Re: [PATCH] ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow

From: Namjae Jeon

Date: Mon May 11 2026 - 20:33:23 EST


On Mon, May 11, 2026 at 10:18 PM Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx> wrote:
>
> Commit 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16
> DACL size overflow") added check_add_overflow() guards that break out
> of the ACE-building loops in set_posix_acl_entries_dacl() when the
> accumulated DACL size would wrap past 65535.
>
> However, each iteration allocates a struct smb_sid via kmalloc_obj()
> at the top of the loop and relies on the kfree(sid) call at the end
> of the loop body (the 'pass_same_sid' label in the first loop, and
> the explicit kfree at the tail of the second loop) to release it.
> The newly introduced 'break' statements bypass those kfree() calls,
> leaking the sid buffer every time an overflow is detected.
>
> A malicious or malformed file with enough POSIX ACL entries to trip
> the overflow check will leak one or more struct smb_sid allocations
> on every request that touches the file's DACL, providing a trivial
> kernel memory exhaustion vector.
>
> Free sid before breaking out of the loops to plug the leak.
>
> Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Applied it to #ksmbd-for-next-next.
Thanks!
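The leak pattern the commit message describes (a per-iteration allocation whose only release is at the tail of the loop, bypassed by an early `break` on the overflow guard) is easy to reproduce and to check for with an instrumented allocator. The following is an added userspace example, not code from ksmbd or from the patch: the `struct smb_sid` layout, the 8-byte ACE header assumed in `ACE_SIZE`, the `-E2BIG`/`-ENOMEM` return values and the `u16_add_overflow()` stand-in for the kernel's `check_add_overflow()` are all assumptions made for the demonstration. It runs the same loop in its leaky and its fixed form and reports how many SIDs are still live after a number of requests, which is the signal a defender would watch (kmemleak or slab growth under repeated ACL reads) on the real code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct smb_sid; only its size matters here. */
struct smb_sid {
	uint8_t revision;
	uint8_t num_subauth;
	uint8_t authority[6];
	uint32_t sub_auth[15];
};

/* Instrumented allocator: a leak shows up as a non-zero live count. */
static int live_sids;

static struct smb_sid *sid_alloc(void)
{
	struct smb_sid *sid = calloc(1, sizeof(*sid));

	if (sid)
		live_sids++;
	return sid;
}

static void sid_free(struct smb_sid *sid)
{
	if (sid) {
		live_sids--;
		free(sid);
	}
}

/* Userspace stand-in for check_add_overflow() on u16 operands:
 * stores the wrapped sum and returns true when it overflowed. */
static bool u16_add_overflow(uint16_t a, uint16_t b, uint16_t *res)
{
	unsigned int sum = (unsigned int)a + b;

	*res = (uint16_t)sum;
	return sum > UINT16_MAX;
}

/* Assumed per-ACE size: an 8-byte ACE header plus the SID. */
#define ACE_SIZE ((uint16_t)(8 + sizeof(struct smb_sid)))

/*
 * Walks nentries POSIX ACL entries, allocating one SID per entry and
 * accumulating the DACL size in a u16. With fixed == false the overflow
 * 'break' skips the free at the tail of the loop, which is the bug the
 * patch above describes; with fixed == true the SID is freed before
 * breaking. Returns 0 on success, -7 (-E2BIG) when the size would wrap,
 * -12 (-ENOMEM) if allocation fails.
 */
static int build_dacl(unsigned int nentries, bool fixed, uint16_t *size)
{
	int rc = 0;

	*size = 0;
	for (unsigned int i = 0; i < nentries; i++) {
		struct smb_sid *sid = sid_alloc();

		if (!sid)
			return -12;
		/* ... sid would be filled from the ACL entry here ... */
		if (u16_add_overflow(*size, ACE_SIZE, size)) {
			if (fixed)
				sid_free(sid);
			rc = -7;
			break;
		}
		sid_free(sid); /* normal tail-of-loop release */
	}
	return rc;
}

/* Runs 'requests' DACL builds over an ACL with 'nentries' entries and
 * returns how many SIDs are still live afterwards (0 means no leak). */
static int leaked_sids_after(unsigned int requests, unsigned int nentries,
			     bool fixed)
{
	uint16_t size;

	live_sids = 0;
	for (unsigned int r = 0; r < requests; r++)
		build_dacl(nentries, fixed, &size);
	return live_sids;
}

int main(void)
{
	/* 863 * ACE_SIZE (76 bytes) exceeds 65535, so 1000 entries trip the guard. */
	printf("leaky: %d live SIDs after 100 requests\n",
	       leaked_sids_after(100, 1000, false));
	printf("fixed: %d live SIDs after 100 requests\n",
	       leaked_sids_after(100, 1000, true));
	return 0;
}
```

With 1000 entries the leaky loop leaves exactly one SID live per request, so the count grows linearly with the number of requests against the file, while the fixed loop returns to zero; an ACL small enough not to overflow leaks nothing in either variant, which is why the bug only surfaces on the overflow path.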