FSCTL_READ_FILE_USN_DATA on "SmartScreen" alternate data stream

Andrew Walker awalker at ixsystems.com
Wed Nov 9 17:58:07 UTC 2022 

Hey all,

I just saw an smbd crash where we asserted here:
```
static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
                              struct files_struct *fsp,
                              TALLOC_CTX *ctx,
                              uint32_t function,
                              uint16_t req_flags, /* Needed for UNICODE ...
*/
                              const uint8_t *_in_data,
                              uint32_t in_len,
                              uint8_t **_out_data,
                              uint32_t max_out_len,
                              uint32_t *out_len)
{
        const char *in_data = (const char *)_in_data;
        char **out_data = (char **)_out_data;
        NTSTATUS status;

        SMB_ASSERT(!fsp_is_alternate_stream(fsp));
```

Due to what appears to be a client sending FSCTL_READ_FILE_USN_DATA ioctl
to a SmartScreen alternate data stream.

```
#6  0x00000008016d13be in vfswrap_fsctl (handle=0x816c73280,
fsp=0x816c3d260, ctx=0x810398670, function=590059, req_flags=49217,
_in_data=0x0, in_len=0, _out_data=0x7fffffffdfa0, max_out_len=320,
    out_len=0x7fffffffe070)

(gdb) p *fsp.fsp_name
$3 = {base_name = 0x816c3e5c0 "System/Drivers/Peripherals/SoundBlaster
X3/Drivers version 3.4.98.00/USBCMDMasterInstaller_3.4.98.00.exe",
stream_name = 0x816c3e690 ":SmartScreen", flags = 0, st = {
    st_ex_dev = 17440526963365876026, st_ex_ino = 13799128922567319488,
st_ex_gen = 27211941, st_ex_file_id = 33830, st_ex_mode = 33272,
st_ex_nlink = 1, st_ex_uid = 1000, st_ex_gid = 0,
    st_ex_rdev = 18446744073709551615, st_ex_size = 7, st_ex_atime =
{tv_sec = 1667955800, tv_nsec = 250523235}, st_ex_mtime = {tv_sec =
1667955806, tv_nsec = 707597100}, st_ex_ctime = {
      tv_sec = 1667955806, tv_nsec = 707691237}, st_ex_btime = {tv_sec =
1667955801, tv_nsec = 825131076}, st_ex_itime = {tv_sec = 1667955801,
tv_nsec = 825131076}, st_ex_blksize = 131072,
    st_ex_blocks = 1, st_ex_flags = 2048, st_ex_iflags = 6}, twrp = 0, fsp
= 0x816c3d260, fsp_link = 0x810237480}
```

Of course, it's a soundblaster driver file :))) has anyone else seen this
behavior before from client? Perhaps we need to add fsctl hook to
streams_xattr since this I think asserting here is probably a bit excessive
(maybe pass along base fsp in this case)?

More information about the samba-technical mailing list