git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sean Shen <grayhat@foxmail.com>
	Tue, 26 May 2026 13:07:16 +0000 (22:07 +0900)
committer	Steve French <stfrench@microsoft.com>
	Wed, 27 May 2026 01:36:36 +0000 (20:36 -0500)
commit	cc57232cae23c0df91b4a59d0f519141ce9b5b02
tree	5bf2a31165811a5698036cfea0af74c711ccc5f4	tree \| snapshot
parent	2f15dcd0d4b502c704a52f5c7de128b163677978	commit \| diff

ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE

FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse
attribute and saves it through xattr without any permission checks.

This exposes two issues:

1) A client on a read-only share can change the sparse attribute
   on files it opened, even though the share is read-only.
   Other FSCTL write operations already check
   test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE),
   but FSCTL_SET_SPARSE does not.

2) Even on writable shares, clients without FILE_WRITE_DATA or
   FILE_WRITE_ATTRIBUTES access should not modify the sparse
   attribute. Similar handle-level checks exist in other functions
   but are missing here.

Add both share-level writable check and per-handle access check.
Use goto out on error to avoid leaking file references.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Steve French <smfrench@gmail.com>
Signed-off-by: Sean Shen <grayhat@foxmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>