diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2026-06-07 14:15:51 +0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-17 02:57:21 +0300 |
| commit | 54bab9ba5a9f156ffa9324fcbe5a356fd0242f95 (patch) | |
| tree | c56c15c6be04a596a6c6370c988b4bc9b794967b /include/linux/timerqueue.h | |
| parent | d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e (diff) | |
| download | linux-54bab9ba5a9f156ffa9324fcbe5a356fd0242f95.tar.xz | |
ksmbd: prevent path traversal bypass by restricting caseless retry
ksmbd_vfs_path_lookup() enforces LOOKUP_BENEATH to restrict path
resolution within the share root. When a crafted path attempts to
escape the share boundary using parent-directory components ('..'),
vfs_path_parent_lookup() detects this and immediately fails,
returning -EXDEV.
However, a bug exists in __ksmbd_vfs_kern_path() under caseless mode.
The function fails to intercept the -EXDEV error and erroneously
falls through to the caseless retry logic, which is intended only
for genuinely missing files. During this retry process, the path
is reconstructed, leading to an unintended LOOKUP_BENEATH bypass
that allows write-capable users to create zero-length files or
directories outside the exported share.
Fix this by ensuring that the execution only proceeds to the caseless
lookup retry when the error is specifically -ENOENT. Any other errors,
such as -EXDEV from a path traversal attempt, must be returned immediately.
Cc: stable@vger.kernel.org
Reported-by: Y s65 <yu4ys@outlook.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions