diff options
| author | Sean Shen <grayhat@foxmail.com> | 2026-05-26 22:07:16 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-05-26 20:36:36 -0500 |
| commit | cc57232cae23c0df91b4a59d0f519141ce9b5b02 (patch) | |
| tree | 5bf2a31165811a5698036cfea0af74c711ccc5f4 /kernel/bpf | |
| parent | 2f15dcd0d4b502c704a52f5c7de128b163677978 (diff) | |
ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse
attribute and saves it through xattr without any permission checks.
This exposes two issues:
1) A client on a read-only share can change the sparse attribute
on files it opened, even though the share is read-only.
Other FSCTL write operations already check
test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE),
but FSCTL_SET_SPARSE does not.
2) Even on writable shares, clients without FILE_WRITE_DATA or
FILE_WRITE_ATTRIBUTES access should not modify the sparse
attribute. Similar handle-level checks exist in other functions
but are missing here.
Add both share-level writable check and per-handle access check.
Use goto out on error to avoid leaking file references.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Steve French <smfrench@gmail.com>
Signed-off-by: Sean Shen <grayhat@foxmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'kernel/bpf')
0 files changed, 0 insertions, 0 deletions