[SRU][J][PATCH 1/1] smb: client: set correct id, uid and cruid for multiuser automounts

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Tue Nov 12 14:33:20 UTC 2024


From: Paulo Alcantara <pc at manguebit.com>

commit 4508ec17357094e2075f334948393ddedbb75157 upstream.

When uid, gid and cruid are not specified, we need to dynamically
set them into the filesystem context used for automounting otherwise
they'll end up reusing the values from the parent mount.

Fixes: 9fd29a5bae6e ("cifs: use fs_context for automounts")
Reported-by: Shane Nehring <snehring at iastate.edu>
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2259257
Cc: stable at vger.kernel.org # 6.2+
Signed-off-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(backported from commit c2aa2718cda2d56b4a551cb40043e9abc9684626 linux-6.6.y)
[mpellizzer: backported considering that the function affected by the
bug, in Jammy, is inside the file fs/cifs/cifs_dfs_ref.c, instead of
fs/smb/client/namespace.c]
CVE-2024-26822
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
 fs/cifs/cifs_dfs_ref.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 020e71fe1454..43fc2d95a4b9 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -258,6 +258,21 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
 	goto compose_mount_options_out;
 }
 
+static void fs_context_set_ids(struct smb3_fs_context *ctx)
+{
+	kuid_t uid = current_fsuid();
+	kgid_t gid = current_fsgid();
+
+	if (ctx->multiuser) {
+		if (!ctx->uid_specified)
+			ctx->linux_uid = uid;
+		if (!ctx->gid_specified)
+			ctx->linux_gid = gid;
+	}
+	if (!ctx->cruid_specified)
+		ctx->cred_uid = uid;
+}
+
 /*
  * Create a vfsmount that we can automount
  */
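Review bot: fs_context_set_ids() reads ctx->multiuser, ctx->uid_specified, ctx->gid_specified and ctx->cruid_specified, none of which this patch defines, and the backport note only mentions the file move. Please confirm that struct smb3_fs_context in the Jammy tree already carries all four fields. A short comment above the helper would also help, since it is not obvious from the code why linux_uid and linux_gid are overridden only when ctx->multiuser is set while cred_uid is overridden whenever cruid was not specified. The comment should also say that the values come from current_fsuid()/current_fsgid(), that is, from the task that triggers the automount.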
@@ -308,6 +323,7 @@ static struct vfsmount *cifs_dfs_do_automount(struct path *path)
 	tmp = *cur_ctx;
 	tmp.source = full_path;
 	tmp.UNC = tmp.prepath = NULL;
+	fs_context_set_ids(&tmp);
 
 	rc = smb3_fs_context_dup(ctx, &tmp);
 	if (rc) {
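Review bot: the added fs_context_set_ids(&tmp) call has no comment tying it to its position, and the ordering matters. It has to run after tmp = *cur_ctx, so the parent's *_specified flags are present, and before smb3_fs_context_dup(ctx, &tmp), so the duplicated context carries the new ids. A one-line comment at the call site would keep a later reshuffle of this block from moving it past the dup and silently reintroducing the reuse of the parent mount's uid, gid and cruid described in the commit message.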
-- 
2.43.0



