Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312

Pick the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../cifs/cifs-utils/CVE-2025-2312.patch       | 135 ++++++++++++++++++
 .../recipes-support/cifs/cifs-utils_7.0.bb    |   4 +-
 2 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 
meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch

diff --git 
a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch 
b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
new file mode 100644
index 0000000000..162e4cc4be
--- /dev/null
+++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
@@ -0,0 +1,135 @@
+From 44312bbc9aaae39a88541abe7ab7700314d34047 Mon Sep 17 00:00:00 2001
+From: Ritvik Budhiraja <[email protected]>
+Date: Tue, 19 Nov 2024 06:07:58 +0000
+Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
+
+NOTE: This patch is dependent on one of the previously sent patches:
+[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
+which introduces a new mount option called upcall_target, to
+customise the upcall behaviour.
+
+Building upon the above patch, the following patch adds functionality
+to handle upcall_target as a mount option in cifs.upcall. It can have 2 values 
-
+mount, app.
+Having this new mount option allows the mount command to specify where the
+upcall should happen: 'mount' for resolving the upcall to the host
+namespace, and 'app' for resolving the upcall to the ns of the calling
+thread. This will enable both the scenarios where the Kerberos credentials
+can be found on the application namespace or the host namespace to which
+just the mount operation is "delegated".
+This aids use cases like Kubernetes where the mount
+happens on behalf of the application in another container altogether.
+
+Signed-off-by: Ritvik Budhiraja <[email protected]>
+Signed-off-by: Steve French <[email protected]>
+
+CVE: CVE-2025-2312
+Upstream-Status: Backport 
[https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c0328..0883afa 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -953,6 +953,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+       char username[MAX_USERNAME_SIZE + 1];
+ 
++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
++      enum upcall_target_enum {
++              UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
++              UPTARGET_MOUNT, /* upcall to the mount namespace */
++              UPTARGET_APP, /* upcall to the application namespace which did 
the mount */
++      } upcall_target;
++
+       uid_t uid;
+       uid_t creduid;
+       pid_t pid;
+@@ -969,6 +976,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID          0x20
+ #define DKD_HAVE_CREDUID      0x40
+ #define DKD_HAVE_USERNAME     0x80
++#define DKD_HAVE_UPCALL_TARGET        0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+       int have;
+ };
+@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct 
decoded_args *arg)
+       size_t len;
+       char *pos;
+       const char *tkn = desc;
++      arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+       do {
+               pos = index(tkn, ';');
+@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct 
decoded_args *arg)
+                       }
+                       arg->have |= DKD_HAVE_VERSION;
+                       syslog(LOG_DEBUG, "ver=%d", arg->ver);
++              } else if (strncmp(tkn, "upcall_target=", 14) == 0) {
++                      if (pos == NULL)
++                              len = strlen(tkn);
++                      else
++                              len = pos - tkn;
++
++                      len -= 14;
++                      if (len > MAX_UPCALL_STRING_LEN) {
++                              syslog(LOG_ERR, "upcall_target= value too long 
for buffer");
++                              return 1;
++                      }
++                      if (strncmp(tkn + 14, "mount", 5) == 0) {
++                              arg->upcall_target = UPTARGET_MOUNT;
++                              syslog(LOG_DEBUG, "upcall_target=mount");
++                      } else if (strncmp(tkn + 14, "app", 3) == 0) {
++                              arg->upcall_target = UPTARGET_APP;
++                              syslog(LOG_DEBUG, "upcall_target=app");
++                      } else {
++                              // Should never happen
++                              syslog(LOG_ERR, "Invalid upcall_target value: 
%s, defaulting to app",
++                                     tkn + 14);
++                              arg->upcall_target = UPTARGET_APP;
++                              syslog(LOG_DEBUG, "upcall_target=app");
++                      }
++                      arg->have |= DKD_HAVE_UPCALL_TARGET;
+               }
+               if (pos == NULL)
+                       break;
+@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
+        * acceptably in containers, because we'll be looking at the correct
+        * filesystem and have the correct network configuration.
+        */
+-      rc = switch_to_process_ns(arg->pid);
+-      if (rc == -1) {
+-              syslog(LOG_ERR, "unable to switch to process namespace: %s", 
strerror(errno));
+-              rc = 1;
+-              goto out;
++      if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == 
UPTARGET_UNSPECIFIED) {
++              syslog(LOG_INFO, "upcall_target=app, switching namespaces to 
application thread");
++              rc = switch_to_process_ns(arg->pid);
++              if (rc == -1) {
++                      syslog(LOG_ERR, "unable to switch to process namespace: 
%s", strerror(errno));
++                      rc = 1;
++                      goto out;
++              }
++              if (trim_capabilities(env_probe))
++                      goto out;
++      } else {
++              syslog(LOG_INFO, "upcall_target=mount, not switching namespaces 
to application thread");
+       }
+ 
+-      if (trim_capabilities(env_probe))
+-              goto out;
+ 
+       /*
+        * The kernel doesn't pass down the gid, so we resort here to scraping
+@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
+        * look at the environ file.
+        */
+       env_cachename =
+-              get_cachename_from_process_env(env_probe ? arg->pid : 0);
++              get_cachename_from_process_env((env_probe && 
(arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+       rc = setuid(uid);
+       if (rc == -1) {
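Review bot: UPTARGET_UNSPECIFIED is handled inconsistently in the embedded cifs.upcall.c change. The namespace-switch branch in main() and the enum comment both treat it as app, but the last hunk passes `arg->pid` to get_cachename_from_process_env() only when `upcall_target == UPTARGET_APP`. A key description without `upcall_target=` would therefore switch into the process namespace and then skip the environment probe that ran before this patch. Making the conditions agree, e.g. `(env_probe && arg->upcall_target != UPTARGET_MOUNT) ? arg->pid : 0`, keeps the previous default. In the same main() hunk `trim_capabilities(env_probe)` moved inside the app branch, so the mount path appears to continue without trimming capabilities; its body is not visible here and main() extends beyond the hunk, but calling it on both paths would preserve least privilege.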
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb 
b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
index e2918503be..f86e7bd22b 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
@@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
-SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
+           file://CVE-2025-2312.patch \
+           "
 
 DEPENDS += "libtalloc"
 