Patch cifs-utils to address CVE-2025-2312 [Medium] (#13198)

(cherry picked from commit 18d079a)

Author: jslobodzian

SPECS/cifs-utils/CVE-2025-2312.patch

@@ -0,0 +1,134 @@
+From 80c4d726a5c5eeab9b9cfb47692ceec25f444d3b Mon Sep 17 00:00:00 2001
+From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Date: Tue, 19 Nov 2024 06:07:58 +0000
+Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
+
+NOTE: This patch is dependent on one of the previously sent patches:
+[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
+which introduces a new mount option called upcall_target, to
+customise the upcall behaviour.
+
+Building upon the above patch, the following patch adds functionality
+to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
+mount, app.
+Having this new mount option allows the mount command to specify where the
+upcall should happen: 'mount' for resolving the upcall to the host
+namespace, and 'app' for resolving the upcall to the ns of the calling
+thread. This will enable both the scenarios where the Kerberos credentials
+can be found on the application namespace or the host namespace to which
+just the mount operation is "delegated".
+This aids use cases like Kubernetes where the mount
+happens on behalf of the application in another container altogether.
+
+Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index ad04301..1885273 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -801,6 +801,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+ 	char username[MAX_USERNAME_SIZE + 1];
+ 
++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
++	enum upcall_target_enum {
++		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
++		UPTARGET_MOUNT, /* upcall to the mount namespace */
++		UPTARGET_APP, /* upcall to the application namespace which did the mount */
++	} upcall_target;
++
+ 	uid_t uid;
+ 	uid_t creduid;
+ 	pid_t pid;
+@@ -817,6 +824,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID		0x20
+ #define DKD_HAVE_CREDUID	0x40
+ #define DKD_HAVE_USERNAME	0x80
++#define DKD_HAVE_UPCALL_TARGET	0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+ 	int have;
+ };
+@@ -827,6 +835,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 	size_t len;
+ 	char *pos;
+ 	const char *tkn = desc;
++	arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+ 	do {
+ 		pos = index(tkn, ';');
+@@ -925,6 +934,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 			}
+ 			arg->have |= DKD_HAVE_VERSION;
+ 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
++		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
++			if (pos == NULL)
++				len = strlen(tkn);
++			else
++				len = pos - tkn;
++
++			len -= 14;
++			if (len > MAX_UPCALL_STRING_LEN) {
++				syslog(LOG_ERR, "upcall_target= value too long for buffer");
++				return 1;
++			}
++			if (strncmp(tkn + 14, "mount", 5) == 0) {
++				arg->upcall_target = UPTARGET_MOUNT;
++				syslog(LOG_DEBUG, "upcall_target=mount");
++			} else if (strncmp(tkn + 14, "app", 3) == 0) {
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			} else {
++				// Should never happen
++				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
++				       tkn + 14);
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			}
++			arg->have |= DKD_HAVE_UPCALL_TARGET;
+ 		}
+ 		if (pos == NULL)
+ 			break;
+@@ -1289,15 +1323,20 @@ int main(const int argc, char *const argv[])
+ 	 * acceptably in containers, because we'll be looking at the correct
+ 	 * filesystem and have the correct network configuration.
+ 	 */
+-	rc = switch_to_process_ns(arg->pid);
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+-		rc = 1;
+-		goto out;
++	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
++		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
++		rc = switch_to_process_ns(arg->pid);
++		if (rc == -1) {
++			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
++			rc = 1;
++			goto out;
++		}
++		if (trim_capabilities(env_probe))
++			goto out;
++	} else {
++		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
+ 	}
+ 
+-	if (trim_capabilities(env_probe))
+-		goto out;
+ 
+ 	/*
+ 	 * The kernel doesn't pass down the gid, so we resort here to scraping
+@@ -1344,7 +1383,7 @@ int main(const int argc, char *const argv[])
+ 	 * look at the environ file.
+ 	 */
+ 	env_cachename =
+-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
++		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+ 	rc = setuid(uid);
+ 	if (rc == -1) {
+-- 
+2.34.1
+

SPECS/cifs-utils/cifs-utils.spec

@@ -1,7 +1,7 @@
 Summary:        cifs client utils
 Name:           cifs-utils
 Version:        6.14
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://wiki.samba.org/index.php/LinuxCIFS_utils
 Source0:        https://download.samba.org/pub/linux-cifs/%{name}/%{name}-%{version}.tar.bz2
 Patch0:         CVE-2022-29869.patch
 Patch1:         CVE-2022-27239.patch
+Patch2:         CVE-2025-2312.patch
 BuildRequires:  keyutils-devel
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libtalloc-devel
@@ -72,6 +73,9 @@ make %{?_smp_mflags} check
 %{_includedir}/cifsidmap.h
 
 %changelog
+* Mon Mar 31 2025 Ankita Pareek <ankitapareek@microsoft.com> - 6.14-3
+- Add patch for CVE-2025-2312
+
 * Tue May 17 2022 Chris Co <chrco@microsoft.com> - 6.14-2
 - Address CVE-2022-27239, CVE-2022-29869
 - Fix lint