From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Gustavo A. R. Silva", Colin Ian King, Pavel Shilovsky, Eryu Guan, Ronnie Sahlberg, Steve French
Subject: [PATCH 3.18 01/24] cifs: do not allow creating sockets except with SMB1 posix exensions
Date: Fri, 27 Apr 2018 15:57:36 +0200
Message-Id: <20180427135631.643688596@linuxfoundation.org>
In-Reply-To: <20180427135631.584839868@linuxfoundation.org>
References: <20180427135631.584839868@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Steve French

commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.

RHBZ: 1453123

Since at least the 3.10 kernel and likely a lot earlier we have not been able to create unix domain sockets in a cifs share when mounted using the SFU mount option (except when mounted with the cifs unix extensions to Samba e.g.)

Trying to create a socket, for example using the af_unix command from xfstests will cause:

BUG: unable to handle kernel NULL pointer dereference at 00000000 00000040

Since no one uses or depends on being able to create unix domain sockets on a cifs share the easiest fix to stop this vulnerability is to simply not allow creation of any other special files than char or block devices when sfu is used.

Added update to Ronnie's patch to handle a tcon link leak, and to address a buf leak noticed by Gustavo and Colin.

Acked-by: Gustavo A. R. Silva
CC: Colin Ian King
Reviewed-by: Pavel Shilovsky
Reported-by: Eryu Guan
Signed-off-by: Ronnie Sahlberg
Signed-off-by: Steve French
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman --- fs/cifs/dir.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c @@ -674,6 +674,9 @@ int cifs_mknod(struct inode *inode, stru goto mknod_out; } + if (!S_ISCHR(mode) && !S_ISBLK(mode)) + goto mknod_out; + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) goto mknod_out; @@ -682,10 +685,8 @@ int cifs_mknod(struct inode *inode, stru buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL); if (buf == NULL) { - kfree(full_path); rc = -ENOMEM; - free_xid(xid); - return rc; + goto mknod_out; } if (backup_cred(cifs_sb)) @@ -732,7 +733,7 @@ int cifs_mknod(struct inode *inode, stru pdev->minor = cpu_to_le64(MINOR(device_number)); rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, &bytes_written, iov, 1); - } /* else if (S_ISFIFO) */ + } tcon->ses->server->ops->close(xid, tcon, &fid); d_drop(direntry);
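
Review bot: In the first hunk of cifs_mknod(), the new `if (!S_ISCHR(mode) && !S_ISBLK(mode)) goto mknod_out;` leaves the function without assigning rc, so the error a caller sees when it asks for a socket or FIFO depends on an initial value that is not visible in this context. Assigning rc explicitly before the goto, or noting in a comment which initial value is relied on, would make the rejection self-documenting. A one-line comment stating that SFU emulation only supports char and block devices would also explain why the check sits ahead of the CIFS_MOUNT_UNX_EMUL test.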
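
Review bot: In the second hunk, the kmalloc() failure path now jumps to mknod_out instead of calling kfree(full_path) and free_xid(xid) itself, so its correctness rests on the label body, which is outside the diff context. Please confirm that mknod_out frees full_path, calls free_xid(xid) and drops the tlink reference the changelog mentions. If the label also frees buf to close the leak described in the changelog, buf has to be initialised to NULL at its declaration, because the goto added in the first hunk and the existing CIFS_MOUNT_UNX_EMUL goto both reach the label before kmalloc() has run.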