From patchwork Sat Oct 22 07:19:44 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 7223
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hyunchul Lee, Steve French, Mickaël Salaün, "Christian Brauner (Microsoft)", Namjae Jeon, Steve French
Subject: [PATCH 5.19 105/717] ksmbd: Fix user namespace mapping
Date: Sat, 22 Oct 2022 09:19:44 +0200
Message-Id: <20221022072433.991111363@linuxfoundation.org>
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>

From: Mickaël Salaün

commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 upstream.

A kernel daemon should not rely on the current thread, which is unknown
and might be malicious. Before this security fix,
ksmbd_override_fsids() didn't correctly override FS UID/GID which means
that arbitrary user space threads could trick the kernel to impersonate
arbitrary users or groups for file system access checks, leading to file
system access bypass.

This was found while investigating truncate support for Landlock:
https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Hyunchul Lee
Cc: Steve French
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net Acked-by: Christian Brauner (Microsoft) Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb_common.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -4,6 +4,8 @@ * Copyright (C) 2018 Namjae Jeon */ +#include + #include "smb_common.h" #include "server.h" #include "misc.h" @@ -625,8 +627,8 @@ int ksmbd_override_fsids(struct ksmbd_wo if (!cred) return -ENOMEM; - cred->fsuid = make_kuid(current_user_ns(), uid); - cred->fsgid = make_kgid(current_user_ns(), gid); + cred->fsuid = make_kuid(&init_user_ns, uid); + cred->fsgid = make_kgid(&init_user_ns, gid); gi = groups_alloc(0); if (!gi) {
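Review bot: The added #include line in the first hunk (fs/ksmbd/smb_common.c, after the copyright comment) shows no header name in this copy of the patch, so it cannot be checked from the text here. Confirm against upstream commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 that it names the header declaring init_user_ns, since the second hunk now references &init_user_ns and the file would otherwise depend on a transitive include.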
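Review bot: In the second hunk (ksmbd_override_fsids()), the results of make_kuid(&init_user_ns, uid) and make_kgid(&init_user_ns, gid) are stored in cred->fsuid and cred->fsgid unchecked; the visible context goes straight on to groups_alloc(0) with no uid_valid() or gid_valid() test. Mapping through &init_user_ns removes the dependence on the calling thread's namespace, which is the fix, but a uid or gid of -1 still produces an invalid id, so consider failing the override when `!uid_valid(cred->fsuid) || !gid_valid(cred->fsgid)` and releasing cred on that path. A one-line comment above the two assignments, stating that the ids are interpreted in the initial user namespace because the current thread is not trusted, would also help keep a later cleanup from reintroducing current_user_ns().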