
From: Norbert Szetei <norbert@doyensec.com> mainline inclusion from mainline-v6.15-rc1 commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QOW CVE: CVE-2025-22038 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed. Cc: stable@vger.kernel.org Signed-off-by: Norbert Szetei <norbert@doyensec.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com> --- fs/smb/server/smbacl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index be76e642ca70..4870348f0dd9 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *idmap, return -EIO; } + if (psid->num_subauth == 0) { + pr_err("%s: zero subauthorities!\n", __func__); + return -EIO; + } + if (sidtype == SIDOWNER) { kuid_t uid; uid_t id; -- 2.39.2
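Review bot: The pr_err() in the added `num_subauth == 0` branch of sid_to_id() is not rate limited. This is the SMB server's SID handling in fs/smb/server/smbacl.c, so if psid can come from a client request, a peer that repeatedly sends SIDs with zero subauthorities can flood the kernel log. Consider pr_err_ratelimited() (or the subsystem's debug logging) while keeping the -EIO return, and include sidtype in the message so the log shows which mapping was rejected. The check itself is placed correctly, before the `sidtype == SIDOWNER` branch, so it runs ahead of the `psid->sub_auth[psid->num_subauth - 1]` access described in the commit message.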