On Fri, Jan 9, 2026 at 11:47 PM Gyorgy Sarvari <[email protected]> wrote: > > This patch needs a bit of caution, because it requires kernel 6.13 at > least, without it it has no effect. The required kernel change[1] was > not backported to older stable versions (both Scarthgap and Kirkstone > are out of luck with the default kernel). > > