1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 13:04:36 +0200
Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in
open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
CVE: CVE-2023-4091
Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
selftest/knownfail.d/samba3.smb2.acls | 1 -
source3/smbd/open.c | 4 ++--
2 files changed, 2 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
deleted file mode 100644
index 18df260..0000000
--- a/selftest/knownfail.d/samba3.smb2.acls
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 2c3bf9e..4bec5cb 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp,
conn->cwd_fsp,
smb_fname,
false,
- access_mask);
+ open_access_mask);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("open_file: "
@@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp,
conn->cwd_fsp,
smb_fname,
false,
- access_mask);
+ open_access_mask);
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) &&
--
2.40.0
|