From: Namjae Jeon <linkinjeon@kernel.org>
To: gregkh@linuxfoundation.org, sashal@kernel.org
Cc: stable@vger.kernel.org, Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.15.y 05/11] ksmbd: don't allow O_TRUNC open on read-only share
Date: Sun, 21 Jan 2024 23:30:32 +0900 [thread overview]
Message-ID: <20240121143038.10589-6-linkinjeon@kernel.org> (raw)
In-Reply-To: <20240121143038.10589-1-linkinjeon@kernel.org>
[ Upstream commit d592a9158a112d419f341f035d18d02f8d232def ]
When file is changed using notepad on read-only share(read_only = yes in
ksmbd.conf), There is a problem where existing data is truncated.
notepad in windows try to O_TRUNC open(FILE_OVERWRITE_IF) and all data
in file is truncated. This patch don't allow O_TRUNC open on read-only
share and add KSMBD_TREE_CONN_FLAG_WRITABLE check in smb2_set_info().
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/ksmbd/smb2pdu.c | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 5975a2bc471f..4d6663ab3d03 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2969,7 +2969,7 @@ int smb2_open(struct ksmbd_work *work)
&may_flags);
if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- if (open_flags & O_CREAT) {
+ if (open_flags & (O_CREAT | O_TRUNC)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
rc = -EACCES;
@@ -5946,12 +5946,6 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
}
case FILE_RENAME_INFORMATION:
{
- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- ksmbd_debug(SMB,
- "User does not have write permission\n");
- return -EACCES;
- }
-
if (buf_len < sizeof(struct smb2_file_rename_info))
return -EINVAL;
@@ -5971,12 +5965,6 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
}
case FILE_DISPOSITION_INFORMATION:
{
- if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
- ksmbd_debug(SMB,
- "User does not have write permission\n");
- return -EACCES;
- }
-
if (buf_len < sizeof(struct smb2_file_disposition_info))
return -EINVAL;
@@ -6038,7 +6026,7 @@ int smb2_set_info(struct ksmbd_work *work)
{
struct smb2_set_info_req *req;
struct smb2_set_info_rsp *rsp;
- struct ksmbd_file *fp;
+ struct ksmbd_file *fp = NULL;
int rc = 0;
unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
@@ -6058,6 +6046,13 @@ int smb2_set_info(struct ksmbd_work *work)
rsp = smb2_get_msg(work->response_buf);
}
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB, "User does not have write permission\n");
+ pr_err("User does not have write permission\n");
+ rc = -EACCES;
+ goto err_out;
+ }
+
if (!has_file_id(id)) {
id = req->VolatileFileId;
pid = req->PersistentFileId;
--
2.25.1
next prev parent reply other threads:[~2024-01-21 14:31 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-21 14:30 [PATCH 5.15.y 00/11] ksmbd: backport patches from 6.8-rc1 Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 01/11] ksmbd: validate the zero field of packet header Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 02/11] ksmbd: set v2 lease version on lease upgrade Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 03/11] ksmbd: fix potential circular locking issue in smb2_set_ea() Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 04/11] ksmbd: don't increment epoch if current state and request state are same Namjae Jeon
2024-01-21 14:30 ` Namjae Jeon [this message]
2024-01-21 14:30 ` [PATCH 5.15.y 06/11] ksmbd: send lease break notification on FILE_RENAME_INFORMATION Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 07/11] ksmbd: free ppace array on error in parse_dacl Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 08/11] ksmbd: Add missing set_freezable() for freezable kthread Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 09/11] ksmbd: validate mech token in session setup Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 10/11] ksmbd: fix UAF issue in ksmbd_tcp_new_connection() Namjae Jeon
2024-01-21 14:30 ` [PATCH 5.15.y 11/11] ksmbd: only v2 leases handle the directory Namjae Jeon
2024-01-22 15:03 ` [PATCH 5.15.y 00/11] ksmbd: backport patches from 6.8-rc1 Greg KH
2024-01-22 23:28 ` Namjae Jeon
2024-01-26 1:25 ` Namjae Jeon
2024-01-26 1:36 ` Greg KH
2024-01-26 1:59 ` Namjae Jeon
2024-01-27 0:43 ` Greg KH
2024-01-27 0:48 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240121143038.10589-6-linkinjeon@kernel.org \
--to=linkinjeon@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox