path: root/include/linux/debugobjects.h
author Gil Portnoy <dddhkts1@gmail.com> 2026-06-10 14:13:51 +0300
committer Steve French <stfrench@microsoft.com> 2026-06-17 02:57:21 +0300
commit 13f3942f2bf45856bb751faed2f0c4618f41ca20 (patch)
tree c069c0a2a8dccf4c01e32663f0320dfd5d69b98a /include/linux/debugobjects.h
parent 3320ba068198adc144c89d6661b805acce01735b (diff)
ksmbd: add per-handle permission check to FILE_LINK_INFORMATION

The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls smb2_create_link() with no per-handle fp->daccess check. On the ReplaceIfExists path smb2_create_link() unlinks an existing file at the target name (ksmbd_vfs_remove_file) and creates a hardlink (ksmbd_vfs_link); neither helper checks daccess. A handle opened with FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore delete an arbitrary file in the share and plant a hardlink over its name.

The sibling delete/move arms in the same switch already gate: FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE.

Gate the link arm the same way as its closest analogue (rename), since it mutates the namespace and, on replace, deletes an existing entry.

This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE").

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'include/linux/debugobjects.h')
0 files changed, 0 insertions, 0 deletions