[PATCH] Fix bug #9794 - opening/editing or copying MS files causes a core dump with invalid lock order

Jeremy Allison jra at samba.org
Thu Apr 25 15:42:21 MDT 2013 

Here is a modest fix to apply to master to fix
the bug in the subject line.

The real bug is that the function open_file_fchmod()
can be called inside of an open file request inside
of create_file_default(), but that requires a follow-up
patchset that will be 4.1.x (i.e. master-only).

Please review and push if you approve.

Jeremy.
-------------- next part --------------
From 52150de2b088f0bddb76e59caab31d674f02516c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 25 Apr 2013 13:59:22 -0700
Subject: [PATCH 1/4] Add early return in file_set_dosmode() on a read only
 share.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/dosmode.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 19b7675..cd7a1fd 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -706,6 +706,11 @@ int file_set_dosmode(connection_struct *conn, struct smb_filename *smb_fname,
 	uint32_t old_mode;
 	struct timespec new_create_timespec;
 
+	if (!CAN_WRITE(conn)) {
+		errno = EROFS;
+		return -1;
+	}
+
 	/* We only allow READONLY|HIDDEN|SYSTEM|DIRECTORY|ARCHIVE here. */
 	dosmode &= (SAMBA_ATTRIBUTES_MASK | FILE_ATTRIBUTE_OFFLINE);
 
-- 
1.8.2.1


From 8230d700af114c5101b0c8b9b9bc32a441794769 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 25 Apr 2013 14:00:42 -0700
Subject: [PATCH 2/4] Remove indentation around code wrapped by unneeded
 CAN_WRITE.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/dosmode.c | 43 ++++++++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 23 deletions(-)

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index cd7a1fd..1fb0088 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -705,6 +705,7 @@ int file_set_dosmode(connection_struct *conn, struct smb_filename *smb_fname,
 	int ret = -1, lret = -1;
 	uint32_t old_mode;
 	struct timespec new_create_timespec;
+	files_struct *fsp = NULL;
 
 	if (!CAN_WRITE(conn)) {
 		errno = EROFS;
@@ -855,29 +856,25 @@ int file_set_dosmode(connection_struct *conn, struct smb_filename *smb_fname,
 		bits on a file. Just like file_ntimes below.
 	*/
 
-	/* Check if we have write access. */
-	if (CAN_WRITE(conn)) {
-		/*
-		 * We need to open the file with write access whilst
-		 * still in our current user context. This ensures we
-		 * are not violating security in doing the fchmod.
-		 */
-		files_struct *fsp;
-		if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname,
-				     &fsp)))
-			return -1;
-		become_root();
-		ret = SMB_VFS_FCHMOD(fsp, unixmode);
-		unbecome_root();
-		close_file(NULL, fsp, NORMAL_CLOSE);
-		if (!newfile) {
-			notify_fname(conn, NOTIFY_ACTION_MODIFIED,
-				     FILE_NOTIFY_CHANGE_ATTRIBUTES,
-				     smb_fname->base_name);
-		}
-		if (ret == 0) {
-			smb_fname->st.st_ex_mode = unixmode;
-		}
+	/*
+	 * We need to open the file with write access whilst
+	 * still in our current user context. This ensures we
+	 * are not violating security in doing the fchmod.
+	 */
+	if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname,
+			     &fsp)))
+		return -1;
+	become_root();
+	ret = SMB_VFS_FCHMOD(fsp, unixmode);
+	unbecome_root();
+	close_file(NULL, fsp, NORMAL_CLOSE);
+	if (!newfile) {
+		notify_fname(conn, NOTIFY_ACTION_MODIFIED,
+			     FILE_NOTIFY_CHANGE_ATTRIBUTES,
+			     smb_fname->base_name);
+	}
+	if (ret == 0) {
+		smb_fname->st.st_ex_mode = unixmode;
 	}
 
 	return( ret );
-- 
1.8.2.1


From 2feabb734776499cd7ccff7d294fde42a4bf0d07 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 25 Apr 2013 14:02:24 -0700
Subject: [PATCH 3/4] Ensure we don't try the open_file_fchmod() if we can't
 write to the file.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/dosmode.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 1fb0088..4a34947 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -856,6 +856,11 @@ int file_set_dosmode(connection_struct *conn, struct smb_filename *smb_fname,
 		bits on a file. Just like file_ntimes below.
 	*/
 
+	if (!can_write_to_file(conn, smb_fname)) {
+		errno = EACCES;
+		return -1;
+	}
+
 	/*
 	 * We need to open the file with write access whilst
 	 * still in our current user context. This ensures we
-- 
1.8.2.1


From 51d9b33d96034940280d0fc11a511c863e8203a6 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 25 Apr 2013 14:06:03 -0700
Subject: [PATCH 4/4] Check for WRITE_ACCESS on the file before overriding an
 EACCESS.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/dosmode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 4a34947..b534626 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -417,6 +417,10 @@ static bool set_ea_dos_attribute(connection_struct *conn,
 		if(!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn)))
 			return false;
 
+		if (!can_write_to_file(conn, smb_fname)) {
+			return false;
+		}
+
 		/*
 		 * We need to open the file with write access whilst
 		 * still in our current user context. This ensures we
-- 
1.8.2.1

More information about the samba-technical mailing list