FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to
vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB
access mask granted to the source handle. A handle opened with attribute
access can consequently be used to copy file contents into an
attacker-readable destination.

Require FILE_READ_DATA on the source handle before either VFS operation,
matching other ksmbd data-copy paths.

Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
ret = -EACCES;
goto dup_ext_out;
}
+ if (!(fp_in->daccess & FILE_READ_DATA_LE)) {
+ ret = -EACCES;
+ goto dup_ext_out;
+ }
src_off = le64_to_cpu(dup_ext->SourceFileOffset);
dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
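Review bot: The added `fp_in->daccess & FILE_READ_DATA_LE` test returns the same -EACCES through the same dup_ext_out label as the branch just above it, with no comment or debug message, so a denied request cannot be attributed to the source handle rather than to the earlier check. Consider a one-line comment above the test stating that the source handle must carry FILE_READ_DATA because its contents are copied into the target, plus a debug message that names the source handle. The commit message also has Cc: stable but no Fixes: tag; adding one would tell stable maintainers how far back the check needs to be applied.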