[Pkg-samba-maint] Bug#1106242: cifs-utils: CVE-2025-2312

Joe Slater joe.slater at windriver.com
Wed May 21 23:23:19 BST 2025


Source: cifs-utils
Version: 2:7.0-2
Severity: normal

Dear Maintainer,

The attached patches were backported from cifs-utils 7.2 as
noted by security-tracker.debian.org/tracker/CVE-2025-2312.

The package was built and installed but not tested except to
confirm the man page shows the new option and 'mount.cifs -v'
prints a message.

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.0-52-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
-------------- next part --------------
>From 89b679228cc1be9739d54203d28289b03352c174 Mon Sep 17 00:00:00 2001
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt

NOTE: This patch is dependent on one of the previously sent patches:
[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
which introduces a new mount option called upcall_target, to
customise the upcall behaviour.

Building upon the above patch, the following patch adds functionality
to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
mount, app.
Having this new mount option allows the mount command to specify where the
upcall should happen: 'mount' for resolving the upcall to the host
namespace, and 'app' for resolving the upcall to the ns of the calling
thread. This will enable both the scenarios where the Kerberos credentials
can be found on the application namespace or the host namespace to which
just the mount operation is "delegated".
This aids use cases like Kubernetes where the mount
happens on behalf of the application in another container altogether.

Signed-off-by: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
---

Patch source:
  https://git.samba.org/cifs-utils.git
  commit 89b679228cc1be9739d54203d28289b03352c174
 
Applied unmodified and defuzzed with quilt.

Function depends on:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
  commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf (added in 6.13-RC1)

Signed-off-by: Joe Slater <joe.slater at windriver.com>
---
 cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 8 deletions(-)

Index: b/cifs.upcall.c
===================================================================
--- a/cifs.upcall.c	2025-05-20 22:07:28.428101404 +0000
+++ b/cifs.upcall.c	2025-05-20 22:07:28.421101404 +0000
@@ -953,6 +953,13 @@
 #define MAX_USERNAME_SIZE 256
 	char username[MAX_USERNAME_SIZE + 1];
 
+#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
+	enum upcall_target_enum {
+		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
+		UPTARGET_MOUNT, /* upcall to the mount namespace */
+		UPTARGET_APP, /* upcall to the application namespace which did the mount */
+	} upcall_target;
+
 	uid_t uid;
 	uid_t creduid;
 	pid_t pid;
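Review bot: The new `enum upcall_target_enum` is defined inside the struct body (lines 82–86), which ties a type that the rest of the file compares against (`UPTARGET_MOUNT`, `UPTARGET_APP`) to this struct's layout and makes it harder to locate from those call sites; declaring the enum once at file scope above the struct, and keeping only `enum upcall_target_enum upcall_target;` as the member, reads more conventionally. The `#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */` comment says the constant counts the terminator, but the later parser uses it as a maximum value length, so the comment and the use disagree; `/* longest accepted value, "mount", plus one */` would describe what the check actually allows. The struct's opening and closing lie outside this hunk.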
@@ -969,6 +976,7 @@
 #define DKD_HAVE_PID		0x20
 #define DKD_HAVE_CREDUID	0x40
 #define DKD_HAVE_USERNAME	0x80
+#define DKD_HAVE_UPCALL_TARGET	0x100
 #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
 	int have;
 };
@@ -979,6 +987,7 @@
 	size_t len;
 	char *pos;
 	const char *tkn = desc;
+	arg->upcall_target = UPTARGET_UNSPECIFIED;
 
 	do {
 		pos = index(tkn, ';');
@@ -1077,6 +1086,31 @@
 			}
 			arg->have |= DKD_HAVE_VERSION;
 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
+		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
+			if (pos == NULL)
+				len = strlen(tkn);
+			else
+				len = pos - tkn;
+
+			len -= 14;
+			if (len > MAX_UPCALL_STRING_LEN) {
+				syslog(LOG_ERR, "upcall_target= value too long for buffer");
+				return 1;
+			}
+			if (strncmp(tkn + 14, "mount", 5) == 0) {
+				arg->upcall_target = UPTARGET_MOUNT;
+				syslog(LOG_DEBUG, "upcall_target=mount");
+			} else if (strncmp(tkn + 14, "app", 3) == 0) {
+				arg->upcall_target = UPTARGET_APP;
+				syslog(LOG_DEBUG, "upcall_target=app");
+			} else {
+				// Should never happen
+				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
+				       tkn + 14);
+				arg->upcall_target = UPTARGET_APP;
+				syslog(LOG_DEBUG, "upcall_target=app");
+			}
+			arg->have |= DKD_HAVE_UPCALL_TARGET;
 		}
 		if (pos == NULL)
 			break;
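Review bot: The value comparisons at lines 122 and 125 match on prefix only — `strncmp(tkn + 14, "mount", 5)` also accepts `mounts`, and `strncmp(tkn + 14, "app", 3)` accepts `apple` — because `len` is computed at line 117 but never compared against the expected length, and the `MAX_UPCALL_STRING_LEN` guard admits up to six characters. Tighten both tests to the exact token length: `if (len == 5 && strncmp(tkn + 14, "mount", 5) == 0) {` and `} else if (len == 3 && strncmp(tkn + 14, "app", 3) == 0) {`. The fallback `%s` at line 130 prints from `tkn + 14` to the end of the whole description rather than just this token, since the token is not NUL-terminated at `pos`; `%.*s` with `(int)len` bounds the log to the value. The `// Should never happen` comment understates the case: the value presumably arrives via the key description from the mount options, so the else branch's treat-as-ordinary-input handling is the right stance and the comment could say so, e.g. `/* unknown value from the key description; fall back to the documented default */`. The enclosing parse function starts and ends outside this hunk.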
@@ -1440,15 +1474,20 @@
 	 * acceptably in containers, because we'll be looking at the correct
 	 * filesystem and have the correct network configuration.
 	 */
-	rc = switch_to_process_ns(arg->pid);
-	if (rc == -1) {
-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
-		rc = 1;
-		goto out;
+	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
+		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
+		rc = switch_to_process_ns(arg->pid);
+		if (rc == -1) {
+			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+			rc = 1;
+			goto out;
+		}
+		if (trim_capabilities(env_probe))
+			goto out;
+	} else {
+		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
 	}
 
-	if (trim_capabilities(env_probe))
-		goto out;
 
 	/*
 	 * The kernel doesn't pass down the gid, so we resort here to scraping
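Review bot: `trim_capabilities(env_probe)` is now reached only on the app path (line 156); the removed unconditional call (lines 162–163) ran for every upcall, so with `upcall_target=mount` the process continues with its full capability set through the credential lookup that follows. Unless the mount path needs capabilities the app path drops — nothing in the hunk suggests it does — keep the call unconditional by moving `if (trim_capabilities(env_probe))` / `goto out;` back after the `if`/`else` so both branches trim before proceeding. Note also that a `trim_capabilities` failure jumps to `out` without assigning `rc`, so the function returns whatever value `rc` held at that point (on the app path, whatever `switch_to_process_ns` returned on success), which may make the failure look like success to the caller; this predates the change, but the relocated call is the natural place to add `rc = 1;` before the `goto`. The enclosing function begins and ends outside this hunk.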
@@ -1495,7 +1534,7 @@
 	 * look at the environ file.
 	 */
 	env_cachename =
-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
+		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
 
 	rc = setuid(uid);
 	if (rc == -1) {
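Review bot: This condition treats only `UPTARGET_APP` as the application case, whereas the namespace switch at line 148 in the earlier hunk also treats `UPTARGET_UNSPECIFIED` as app, and the accompanying man-page patch states the default is `app`; so with no `upcall_target=` in the description, `env_probe` now passes pid 0 and the process environment is not consulted — a silent change from the removed line, which probed whenever `env_probe` was set. Make the two sites agree: `get_cachename_from_process_env((env_probe && arg->upcall_target != UPTARGET_MOUNT) ? arg->pid : 0);`. The enclosing function starts and ends outside this hunk.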
-------------- next part --------------
>From cf63240489431e98033e599a7c9437b59494a2e4 Mon Sep 17 00:00:00 2001
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: [PATCH] cifs-utils: add documentation for upcall_target

Update the man page with documentation for the upcall_target
mount parameter.

Signed-off-by: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
---

Patch source:
  https://git.samba.org/cifs-utils.git
  commit cf63240489431e98033e599a7c9437b59494a2e4 
 
Context adjusted in order to apply.
 
Signed-off-by: Joe Slater <joe.slater at windriver.com>
---
 mount.cifs.rst | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Index: b/mount.cifs.rst
===================================================================
--- a/mount.cifs.rst	2025-05-21 15:51:07.154953643 +0000
+++ b/mount.cifs.rst	2025-05-21 15:52:01.010948455 +0000
@@ -588,6 +588,21 @@
   integer that can hold values between 0 and a maximum value of 2^30 \*
   HZ (frequency of timer interrupt) setting.
 
+upcall_target=arg
+  Determines the namespace in which upcalls from the SMB filesystem should be handled.
+  Allowed values are:
+  - ``mount`` - Resolve upcalls to the host namespace.
+  - ``app`` - Resolve upcalls in the namespace of the calling thread (application).
+  Default value is ``app``.
+  This option is useful in environments like Kubernetes, where the mount
+  may be performed by a driver pod on behalf of an application running
+  in a separate container. It ensures that Kerberos credentials and other
+  user-specific data are accessed in the correct namespace.
+  By specifying ``app``, upcalls can be resolved in the application's namespace,
+  ensuring the correct credentials are used. ``mount`` allows resolution in the
+  host namespace, which may be necessary when credentials or configurations
+  are managed outside the container.
+
 noposixpaths
   If unix extensions are enabled on a share, then the client will
   typically allow filenames to include any character besides '/' in a

