three ksmbd server fixes

-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmoZxw8ACgkQiiy9cAdy T1HhnwwAvivw/s84qQhbkgQllNMdb4SPl+Ph+DRMiwyrZjXr36kv8jtiPIRIlplB Uk+jXpswQXNk6qVKriUzbM1xGTyBin4iFhDzXfLoMmtZtETAmnbHWX9cVFblOibb o+kMYMRXo+TGvQE5d47VKMioL7W5AUFoXfrIfOvWMhnRBaPwgb/aTblUxLFtHYLw rhDm24p5JKxHv9YsR5+XWofGP2STstMDgkKBYjqYolmrEaq1ho3qBVQtcGY/DJFT 5heZ/b+Tv8N0s9ccMOAipAW509Qjn3Tml5SvgRCTZ56nEuZHeZBYCoXLhdV1tPG9 iuCPxTKrgFkDOZNSdweZscR5OD3MlbDC103K6W/mDEZk3IIv3ZGYe4atBwiz8kMl 09xvct3UJviHuOWjVgI7TBDV+Y0Gpf7zTeOLfixhn2RrVjU2IwrKUjZBjKGkZAFI r5YcTK1FOe3a7WwXNYkVXVvTfwqvpIclQCs+qnQqAiEjvBNWvmTtgGg2eOlxEnBo j4AE8Ryh =0uMS -----END PGP SIGNATURE----- Merge tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - security fix for FSCTL_SET_SPARSE - fix leak in ksmbd_query_inode_status() - fix OOB read in smb_check_perm_dacl() * tag 'v7.1-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE ksmbd: release ksmbd_inode ref via ksmbd_inode_put on lookup paths ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
2026-06-03 03:53:37 +02:00 · 2026-05-29 21:50:56 -07:00 · 2026-05-29 21:50:56 -07:00 · 1246c246d9
commit 1246c246d9
parent 2765233a48 cc57232cae
3 changed files with 18 additions and 7 deletions
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@ -8202,9 +8202,20 @@ static inline int fsctl_set_sparse(struct ksmbd_work *work, u64 id,
 	int ret = 0;
 	__le32 old_fattr;

+	if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+		ksmbd_debug(SMB, "User does not have write permission\n");
+		return -EACCES;
+	}
+
 	fp = ksmbd_lookup_fd_fast(work, id);
 	if (!fp)
 		return -ENOENT;
+
+	if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_WRITE_ATTRIBUTES_LE))) {
+		ret = -EACCES;
+		goto out;
+	}
+
 	idmap = file_mnt_idmap(fp->filp);

 	old_fattr = fp->f_ci->m_fattr;
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@ -1446,8 +1446,8 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path,
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-			if (offsetof(struct smb_ace, sid) +
-			    aces_size < CIFS_SID_BASE_SIZE)
+			if (aces_size < offsetof(struct smb_ace, sid) +
+			    CIFS_SID_BASE_SIZE)
 				break;
 			ace_size = le16_to_cpu(ace->size);
 			if (ace_size > aces_size ||
@ -1467,8 +1467,8 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path,
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-		if (offsetof(struct smb_ace, sid) +
-		    aces_size < CIFS_SID_BASE_SIZE)
+		if (aces_size < offsetof(struct smb_ace, sid) +
+		    CIFS_SID_BASE_SIZE)
 			break;
 		ace_size = le16_to_cpu(ace->size);
 		if (ace_size > aces_size ||
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@ -217,7 +217,7 @@ int ksmbd_query_inode_status(struct dentry *dentry)
 		ret = KSMBD_INODE_STATUS_OK;
 	up_read(&ci->m_lock);

-	atomic_dec(&ci->m_count);
+	ksmbd_inode_put(ci);
 	return ret;
 }

@ -719,14 +719,14 @@ struct ksmbd_file *ksmbd_lookup_fd_inode(struct dentry *dentry)
 	down_read(&ci->m_lock);
 	list_for_each_entry(lfp, &ci->m_fp_list, node) {
 		if (inode == file_inode(lfp->filp)) {
-			atomic_dec(&ci->m_count);
 			lfp = ksmbd_fp_get(lfp);
 			up_read(&ci->m_lock);
+			ksmbd_inode_put(ci);
 			return lfp;
 		}
 	}
-	atomic_dec(&ci->m_count);
 	up_read(&ci->m_lock);
+	ksmbd_inode_put(ci);
 	return NULL;
 }