
++ 				kfree(pntsd);
++ 				cifs_put_tlink(tlink);
++ 				return rc;
++ 			}
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl):fs/smb/client/cifsacl.c
+  			if (mode_from_sid)
+  				nsecdesclen +=
+ -					le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
+ +					le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
+  			else /* cifsacl */
+  				nsecdesclen += le16_to_cpu(dacl_ptr->size);
+  		}
+* Unmerged path fs/cifs/cifsacl.c