Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen. Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.
Product status
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before b5b5d5936a50497fb151c0b122899a6894721c2b
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before 08f9e6d899b5c834bbcc239eae1bed58d9b15d2c
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before d2454f4a002d08560a60f214f392e6491cf11560
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before 46bbcd3ebfb3549c8da1838fc4493e79bd3241e7
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before 9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before 53370cf9090777774e07fd9a8ebce67c6cc333ab
5.15
Any version before 5.15
6.6.136 (semver)
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/b5b5d5936a50497fb151c0b122899a6894721c2b
git.kernel.org/...c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c
git.kernel.org/...c/d2454f4a002d08560a60f214f392e6491cf11560
git.kernel.org/...c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7
git.kernel.org/...c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a
git.kernel.org/...c/53370cf9090777774e07fd9a8ebce67c6cc333ab