From patchwork Wed Oct 19 08:23:23 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 5541
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hyunchul Lee, Steve French, Mickaël Salaün, "Christian Brauner (Microsoft)", Namjae Jeon, Steve French
Subject: [PATCH 6.0 116/862] ksmbd: Fix user namespace mapping
Date: Wed, 19 Oct 2022 10:23:23 +0200
Message-Id: <20221019083255.053626341@linuxfoundation.org>
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>

From: Mickaël Salaün

commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 upstream.

A kernel daemon should not rely on the current thread, which is unknown and might be malicious. Before this security fix, ksmbd_override_fsids() didn't correctly override FS UID/GID which means that arbitrary user space threads could trick the kernel to impersonate arbitrary users or groups for file system access checks, leading to file system access bypass.

This was found while investigating truncate support for Landlock:
https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Hyunchul Lee
Cc: Steve French
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net Acked-by: Christian Brauner (Microsoft) Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb_common.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -4,6 +4,8 @@ * Copyright (C) 2018 Namjae Jeon */ +#include + #include "smb_common.h" #include "server.h" #include "misc.h" @@ -625,8 +627,8 @@ int ksmbd_override_fsids(struct ksmbd_wo if (!cred) return -ENOMEM; - cred->fsuid = make_kuid(current_user_ns(), uid); - cred->fsgid = make_kgid(current_user_ns(), gid); + cred->fsuid = make_kuid(&init_user_ns, uid); + cred->fsgid = make_kgid(&init_user_ns, gid); gi = groups_alloc(0); if (!gi) {
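Review bot: In the second hunk of fs/ksmbd/smb_common.c (ksmbd_override_fsids), the switch to &init_user_ns carries no comment saying why the caller's namespace must not be used, and the results of make_kuid() and make_kgid() are assigned to cred->fsuid and cred->fsgid without a uid_valid()/gid_valid() check in the visible lines. A one-line comment above the two assignments, noting that the ids are mapped in the initial namespace because the current thread is untrusted (as the commit message explains), would guard against a later revert to current_user_ns(). If uid and gid are not validated earlier in the function, which this context does not show, rejecting an invalid kuid or kgid here before continuing to groups_alloc() would be worth adding.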