CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
deleted file mode 100644 (file)
index 18df260..0000000
--- a/selftest/knownfail.d/samba3.smb2.acls
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 52c23ba93eae6f69abdfe9bb6e94959f4316c21f..0b27f8493c84b8a3a22e027be63b5ab9f87876c5 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1440,7 +1440,7 @@ static NTSTATUS open_file(
                                                dirfsp,
                                                fsp,
                                                false,
-                                               access_mask);
+                                               open_access_mask);
 
                                if (!NT_STATUS_IS_OK(status)) {
                                        DBG_DEBUG("smbd_check_access_rights_fsp"
@@ -1634,7 +1634,7 @@ static NTSTATUS open_file(
                        status = smbd_check_access_rights_fsp(dirfsp,
                                                              fsp,
                                                              false,
-                                                             access_mask);
+                                                             open_access_mask);
 
                        if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
                            posix_open &&