From: Michael Bommarito <michael.bommarito@gmail.com>

mainline inclusion
from mainline-v7.0
commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14908
CVE: CVE-2026-43350

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities.

A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE.

Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.

Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Conflicts:
	fs/cifs/cifsacl.c
	fs/smb/client/cifsacl.c
[context conflicts]
Signed-off-by: Long Li <leo.lilong@huawei.com>
---
 fs/cifs/cifsacl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index ef4784e72b1d..472a110158ec 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c @@ -757,6 +757,7 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl, dump_ace(ppace[i], end_of_acl); #endif if (mode_from_special_sid && + ppace[i]->sid.num_subauth >= 3 && (compare_sids(&(ppace[i]->sid), &sid_unix_NFS_mode) == 0)) { /*
--
2.52.0
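Review bot: the added guard `ppace[i]->sid.num_subauth >= 3 &&` in the parse_dacl() hunk is correctly placed ahead of compare_sids(), so the `&&` short-circuit prevents the sub_auth[2] read that the commit message describes, but the literal 3 is unexplained at the call site; a one-line comment tying it to the mode bits living in sub_auth[2] of sid_unix_NFS_mode (for example `/* NFS mode SID carries the mode bits in sub_auth[2] */`) would stop a later reader from simplifying it away. Since the message notes that compare_sids() compares only min(a, b) subauthorities and deliberately leaves that behaviour unchanged, it is also worth a follow-up to audit any other caller in cifsacl that indexes sub_auth[] after a compare_sids() match, or to add a small helper that checks num_subauth against the reference SID's own count so each call site does not need its own magic number.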