diff options
| author | Gil Portnoy <dddhkts1@gmail.com> | 2026-06-12 01:15:38 +0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-17 02:57:22 +0300 |
| commit | 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 (patch) | |
| tree | 8835005e6052669faf7c865109f290b936b221af /include/linux/timerqueue.h | |
| parent | 20c8442dc1003f9f7bb522d3dcd81d09ea59a79e (diff) | |
| download | linux-388e4139db27a9e3612c9d356b826f5b1ff6a9e3.tar.xz | |
ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE
The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the
destination file's data via vfs_clone_file_range() with neither the
share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle
fp->daccess check that the other write-bearing arms carry. A client can
overwrite destination data on a read-only share, or from a handle opened
with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp).
FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via
the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix;
require FILE_WRITE_DATA since this writes data.
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions