ksmbd: validate owner of durable handle on reconnect

Currently, ksmbd does not verify if the user attempting to reconnect
to a durable handle is the same user who originally opened the file.
This allows any authenticated user to hijack an orphaned durable handle
by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext
of the reconnect request matches the SecurityContext associated with
the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's
UID, GID, and account name. and catpure the owner information when a file
handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()
to validate the identity of the requester during SMB2_CREATE (DHnC).

Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Reported-by: Navaneeth K <knavaneeth786@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index 39be2d2be86c3a03c6e1303dcd1e165a0655201a..a86589408835bcb7b9ff7f3e11dd14d2b129f4c8 100644 (file)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -382,12 +382,10 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
                return;
 
        delete_proc_session(sess);
-
+       ksmbd_tree_conn_session_logoff(sess);
+       ksmbd_destroy_file_table(sess);
        if (sess->user)
                ksmbd_free_user(sess->user);
-
-       ksmbd_tree_conn_session_logoff(sess);
-       ksmbd_destroy_file_table(&sess->file_table);
        ksmbd_launch_ksmbd_durable_scavenger();
        ksmbd_session_rpc_clear_list(sess);
        free_channel_list(sess);
@@ -618,7 +616,7 @@ void destroy_previous_session(struct ksmbd_conn *conn,
                goto out;
        }
 
-       ksmbd_destroy_file_table(&prev_sess->file_table);
+       ksmbd_destroy_file_table(prev_sess);
        prev_sess->state = SMB2_SESSION_EXPIRED;
        ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
        ksmbd_launch_ksmbd_durable_scavenger();

diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index 9b2bb8764a805ba8edfac7b52c1653ab2d0506f5..cd3f28b0e7cb24923e737c017b41d00569d784fd 100644 (file)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1841,6 +1841,7 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
                              struct ksmbd_share_config *share,
                              struct ksmbd_file *fp,
                              struct lease_ctx_info *lctx,
+                             struct ksmbd_user *user,
                              char *name)
 {
        struct oplock_info *opinfo = opinfo_get(fp);
@@ -1849,6 +1850,12 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
        if (!opinfo)
                return 0;
 
+       if (ksmbd_vfs_compare_durable_owner(fp, user) == false) {
+               ksmbd_debug(SMB, "Durable handle reconnect failed: owner mismatch\n");
+               ret = -EBADF;
+               goto out;
+       }
+
        if (opinfo->is_lease == false) {
                if (lctx) {
                        pr_err("create context include lease\n");

diff --git a/fs/smb/server/oplock.h b/fs/smb/server/oplock.h
index 921e3199e4df4355d9e6154ca96181dd899b070a..d91a8266e065ef340a357a773c48670e2ce276a6 100644 (file)
--- a/fs/smb/server/oplock.h
+++ b/fs/smb/server/oplock.h
@@ -126,5 +126,6 @@ int smb2_check_durable_oplock(struct ksmbd_conn *conn,
                              struct ksmbd_share_config *share,
                              struct ksmbd_file *fp,
                              struct lease_ctx_info *lctx,
+                             struct ksmbd_user *user,
                              char *name);
 #endif /* __KSMBD_OPLOCK_H */

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 764a78dec46aedbba5693d489c5b9fd98e3909ea..d0b05878757eb8eeb5eccbdbd59fc4ab2558fe6a 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3013,7 +3013,8 @@ int smb2_open(struct ksmbd_work *work)
                }
 
                if (dh_info.reconnected == true) {
-                       rc = smb2_check_durable_oplock(conn, share, dh_info.fp, lc, name);
+                       rc = smb2_check_durable_oplock(conn, share, dh_info.fp,
+                                       lc, sess->user, name);
                        if (rc) {
                                ksmbd_put_durable_fd(dh_info.fp);
                                goto err_out2;

diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 87f63525062b1163ab887dc9e442159ff6c0b9da..3551f01a3fa0351d9fd801ccee87c23f3a7db198 100644 (file)
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -19,6 +19,7 @@
 #include "misc.h"
 #include "mgmt/tree_connect.h"
 #include "mgmt/user_session.h"
+#include "mgmt/user_config.h"
 #include "smb_common.h"
 #include "server.h"
 #include "smb2pdu.h"
@@ -476,6 +477,8 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
 
        if (ksmbd_stream_fd(fp))
                kfree(fp->stream.name);
+       kfree(fp->owner.name);
+
        kmem_cache_free(filp_cache, fp);
 }
 
@@ -787,11 +790,13 @@ void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
 }
 
 static int
-__close_file_table_ids(struct ksmbd_file_table *ft,
+__close_file_table_ids(struct ksmbd_session *sess,
                       struct ksmbd_tree_connect *tcon,
                       bool (*skip)(struct ksmbd_tree_connect *tcon,
-                                   struct ksmbd_file *fp))
+                                   struct ksmbd_file *fp,
+                                   struct ksmbd_user *user))
 {
+       struct ksmbd_file_table *ft = &sess->file_table;
        struct ksmbd_file *fp;
        unsigned int id = 0;
        int num = 0;
@@ -804,7 +809,7 @@ __close_file_table_ids(struct ksmbd_file_table *ft,
                        break;
                }
 
-               if (skip(tcon, fp) ||
+               if (skip(tcon, fp, sess->user) ||
                    !atomic_dec_and_test(&fp->refcount)) {
                        id++;
                        write_unlock(&ft->lock);
@@ -856,7 +861,8 @@ static inline bool is_reconnectable(struct ksmbd_file *fp)
 }
 
 static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
-                              struct ksmbd_file *fp)
+                              struct ksmbd_file *fp,
+                              struct ksmbd_user *user)
 {
        return fp->tcon != tcon;
 }
@@ -991,8 +997,62 @@ void ksmbd_stop_durable_scavenger(void)
        kthread_stop(server_conf.dh_task);
 }
 
