From bff3a637d9b261c8e04114fbd32060ac822f94d0 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 1 Aug 2023 13:04:36 +0200 Subject: [PATCH 1/2] CVE-2023-4091: smbd: use open_access_mask for access check in open_file() If the client requested FILE_OVERWRITE[_IF], we're implicitly adding FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the access check we're using access_mask which doesn't contain the additional right, which means we can end up truncating a file for which the user has only read-only access via an SD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme --- selftest/knownfail.d/samba3.smb2.acls | 1 - source3/smbd/open.c | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.smb2.acls diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls deleted file mode 100644 index 18df260c0e50..000000000000 --- a/selftest/knownfail.d/samba3.smb2.acls +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 87719eec06e6..93c12e00eb0d 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req, dirfsp, fsp, false, - access_mask); + open_access_mask); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("smbd_check_access_rights_fsp" @@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req, status = smbd_check_access_rights_fsp(dirfsp, fsp, false, - access_mask); + open_access_mask); if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && posix_open && -- 2.41.0 From fa3ac41c89c6a327a62c7365ff5189b835c9d451 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Wed, 2 Aug 2023 14:14:31 +0200 Subject: [PATCH 2/2] advisory-CVE-2023-4091.txt --- advisory-CVE-2023-4091.txt | 89 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 advisory-CVE-2023-4091.txt diff --git a/advisory-CVE-2023-4091.txt b/advisory-CVE-2023-4091.txt new file mode 100644 index 000000000000..6b6f94d1d5ca --- /dev/null +++ b/advisory-CVE-2023-4091.txt 
@@ -0,0 +1,89 @@ +=========================================================== +== Subject: SMB clients can truncate files with +== read-only permissions +== +== CVE ID#: CVE-2023-4091 +== +== Versions: All Samba versions +== +== Summary: SMB client can truncate files to 0 bytes +== by opening files with OVERWRITE disposition +== when using the acl_xattr Samba VFS module +== with the smb.conf setting +== "acl_xattr:ignore system acls = yes" +=========================================================== + +=========== +Description +=========== + +The SMB protocol allows opening files where the client +requests read-only access, but then implicitly truncating +the opened file if the client specifies a separate OVERWRITE +create disposition. + +This operation requires write access to the file, and in the +default Samba configuration the operating system kernel will +deny access to open a read-only file for read/write (which +the truncate operation requires). + +However, when Samba has been configured to ignore kernel +file system permissions, Samba will truncate a file when the +underlying operating system kernel would deny the operation. + +Affected Samba configurations are the ones where kernel +file-system permission checks are bypassed, relying on +Samba's own permission enforcement. The error is that this +check is done against the client request for read-only +access, and not the implicitly requested read-write (for +truncate) one. + +The widely used Samba VFS module "acl_xattr" when configured +with the module configuration parameter "acl_xattr:ignore +system acls = yes" is the only upstream Samba module that +allows this behavior and is the only known method of +reproducing this security flaw. + +If (as is the default) the module configuration parameter +"acl_xattr:ignore system acls=no", then the Samba server is +not vulnerable to this attack. 
+ +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have +been issued as security releases to correct the defect. +Samba administrators are advised to upgrade to these +releases or apply the patch as soon as possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5) + +========== +Workaround +========== + +None. + +======= +Credits +======= + +Originally reported by Sri Nagasubramanian +from Nasuni. + +Patches provided by Ralph Böhme of SerNet and the Samba team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + -- 2.41.0
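Review bot: removing `^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE` from `selftest/knownfail.d/samba3.smb2.acls` only makes sense if that test case is already in the tree and currently failing; this is PATCH 1/2 and neither patch in the series adds the test, so please confirm the test landed before this commit (otherwise the knownfail removal has nothing to flip and the fix ships without a regression guard).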
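Review bot: the switch from `access_mask` to `open_access_mask` in the `smbd_check_access_rights_fsp()` call in the first `open.c` hunk (`@@ -1442,7`) is correct only because `open_access_mask` is a superset of `access_mask` at that point (the commit message says `FILE_WRITE_DATA` is added for `FILE_OVERWRITE[_IF]`); a one-line comment above the call stating that the check must use the rights actually exercised by the open, including the implicit truncate, would stop a future reader from "simplifying" it back to `access_mask`.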
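Review bot: the same substitution in the second `open.c` hunk (`@@ -1633,7`) sits directly before the `NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && posix_open` branch; please confirm that passing the wider `open_access_mask` cannot turn a previously NOT_FOUND result into ACCESS_DENIED on that path, since that would change which branch the POSIX open takes. It would also help to state in the commit message whether any other `smbd_check_access_rights_fsp()` call in `open_file()` still receives `access_mask`, and if so why it is fine.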
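Review bot: in the advisory hunk, the Patch Availability paragraph reads "Patches addressing both these issues", but this advisory covers a single issue (CVE-2023-4091), so it should say "this issue". The module parameter is also spelled two ways, "acl_xattr:ignore system acls = yes" in the Summary and "acl_xattr:ignore system acls=no" in the last Description paragraph; pick one spacing so administrators can grep their smb.conf for it reliably.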