From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 1 Aug 2023 13:04:36 +0200 Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in open_file() If the client requested FILE_OVERWRITE[_IF], we're implicitly adding FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the access check we're using access_mask which doesn't contain the additional right, which means we can end up truncating a file for which the user has only read-only access via an SD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme CVE: CVE-2023-4091 Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5] Signed-off-by: Archana Polampalli --- selftest/knownfail.d/samba3.smb2.acls | 1 - source3/smbd/open.c | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.smb2.acls diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls deleted file mode 100644 index 18df260..0000000 --- a/selftest/knownfail.d/samba3.smb2.acls +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 2c3bf9e..4bec5cb 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp, conn->cwd_fsp, smb_fname, false, - access_mask); + open_access_mask); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("open_file: " @@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp, conn->cwd_fsp, smb_fname, false, - access_mask); + open_access_mask); if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) && -- 2.40.0