+/*
+ * ksmbd_vfs_copy_durable_owner - Copy owner info for durable reconnect
+ * @fp: ksmbd file pointer to store owner info
+ * @user: user pointer to copy from
+ *
+ * This function binds the current user's identity to the file handle
+ * to satisfy MS-SMB2 Step 8 (SecurityContext matching) during reconnect.
+ *
+ * Return: 0 on success, or negative error code on failure
+ */
+static int ksmbd_vfs_copy_durable_owner(struct ksmbd_file *fp,
+               struct ksmbd_user *user)
+{
+       if (!user)
+               return -EINVAL;
+
+       /* Duplicate the user name to ensure identity persistence */
+       fp->owner.name = kstrdup(user->name, GFP_KERNEL);
+       if (!fp->owner.name)
+               return -ENOMEM;
+
+       fp->owner.uid = user->uid;
+       fp->owner.gid = user->gid;
+
+       return 0;
+}
+
+/**
+ * ksmbd_vfs_compare_durable_owner - Verify if the requester is original owner
+ * @fp: existing ksmbd file pointer
+ * @user: user pointer of the reconnect requester
+ *
+ * Compares the UID, GID, and name of the current requester against the
+ * original owner stored in the file handle.
+ *
+ * Return: true if the user matches, false otherwise
+ */
+bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp,
+               struct ksmbd_user *user)
+{
+       if (!user || !fp->owner.name)
+               return false;
+
+       /* Check if the UID and GID match first (fast path) */
+       if (fp->owner.uid != user->uid || fp->owner.gid != user->gid)
+               return false;
+
+       /* Validate the account name to ensure the same SecurityContext */
+       if (strcmp(fp->owner.name, user->name))
+               return false;
+
+       return true;
+}
+
 static bool session_fd_check(struct ksmbd_tree_connect *tcon,
-                            struct ksmbd_file *fp)
+                            struct ksmbd_file *fp, struct ksmbd_user *user)
 {
        struct ksmbd_inode *ci;
        struct oplock_info *op;
@@ -1002,6 +1062,9 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
        if (!is_reconnectable(fp))
                return false;
 
+       if (ksmbd_vfs_copy_durable_owner(fp, user))
+               return false;
+
        conn = fp->conn;
        ci = fp->f_ci;
        down_write(&ci->m_lock);
@@ -1033,7 +1096,7 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
 
 void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
 {
-       int num = __close_file_table_ids(&work->sess->file_table,
+       int num = __close_file_table_ids(work->sess,
                                         work->tcon,
                                         tree_conn_fd_check);
 
@@ -1042,7 +1105,7 @@ void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
 
 void ksmbd_close_session_fds(struct ksmbd_work *work)
 {
-       int num = __close_file_table_ids(&work->sess->file_table,
+       int num = __close_file_table_ids(work->sess,
                                         work->tcon,
                                         session_fd_check);
 
@@ -1140,6 +1203,10 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
        }
        up_write(&ci->m_lock);
 
+       fp->owner.uid = fp->owner.gid = 0;
+       kfree(fp->owner.name);
+       fp->owner.name = NULL;
+
        return 0;
 }
 
@@ -1154,12 +1221,14 @@ int ksmbd_init_file_table(struct ksmbd_file_table *ft)
        return 0;
 }
 
-void ksmbd_destroy_file_table(struct ksmbd_file_table *ft)
+void ksmbd_destroy_file_table(struct ksmbd_session *sess)
 {
+       struct ksmbd_file_table *ft = &sess->file_table;
+
        if (!ft->idr)
                return;
 
-       __close_file_table_ids(ft, NULL, session_fd_check);
+       __close_file_table_ids(sess, NULL, session_fd_check);
        idr_destroy(ft->idr);
        kfree(ft->idr);
        ft->idr = NULL;

diff --git a/fs/smb/server/vfs_cache.h b/fs/smb/server/vfs_cache.h
index 78b506c5ef03b766a5347489484b2e6668ccf349..866f32c10d4dda508ef3f7ec2f177ff7274346c4 100644 (file)
--- a/fs/smb/server/vfs_cache.h
+++ b/fs/smb/server/vfs_cache.h
@@ -68,6 +68,13 @@ enum {
        FP_CLOSED
 };
 
+/* Owner information for durable handle reconnect */
+struct durable_owner {
+       unsigned int uid;
+       unsigned int gid;
+       char *name;
+};
+
 struct ksmbd_file {
        struct file                     *filp;
        u64                             persistent_id;
@@ -114,6 +121,7 @@ struct ksmbd_file {
        bool                            is_resilient;
 
        bool                            is_posix_ctxt;
+       struct durable_owner            owner;
 };
 
 static inline void set_ctx_actor(struct dir_context *ctx,
@@ -140,7 +148,7 @@ static inline bool ksmbd_stream_fd(struct ksmbd_file *fp)
 }
 
 int ksmbd_init_file_table(struct ksmbd_file_table *ft);
-void ksmbd_destroy_file_table(struct ksmbd_file_table *ft);
+void ksmbd_destroy_file_table(struct ksmbd_session *sess);
 int ksmbd_close_fd(struct ksmbd_work *work, u64 id);
 struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id);
 struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id);
@@ -166,6 +174,8 @@ void ksmbd_free_global_file_table(void);
 void ksmbd_set_fd_limit(unsigned long limit);
 void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
                         unsigned int state);
+bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp,
+               struct ksmbd_user *user);
 
 /*
  * INODE hash