]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 683aa63) | patch
cifs: fix rename() by ensuring source handle opened with DELETE bit
authorAurelien Aptel <aaptel@suse.com>
Fri, 21 Feb 2020 10:19:06 +0000 (11:19 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Mar 2020 12:00:18 +0000 (13:00 +0100)
commit3b7a18c66b46bf7d6c414732c62f86104c1d8375
tree7dc112b764eec17606e05fb091ccb5f76893dabbtree | snapshot
parent683aa6325be6f697ef8256f36b07d8c4da612c5ecommit | diff
cifs: fix rename() by ensuring source handle opened with DELETE bit

commit caa0cf3c2b8473f5d7908b27232db52a73aefee6 upstream.

To rename a file in SMB2 we open it with the DELETE access and do a
special SetInfo on it. If the handle is missing the DELETE bit the
server will fail the SetInfo with STATUS_ACCESS_DENIED.

We currently try to reuse any existing opened handle we have with
cifs_get_writable_path(). That function looks for handles with WRITE
access but doesn't check for DELETE, making rename() fail if it finds
a handle to reuse. Simple reproducer below.

To select handles with the DELETE bit, this patch adds a flag argument
to cifs_get_writable_path() and find_writable_file() and the existing
'bool fsuid_only' argument is converted to a flag.

The cifsFileInfo struct only stores the UNIX open mode but not the
original SMB access flags. Since the DELETE bit is not mapped in that
mode, this patch stores the access mask in cifs_fid on file open,
which is accessible from cifsFileInfo.

Simple reproducer:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#define E(s) perror(s), exit(1)

int main(int argc, char *argv[])
{
int fd, ret;
if (argc != 3) {
fprintf(stderr, "Usage: %s A B\n"
"create&open A in write mode, "
"rename A to B, close A\n", argv[0]);
return 0;
}

fd = openat(AT_FDCWD, argv[1], O_WRONLY|O_CREAT|O_SYNC, 0666);
if (fd == -1) E("openat()");

ret = rename(argv[1], argv[2]);
if (ret) E("rename()");

ret = close(fd);
if (ret) E("close()");

return ret;
}

$ gcc -o bugrename bugrename.c
$ ./bugrename /mnt/a /mnt/b
rename(): Permission denied

Fixes: 921a4b29fa17 ("cifs: create a helper to find a writeable handle by path name")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/cifs/cifsglob.h diff | blob | history
fs/cifs/cifsproto.h diff | blob | history
fs/cifs/cifssmb.c diff | blob | history
fs/cifs/file.c diff | blob | history
fs/cifs/inode.c diff | blob | history
fs/cifs/smb1ops.c diff | blob | history
fs/cifs/smb2inode.c diff | blob | history
fs/cifs/smb2ops.c diff | blob | history
fs/cifs/smb2pdu.c diff | blob | history
Linux Kernel Source Tree.