cifs-utils: patch CVE-2025-2312

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312 Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-14 05:49:57 +00:00 · 2025-12-29 15:51:44 +01:00
parent 1a7e2ac776
commit 6a2e51e989
2 changed files with 138 additions and 1 deletions
@@ -0,0 +1,135 @@
+From 44312bbc9aaae39a88541abe7ab7700314d34047 Mon Sep 17 00:00:00 2001
+From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Date: Tue, 19 Nov 2024 06:07:58 +0000
+Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
+
+NOTE: This patch is dependent on one of the previously sent patches:
+[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
+which introduces a new mount option called upcall_target, to
+customise the upcall behaviour.
+
+Building upon the above patch, the following patch adds functionality
+to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
+mount, app.
+Having this new mount option allows the mount command to specify where the
+upcall should happen: 'mount' for resolving the upcall to the host
+namespace, and 'app' for resolving the upcall to the ns of the calling
+thread. This will enable both the scenarios where the Kerberos credentials
+can be found on the application namespace or the host namespace to which
+just the mount operation is "delegated".
+This aids use cases like Kubernetes where the mount
+happens on behalf of the application in another container altogether.
+
+Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+
+CVE: CVE-2025-2312
+Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c0328..0883afa 100644
+--- a/cifs.upcall.c
+++ b/cifs.upcall.c
+@@ -953,6 +953,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+ 	char username[MAX_USERNAME_SIZE + 1];
+ 
+#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
+	enum upcall_target_enum {
+		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
+		UPTARGET_MOUNT, /* upcall to the mount namespace */
+		UPTARGET_APP, /* upcall to the application namespace which did the mount */
+	} upcall_target;
+
+ 	uid_t uid;
+ 	uid_t creduid;
+ 	pid_t pid;
+@@ -969,6 +976,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID		0x20
+ #define DKD_HAVE_CREDUID	0x40
+ #define DKD_HAVE_USERNAME	0x80
+#define DKD_HAVE_UPCALL_TARGET	0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+ 	int have;
+ };
+@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 	size_t len;
+ 	char *pos;
+ 	const char *tkn = desc;
+	arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+ 	do {
+ 		pos = index(tkn, ';');
+@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 			}
+ 			arg->have |= DKD_HAVE_VERSION;
+ 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
+		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
+			if (pos == NULL)
+				len = strlen(tkn);
+			else
+				len = pos - tkn;
+
+			len -= 14;
+			if (len > MAX_UPCALL_STRING_LEN) {
+				syslog(LOG_ERR, "upcall_target= value too long for buffer");
+				return 1;
+			}
+			if (strncmp(tkn + 14, "mount", 5) == 0) {
+				arg->upcall_target = UPTARGET_MOUNT;
+				syslog(LOG_DEBUG, "upcall_target=mount");
+			} else if (strncmp(tkn + 14, "app", 3) == 0) {
+				arg->upcall_target = UPTARGET_APP;
+				syslog(LOG_DEBUG, "upcall_target=app");
+			} else {
+				// Should never happen
+				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
+				       tkn + 14);
+				arg->upcall_target = UPTARGET_APP;
+				syslog(LOG_DEBUG, "upcall_target=app");
+			}
+			arg->have |= DKD_HAVE_UPCALL_TARGET;
+ 		}
+ 		if (pos == NULL)
+ 			break;
+@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
+ 	 * acceptably in containers, because we'll be looking at the correct
+ 	 * filesystem and have the correct network configuration.
+ 	 */
+-	rc = switch_to_process_ns(arg->pid);
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+-		rc = 1;
+-		goto out;
+	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
+		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
+		rc = switch_to_process_ns(arg->pid);
+		if (rc == -1) {
+			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+			rc = 1;
+			goto out;
+		}
+		if (trim_capabilities(env_probe))
+			goto out;
+	} else {
+		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
+ 	}
+ 
+-	if (trim_capabilities(env_probe))
+-		goto out;
+ 
+ 	/*
+ 	 * The kernel doesn't pass down the gid, so we resort here to scraping
+@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
+ 	 * look at the environ file.
+ 	 */
+ 	env_cachename =
+-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
+		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+ 	rc = setuid(uid);
+ 	if (rc == -1) {
@@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"

 SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
-SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
+           file://CVE-2025-2312.patch \
+           "

 DEPENDS += "libtalloc"