git.ipfire.org Git - thirdparty/linux.git/commitdiff
ksmbd: add per-handle permission check to FILE_LINK_INFORMATION
author Gil Portnoy <dddhkts1@gmail.com>
Wed, 10 Jun 2026 11:13:51 +0000 (20:13 +0900)
committer Steve French <stfrench@microsoft.com>
Tue, 16 Jun 2026 23:57:21 +0000 (18:57 -0500)
The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls
smb2_create_link() with no per-handle fp->daccess check. On the
ReplaceIfExists path smb2_create_link() unlinks an existing file at the
target name (ksmbd_vfs_remove_file) and creates a hardlink
(ksmbd_vfs_link); neither helper checks daccess. A handle opened with
FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore
delete an arbitrary file in the share and plant a hardlink over its name.

The sibling delete/move arms in the same switch already gate:
FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require
FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate
the link arm the same way as its closest analogue (rename), since it
mutates the namespace and, on replace, deletes an existing entry.

This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission
bypass by adding a permission check for FSCTL_SET_SPARSE").

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index 42669402637d96879259bbb34becd9adb7b8877f..f9106b35e63cf2a0b5173d1e569456874ebd15e8 100644 (file)
@@ -6575,6 +6575,11 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
        }
        case FILE_LINK_INFORMATION:
        {
+               if (!(fp->daccess & FILE_DELETE_LE)) {
+                       pr_err("no right to delete : 0x%x\n", fp->daccess);
+                       return -EACCES;
+               }
+
                if (buf_len < sizeof(struct smb2_file_link_info))
                        return -EMSGSIZE;
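Review bot: The pr_err() in the new denial branch at the top of the FILE_LINK_INFORMATION arm is reachable on demand by any client holding a handle without FILE_DELETE, so a client can fill the kernel log by repeating the request. Consider pr_err_ratelimited() or ksmbd_debug() here. The message text "no right to delete" also does not say that the rejected operation was a link request, which makes the log line hard to attribute when triaging; naming the info class in the string would help. Separately, the gate applies whether or not ReplaceIfExists is set, so a plain link creation that deletes nothing now also requires FILE_DELETE_LE. The commit message justifies this by analogy with rename, but a short comment above the check stating that this is intentional would save the next reader from having to look up the rationale.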