ksmbd: add a permission check for FSCTL_SET_ZERO_DATA

dhkts1 · namjaejeon · commit 52da69c009a9 · 2026-06-10T19:30:30.000+09:00
FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via
ksmbd_vfs_zero_data() -&gt; vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after checking
only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no per-handle access
check. A handle opened with only FILE_WRITE_ATTRIBUTES still yields an
FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of FILE_WRITE_DESIRE_ACCESS_LE,
so smb2_create_open_flags() opens it O_WRONLY), so the vfs_fallocate
FMODE_WRITE check does not stop it; only the missing fp-&gt;daccess gate would.
Reproduced on mainline 7.1-rc7 with KASAN by an authenticated SMB client: a
FILE_WRITE_ATTRIBUTES-only handle zeroed 4096 bytes of file data it had no
FILE_WRITE_DATA right to (6/6; a FILE_READ_DATA-only handle was correctly
denied).

This is the unfixed sibling of cc57232cae23 ("ksmbd: fix FSCTL permission
bypass by adding a permission check for FSCTL_SET_SPARSE"). Because
SET_ZERO_DATA writes data (not an attribute), require FILE_WRITE_DATA.

Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy &lt;dddhkts1@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
diff --git a/smb2pdu.c b/smb2pdu.c
@@ -9035,6 +9035,12 @@ int smb2_ioctl(struct ksmbd_work *work)
 				goto out;
 			}
 
+			if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
+				ksmbd_fd_put(work, fp);
+				ret = -EACCES;
+				goto out;
+			}
+
 			ret = ksmbd_vfs_zero_data(work, fp, off, len);
 			ksmbd_fd_put(work, fp);
 			if (ret < 0)
