APPLIED: [SRU][O/N/J/F][PATCH 0/1] CVE-2025-2312

Stefan Bader stefan.bader at canonical.com
Thu May 8 15:36:38 UTC 2025


On 30.04.25 18:54, Vinicius Peixoto wrote:
> BugLink: https://bugs.launchpad.net/bugs/2099914
> 
> [Impact]
> 
> This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
> disclosing sensitive data from the host or container Kerberos credentials cache
> by accessing the wrong credential cache that doesn't belong to the current user.
> 
> Consider the following scenario:
> 
> A CIFS/SMB file share is mounted on a host node using Kerberos authentication.
> 
> During the session setup phase, the Linux kernel's cifs.ko module makes an
> upcall to user space to retrieve the Kerberos service ticket from the credential
> cache.
> 
> In typical (non-container) environments, this process works correctly, but in
> containerized environments, the upcall may be directed to a different namespace
> than intended, leading to issues. For example:
> 
> a) The file share is mounted on the host node at /mnt/testshare1, meaning the
> Kerberos credential cache is stored in the host's namespace.
> b) A Docker container is created, and the file share path /mnt/testshare1 is
> exported to the container at /sharedpath.
> c) When the service ticket expires and the SMB connection is lost, before the
> ticket is refreshed in the credential cache, an application inside the container
> performs a file operation. This triggers the kernel to attempt a session
> reconnect.
> d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
> the cifs.upcall binary using the request_key function. However, cifs.upcall
> switches to the namespace of the caller (i.e., the container), causing it to
> attempt to read the credential cache from the container's namespace. But since
> the original mount happened in the host namespace, the credential cache is
> located on the host, not in the container. This results in the upcall failing
> to access the correct credential cache or accessing a credential cache which
> doesn't belong to the correct user.
> 
> [Fix]
> 
> The fix adds a "upcall_target" mount parameter that needs to be present in both
> the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
> kerberos credential cache, and takes options "mount" being the host namespace,
> or "app", being the container namespace. The language is intended to suit
> Kubernetes based usecases.
> 
> The kernel requires the following commit:
> 
> commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
> Author: Ritvik Budhiraja <rbudhiraja at microsoft.com>
> Date: Mon Nov 11 11:43:51 2024 +0000
> Subject: CIFS: New mount option for cifs.upcall namespace resolution
> Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
> 
> This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
> cherry pick, noble and jammy require a context adjustment backport and focal
> needed a heavy backport.
> 
> Test packages are available in the following ppa:
> 
> https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
> 
> In addition, a userspace fix is also needed in cifs-utils, with the following
> commits:
> 
> commit 89b679228cc1be9739d54203d28289b03352c174
> From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
> Date: Tue, 19 Nov 2024 06:07:58 +0000
> Subject: CIFS.upcall to accomodate new namespace mount opt
> Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
> 
> commit cf63240489431e98033e599a7c9437b59494a2e4
> From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
> Date: Thu, 30 Jan 2025 14:13:10 +0000
> Subject: cifs-utils: add documentation for upcall_target
> Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
> 
> These were a part of 7.2 upstream. Plucky already has this release, so we just
> need to fix oracular, noble, jammy and focal.
> 
> Test packages are available in the following ppa:
> 
> https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
> 
> If you install the test packages, you can now use the upcall_target argument
> with either "mount" or "app" options.
> 
> [Testcase]
> 
> Some knowledge of kerberos will go a long way to help you make this all work.
> 
> We should be able to do all testing on the same VM.
> 
> 1) Create a fresh VM
> 2) sudo apt update
> 3) sudo apt upgrade
> 4) sudo hostnamectl set-hostname samba-dc
> 5) sudo vim /etc/hosts
> Add an entry with its IP address, e.g.:
> 192.168.122.124 samba-dc samba-dc.example.com
> 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
> Focal:
> sudo apt install keyutils
> Oracular:
> sudo apt install samba-ad-dc
> Note: skip config of kerberos KDC.
> 7) sudo rm /etc/krb5.conf
> 8) sudo rm /etc/samba/smb.conf
> 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
> 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
> 11) sudo systemctl mask smbd nmbd winbind
> 12) sudo systemctl disable smbd nmbd winbind
> 13) sudo systemctl stop smbd nmbd winbind
> 14) sudo systemctl unmask samba-ad-dc
> 15) sudo systemctl start samba-ad-dc
> 16) sudo systemctl enable samba-ad-dc
> 17) sudo reboot
> 18) sudo systemctl stop systemd-resolved
> 19) sudo systemctl disable systemd-resolved
> 20) cat << EOF >> /etc/resolv.conf
> nameserver 192.168.122.124
> search SAMBA
> EOF
> sudo vim /etc/samba/smb.conf
> Change forwarder to 8.8.8.8
> 21) sudo reboot
> 22) host -t SRV _ldap._tcp.samba-dc.example.com
> _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
> 23) $ smbclient -L localhost -N
> Anonymous login successful
> 
>   Sharename Type Comment
>   --------- ---- -------
>   sysvol Disk
>   netlogon Disk
>   IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
> SMB1 disabled -- no workgroup available
> 24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Enter SAMBA\Administrator's password:
>    . D 0 Mon Feb 28 04:23:22 2022
>    .. D 0 Mon Feb 28 04:23:27 2022
> 
>    9983232 blocks of size 1024. 7995324 blocks available
> 25) kinit administrator
> Password for administrator@SAMBA-DC.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
> 26) klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator@SAMBA-DC.EXAMPLE.COM
> 
> Valid starting Expires Service principal
> 04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
>   renew until 04/10/25 02:53:22
> 27) Create a share:
> 28) sudo mkdir -p /srv/samba/Demo/
> 29) sudo vim /etc/samba/smb.conf
> [Demo]
>   path = /srv/samba/Demo/
>   read only = no
> 30) sudo chmod 0770 /srv/samba/Demo/
> 31) smbclient -U Administrator //samba-dc.example.com/demo
> Password for [SAMBA\Administrator]:
> Try "help" to get a list of possible commands.
> smb: \>
> 32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
> Try "help" to get a list of possible commands.
> smb: \>
> 33) klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator@SAMBA-DC.EXAMPLE.COM
> 
> Valid starting Expires Service principal
> 04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
>   renew until 04/10/25 02:53:22
> 04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@EXAMPLE.COM
>   renew until 04/10/25 02:53:22
>   Ticket server: cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
> 04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
>   renew until 04/10/25 02:53:22
> 34) sudo -s
> 35) # kinit Administrator@SAMBA-DC.EXAMPLE.COM
> Password for Administrator@SAMBA-DC.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SAMBA-DC.EXAMPLE.COM
> 
> Valid starting Expires Service principal
> 04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
>   renew until 04/10/25 03:26:06
> 36) # mkdir /mnt/testshare1
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
> 37) # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SAMBA-DC.EXAMPLE.COM
> 
> Valid starting Expires Service principal
> 04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
>   renew until 04/10/25 03:26:06
> 04/09/25 03:30:26 04/09/25 13:26:10 cifs/samba-dc.example.com@
>   renew until 04/10/25 03:26:06
>   Ticket server: cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
> 38) journalctl
> kernel: netfs: FS-Cache loaded
> kernel: Key type cifs.spnego registered
> kernel: Key type cifs.idmap registered
> kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
> kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
> kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
> kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
> cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
> cifs.upcall[1806]: ver=2
> cifs.upcall[1806]: host=samba-dc.example.com
> cifs.upcall[1806]: ip=192.168.122.124
> cifs.upcall[1806]: sec=1
> cifs.upcall[1806]: uid=0
> cifs.upcall[1806]: creduid=0
> cifs.upcall[1806]: user=root
> cifs.upcall[1806]: pid=1774
> cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
> cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> cifs.upcall[1805]: handle_krb5_mech: using native krb5
> cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
> cifs.upcall[1805]: Exit status 0
> 
> Take note of the line:
> get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> 
> 39) # stat /mnt/testshare1
>    File: /mnt/testshare1
>    Size: 0 Blocks: 0 IO Block: 1048576 directory
> Device: 0,41 Inode: 297860 Links: 2
> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2025-04-09 02:54:45.264000000 +0000
> Modify: 2025-04-09 02:54:45.264000000 +0000
> Change: 2025-04-09 02:54:45.264000000 +0000
>   Birth: 2025-04-09 02:54:45.264000000 +0000
> 40) sudo apt install docker.io
> 41) docker pull ubuntu:24.04
> 42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
> 43) root@685c7e420afc:/# stat /mnt/shared
>    File: /mnt/shared
>    Size: 0 Blocks: 0 IO Block: 1048576 directory
> Device: 0,41 Inode: 297860 Links: 2
> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2025-04-09 02:54:45.264000000 +0000
> Modify: 2025-04-09 02:54:45.264000000 +0000
> Change: 2025-04-09 02:54:45.264000000 +0000
>   Birth: 2025-04-09 02:54:45.264000000 +0000
> root@685c7e420afc:/# ls /mnt/shared
> 44) root@685c7e420afc:/# apt install krb5-user vim
> 45) root@685c7e420afc:/# vim /etc/krb5.conf
> Under libdefaults, add default_ccache_name = /tmp/krb5cc_00%{uid}, save and exit.
> 46) Back on the host in root, clear initial kerberos credential cache and disconnect cifs connections.
> # kdestroy -c /tmp/krb5cc_0
> # ss -K dport 445
> 47) Back in the container:
> root@685c7e420afc:/# stat /mnt/shared
> 48) Back on the host in root:
> # journalctl
> kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
> cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
> cifs.upcall[2805]: ver=2
> cifs.upcall[2805]: host=samba-dc.example.com
> cifs.upcall[2805]: ip=192.168.122.124
> cifs.upcall[2805]: sec=1
> cifs.upcall[2805]: uid=0
> cifs.upcall[2805]: creduid=0
> cifs.upcall[2805]: user=root
> cifs.upcall[2805]: pid=2803
> cifs.upcall[2804]: get_cachename_from_process_env: pid == 0
> cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
> cifs.upcall[2804]: get_tgt_time: unable to get principal
> cifs.upcall[2804]: krb5_get_init_creds_keytab: -1765328378
> cifs.upcall[2804]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> cifs.upcall[2804]: handle_krb5_mech: using GSS-API
> cifs.upcall[2804]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
> cifs.upcall[2804]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
> cifs.upcall[2804]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
> cifs.upcall[2804]: Unable to obtain service ticket
> cifs.upcall[2804]: Exit status 458752
> 
> Note that it now tries to read /tmp/krb5cc_000 from container namespace instead
> of /tmp/krb5cc_0 from host namespace.
> 
> If you install the test packages from the following ppas:
> 
> https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
> https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
> 
> When you initially mount the cifs filesystem, use the new mount option
> upcall_target=mount.
> 
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
> 
> Repeat the testcase. When we disconnect the cifs connection and try stat inside
> the container, the kerberos credential cache should be /tmp/krb5cc_0 in the
> host namespace.
> 
> get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> 
> A successful run with upcall_target=mount and fixed cifs-utils should look like:
> 
> cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
> cifs.upcall[2123]: ver=2
> cifs.upcall[2123]: host=samba-dc.example.com
> cifs.upcall[2123]: ip=192.168.122.124
> cifs.upcall[2123]: sec=1
> cifs.upcall[2123]: uid=0
> cifs.upcall[2123]: creduid=0
> cifs.upcall[2123]: user=root
> cifs.upcall[2123]: pid=2121
> cifs.upcall[2123]: upcall_target=mount
> cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
> cifs.upcall[2122]: get_cachename_from_process_env: pid == 0
> cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall[2122]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> cifs.upcall[2122]: handle_krb5_mech: using native krb5
> cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
> cifs.upcall[2122]: Exit status 0
> 
> Specific Testcases Of Existing / Patched Packages:
> 
> patched kernel, existing cifs-utils
> -----------------------------------
> 
> When specifying "upcall_target" on mount command line, e.g.:
> 
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
> # journalctl -f
> kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
> cifs.upcall[1540]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x600;upcall_target=app
> cifs.upcall[1541]: ver=2
> cifs.upcall[1541]: host=samba-dc.example.com
> cifs.upcall[1541]: ip=192.168.122.124
> cifs.upcall[1541]: sec=1
> cifs.upcall[1541]: uid=0
> cifs.upcall[1541]: creduid=0
> cifs.upcall[1541]: user=root
> cifs.upcall[1541]: pid=1536
> cifs.upcall[1540]: get_cachename_from_process_env: pid == 0
> cifs.upcall[1540]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall[1540]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> cifs.upcall[1540]: handle_krb5_mech: using native krb5
> cifs.upcall[1540]: handle_krb5_mech: obtained service ticket
> cifs.upcall[1540]: Exit status 0
> 
> Test with no "upcall_target". e.g.:
> 
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
> # journalctl -f
> Apr 30 04:23:35 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ver=2
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: host=samba-dc.example.com
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ip=192.168.122.124
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: sec=1
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: uid=0
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: creduid=0
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: user=root
> Apr 30 04:23:35 samba-dc cifs.upcall[1561]: pid=1556
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_cachename_from_process_env: pid == 0
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: using native krb5
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: obtained service ticket
> Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0
> 
> existing kernel, patched cifs-utils
> -----------------------------------
> 
> When specifying "upcall_target" on mount command line, e.g.:
> 
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
> mount error(22): Invalid argument
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
> # journalctl -f
> kernel: cifs: Unknown parameter 'upcall_target'
> 
> Test with no "upcall_target". e.g.:
> 
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
> # journalctl -f
> kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
> cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
> cifs.upcall[10900]: ver=2
> cifs.upcall[10900]: host=samba-dc.example.com
> cifs.upcall[10900]: ip=192.168.122.124
> cifs.upcall[10900]: sec=1
> cifs.upcall[10900]: uid=0
> cifs.upcall[10900]: creduid=0
> cifs.upcall[10900]: user=root
> cifs.upcall[10900]: pid=10893
> cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
> cifs.upcall[10899]: get_cachename_from_process_env: pid == 0
> cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall[10899]: main: valid service ticket exists in credential cache
> cifs.upcall[10899]: handle_krb5_mech: getting service ticket for samba-dc.example.com
> cifs.upcall[10899]: handle_krb5_mech: using native krb5
> cifs.upcall[10899]: handle_krb5_mech: obtained service ticket
> cifs.upcall[10899]: Exit status 0
> 
> Note the line:
> cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
> 
> [Where problems can occur]
> 
> We are adding a new mount option to cifs in both the kernel and in cifs-utils.
> 
> Existing cifs-utils packages need to not break when making upcalls to kernels
> that have this new upcall_target option, and existing kernels need to not break
> when using new cifs-utils packages that set upcall_target without the necessary
> in kernel support.
> 
> We need to be careful to test three scenarios:
> * patched kernel, patched cifs-utils
> * patched kernel, existing cifs-utils
> * existing kernel, patched cifs-utils
> 
> The default option is "app" and "app" has the same behaviour of pre-patch, that is, to use the credential cache of the calling process namespace. This should not introduce any behaviour change to existing setups. Not specifying any option at mount time defaults to "app" automatically. Users must opt into using "mount" themselves.
> 
> If a regression were to occur, it could affect mounting of cifs / smb shares and
> users would not be able to access their data.
> 
> Additionally, if a regression were to occur, we could also further confuse what
> namespace is to be used for accessing the user's kerberos credentials cache,
> which could disclose data from the host or container namespace to the incorrect
> namespace.
> 
> [Other info]
> 
> CVE-2025-2312
> https://ubuntu.com/security/CVE-2025-2312
> https://nvd.nist.gov/vuln/detail/CVE-2025-2312
> 
> Ritvik Budhiraja (1):
>    CIFS: New mount option for cifs.upcall namespace resolution
> 
>   fs/cifs/cifs_spnego.c | 16 ++++++++++
>   fs/cifs/cifsfs.c      | 25 ++++++++++++++++
>   fs/cifs/cifsglob.h    |  8 +++++
>   fs/cifs/connect.c     | 70 +++++++++++++++++++++++++++++++++++++++++++
>   4 files changed, 119 insertions(+)
> 

Applied to [with fuzz(1/2)]
oracular,noble,jammy,focal:linux/master-next. Not sure whether that is because
of the way I export and import or because the patchsets were prepared
using a different source than *:linux. Best double check things landed
correctly. Thanks.

-Stefan
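
Added example, not part of the original thread or of cifs-utils: a small Python parser for the cifs.upcall journal lines quoted in the test case. It reports which credential cache each upcall resolved and flags a host/creduid pair whose cache changes between upcalls, as happens in steps 38 and 48. The function names, the SAMPLE lines (abridged and recombined from the thread's output) and the posture labels are assumptions of this example.

```python
import re
from collections import defaultdict

LINE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)$")
NS_DECISION = re.compile(r"upcall_target=(\w+), (not )?switching namespaces")

# Constructed sample: journal lines abridged from the output quoted in the thread.
KEY = ("key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;"
       "ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=")
SAMPLE = [
    f"cifs.upcall[1805]: {KEY}0x6ee",
    "cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0",
    "cifs.upcall[1805]: Exit status 0",
    f"cifs.upcall[2804]: {KEY}0xaf3",
    "cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000",
    "cifs.upcall[2804]: Exit status 458752",
    f"Apr 30 04:23:35 samba-dc cifs.upcall[2122]: {KEY}0x849;upcall_target=mount",
    "cifs.upcall[2123]: upcall_target=mount",  # child pid: ignored by the parser
    "cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread",
    "cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0",
    "cifs.upcall[2122]: Exit status 0",
]

def parse_upcalls(lines):
    """One record per upcall, started by the pid that logs 'key description'."""
    upcalls, by_pid = [], {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()
        if msg.startswith("key description:"):
            fields = dict(f.split("=", 1) for f in msg.split(";") if "=" in f)
            rec = {"pid": pid, "host": fields.get("host"),
                   "creduid": int(fields.get("creduid", "0x0"), 16),
                   "kernel_target": fields.get("upcall_target"),  # set by patched kernel
                   "utils_target": None, "switched_ns": None,     # logged by patched cifs-utils
                   "ccache": None, "exit": None}
            by_pid[pid] = rec
            upcalls.append(rec)
            continue
        rec = by_pid.get(pid)
        if rec is None:
            continue
        ns = NS_DECISION.match(msg)
        if ns:
            rec["utils_target"], rec["switched_ns"] = ns.group(1), ns.group(2) is None
        elif "default ccache is " in msg:
            rec["ccache"] = msg.split("default ccache is ", 1)[1]
        elif msg.startswith("Exit status"):
            rec["exit"] = int(msg.split()[-1])
    return upcalls

def posture(u):
    """Which side showed upcall_target support, inferred from the log lines alone."""
    kernel, utils = u["kernel_target"] is not None, u["utils_target"] is not None
    return {(True, True): "kernel+cifs-utils", (True, False): "kernel only",
            (False, True): "cifs-utils only"}.get((kernel, utils), "no upcall_target seen")

def ccache_drift(upcalls):
    """(host, creduid) pairs that resolved more than one credential cache."""
    seen = defaultdict(set)
    for u in upcalls:
        if u["ccache"]:
            seen[(u["host"], u["creduid"])].add(u["ccache"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for u in parse_upcalls(SAMPLE):
        print(u["pid"], posture(u), u["ccache"], "exit", u["exit"])
    print("drift:", ccache_drift(parse_upcalls(SAMPLE)))
```

A drift entry for a mount that should always use the host cache is the symptom the test case reproduces; with upcall_target=mount on patched packages the same pair should keep resolving one cache.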