| author | Namjae Jeon <linkinjeon@kernel.org> | 2026-06-13 22:00:02 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-16 18:57:22 -0500 |
| commit | cedff600f1642aa982178503552f0d007bc829c8 (patch) | |
| tree | fa7becae55fc78a387f2f81d263c1865c75588e2 | |
| parent | b383bcad3d2fe634b26efbce53e22bbb5753a520 (diff) | |
ksmbd: require source read access for duplicate extents

FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to
vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB
access mask granted to the source handle. A handle opened with attribute
access can consequently be used to copy file contents into an
attacker-readable destination.

Require FILE_READ_DATA on the source handle before either VFS operation,
matching other ksmbd data-copy paths.

Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

| -rw-r--r-- | fs/smb/server/smb2pdu.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 6d3f975d582f..fcb1bcd5de95 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -8778,6 +8778,10 @@ int smb2_ioctl(struct ksmbd_work *work) ret = -EACCES; goto dup_ext_out; } + if (!(fp_in->daccess & FILE_READ_DATA_LE)) { + ret = -EACCES; + goto dup_ext_out; + } src_off = le64_to_cpu(dup_ext->SourceFileOffset); dst_off = le64_to_cpu(dup_ext->TargetFileOffset); |
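Review bot: the added `fp_in->daccess & FILE_READ_DATA_LE` test in smb2_ioctl() carries no comment and sits directly below another bare `ret = -EACCES; goto dup_ext_out;` block, so the code alone does not say which handle each check guards or why read access is required at this point. A one-line comment above the new test stating that the source handle must hold FILE_READ_DATA before the clone or copy runs would make the intent survive later refactoring. The commit message says this matches other ksmbd data-copy paths; if those paths use the same mask test, naming them in the message or moving the test into a shared helper would keep the checks from drifting apart. A regression test that opens the source with attribute-only access and expects the duplicate-extents request to be refused would confirm the fix and guard against the check being dropped.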
