Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.
Product status
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before 3127a884525dc8ca4def73254bfcd3ccef0bf812
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before de9eb0b44fa9123170e6245b49638e0e453c10f8
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before aef151bcfa494bfe983669de2726734b534adb73
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 (git) before cc57232cae23c0df91b4a59d0f519141ce9b5b02
5.15
Any version before 5.15
6.6.143 (semver)
6.18.35 (semver)
7.0.12 (semver)
7.1 (original_commit_for_fix)
References
git.kernel.org/...c/3127a884525dc8ca4def73254bfcd3ccef0bf812
git.kernel.org/...c/de9eb0b44fa9123170e6245b49638e0e453c10f8
git.kernel.org/...c/aef151bcfa494bfe983669de2726734b534adb73
git.kernel.org/...c/cc57232cae23c0df91b4a59d0f519141ce9b5b02