From fc16f4d88719fc552cad48ee6146cb132cf03fee Mon Sep 17 00:00:00 2001
From: maoyanping
Date: Fri, 18 Apr 2025 10:07:31 +0800
Subject: [PATCH] fix CVE-2025-2312
Reference:https://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=89b679228cc1be9739d54203d28289b03352c174
Signed-off-by: maoyanping
---
 backport-CVE-2025-2312.patch | 115 +++++++++++++++++++++++++++++++++++
 cifs-utils.spec | 6 +-
 2 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-2312.patch

diff --git a/backport-CVE-2025-2312.patch b/backport-CVE-2025-2312.patch
new file mode 100644
index 0000000..698388a
--- /dev/null
+++ b/backport-CVE-2025-2312.patch
@@ -0,0 +1,115 @@
+From c2d21a313568b003ce7813546c7fc4275df59b49 Mon Sep 17 00:00:00 2001
+From: maoyanping
+Date: Fri, 18 Apr 2025 10:01:47 +0800
+Subject: [PATCH] backport-CVE-2025-2312
+
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index ff6f2bd..8b0208d 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -954,6 +954,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+ char username[MAX_USERNAME_SIZE + 1];
+ 
++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
++ enum upcall_target_enum {
++ UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
++ UPTARGET_MOUNT, /* upcall to the mount namespace */
++ UPTARGET_APP, /* upcall to the application namespace which did the mount */
++ } upcall_target;
++
+ uid_t uid;
+ uid_t creduid;
+ pid_t pid;
+@@ -970,6 +977,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID 0x20
+ #define DKD_HAVE_CREDUID 0x40
+ #define DKD_HAVE_USERNAME 0x80
++#define DKD_HAVE_UPCALL_TARGET 0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+ int have;
+ };
+@@ -980,6 +988,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ size_t len;
+ char *pos;
+ const char *tkn = desc;
++ arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+ do {
+ pos = index(tkn, ';');
+@@ -1078,6 +1087,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ }
+ arg->have |= DKD_HAVE_VERSION;
+ syslog(LOG_DEBUG, "ver=%d", arg->ver);
++ } else if (strncmp(tkn, "upcall_target=", 14) == 0) {
++ if (pos == NULL)
++ len = strlen(tkn);
++ else
++ len = pos - tkn;
++
++ len -= 14;
++ if (len > MAX_UPCALL_STRING_LEN) {
++ syslog(LOG_ERR, "upcall_target= value too long for buffer");
++ return 1;
++ }
++ if (strncmp(tkn + 14, "mount", 5) == 0) {
++ arg->upcall_target = UPTARGET_MOUNT;
++ syslog(LOG_DEBUG, "upcall_target=mount");
++ } else if (strncmp(tkn + 14, "app", 3) == 0) {
++ arg->upcall_target = UPTARGET_APP;
++ syslog(LOG_DEBUG, "upcall_target=app");
++ } else {
++ // Should never happen
++ syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
++ tkn + 14);
++ arg->upcall_target = UPTARGET_APP;
++ syslog(LOG_DEBUG, "upcall_target=app");
++ }
++ arg->have |= DKD_HAVE_UPCALL_TARGET;
+ }
+ if (pos == NULL)
+ break;
+@@ -1441,15 +1475,20 @@ int main(const int argc, char *const argv[])
+ * acceptably in containers, because we'll be looking at the correct
+ * filesystem and have the correct network configuration.
+ */
+- rc = switch_to_process_ns(arg->pid);
+- if (rc == -1) {
+- syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+- rc = 1;
+- goto out;
++ if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
++ syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
++ rc = switch_to_process_ns(arg->pid);
++ if (rc == -1) {
++ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
++ rc = 1;
++ goto out;
++ }
++ if (trim_capabilities(env_probe))
++ goto out;
++ } else {
++ syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
+ }
+ 
+- if (trim_capabilities(env_probe))
+- goto out;
+ 
+ /*
+ * The kernel doesn't pass down the gid, so we resort here to scraping
+@@ -1496,7 +1535,7 @@ int main(const int argc, char *const argv[])
+ * look at the environ file.
+ */
+ env_cachename =
+- get_cachename_from_process_env(env_probe ? arg->pid : 0);
++ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+ rc = setuid(uid);
+ if (rc == -1) {
+-- 
+2.33.0
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 037138c..15049ae 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
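Review bot: The error log in the new `upcall_target=` branch of __decode_key_description prints `tkn + 14` with `%s`, which runs to the end of the whole key description rather than to the `;` that ends this token, so the message reports more than the rejected value; the computed length is already at hand, `syslog(LOG_ERR, "Invalid upcall_target value: %.*s, defaulting to app", (int)len, tkn + 14);`. The two value comparisons also accept any prefix (a value such as `mountx` passes the `"mount"` test) because `strncmp` with 5 and 3 never checks that `len` matches, so comparing `len` as well would make the "Should never happen" fallback reachable only for genuinely unknown values. In main, the namespace switch treats UPTARGET_UNSPECIFIED like app, but the later `get_cachename_from_process_env` call passes `arg->pid` only for UPTARGET_APP, so a description without `upcall_target=` (which the enum comment says defaults to app) no longer probes the application environment as it did before this patch; if that is intended a comment saying so would help, otherwise the condition should also admit UPTARGET_UNSPECIFIED. Finally, `trim_capabilities(env_probe)` now runs only inside the app branch, so the mount-target path keeps whatever capability set the upcall started with for the rest of main; unless a capability is needed later on that path, calling it once after the if/else keeps the previous least-privilege behaviour. Both __decode_key_description and main start and end outside these hunks.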
@@ -1,6 +1,6 @@
 Name: cifs-utils
 Version: 7.0
-Release: 3
+Release: 4
 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
 License: GPLv3+
 URL: http://linux-cifs.samba.org/cifs-utils/
@@ -14,6 +14,7 @@ Requires: keyutils
 Patch0: 0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
 Patch1: 0002-cifs-utils-Make-automake-treat-sbin-as-exec-not-data.patch
+Patch2: backport-CVE-2025-2312.patch
 
 %description
 The in-kernel CIFS filesystem is generally the preferred method for mounting
@@ -78,6 +79,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
 %{_mandir}/man8/*
 
 %changelog
+* Fri Apr 18 2025 maoyanping - 7.0-4
+- Fix CVE-2025-2312
+
 * Fri Jun 21 2024 liuh - 7.0-3
 - sync patch from community
-- 
Gitee