ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE
authorGil Portnoy <dddhkts1@gmail.com>
Thu, 11 Jun 2026 22:15:38 +0000 (07:15 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 16 Jun 2026 23:57:22 +0000 (18:57 -0500)
The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the
destination file's data via vfs_clone_file_range() with neither the
share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle
fp->daccess check that the other write-bearing arms carry. A client can
overwrite destination data on a read-only share, or from a handle opened
with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp).
A FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via
the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix;
require FILE_WRITE_DATA since this writes data.

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index 4e008793179597e7884abd5dce47ef2051562cfe..32f568cea16a9a75bfc512b745b5709b5f97f652 100644 (file)
@@ -8766,6 +8766,17 @@ int smb2_ioctl(struct ksmbd_work *work)
                        goto dup_ext_out;
                }
 
+               if (!test_tree_conn_flag(work->tcon,
+                                        KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+                       ret = -EACCES;
+                       goto dup_ext_out;
+               }
+
+               if (!(fp_out->daccess & FILE_WRITE_DATA_LE)) {
+                       ret = -EACCES;
+                       goto dup_ext_out;
+               }
+
                src_off = le64_to_cpu(dup_ext->SourceFileOffset);
                dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
                length = le64_to_cpu(dup_ext->ByteCount);
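Review bot: The two added checks cover only the destination side (`work->tcon` and `fp_out->daccess`); nothing in this hunk verifies that the source handle was opened with read-data access before its contents are cloned into the destination. The source handle lookup sits above the hunk, so such a check may already exist there, but if it does not, a matching `daccess & FILE_READ_DATA_LE` test on the source handle that sets `ret = -EACCES` and jumps to `dup_ext_out` would close the read half of the same gap. It would also help to put a short comment above the `FILE_WRITE_DATA_LE` test, for example `/* FMODE_WRITE on the filp is not enough: a FILE_WRITE_ATTRIBUTES-only open has it too */`, so the check is not later dropped as redundant. The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() starts and ends outside the hunk.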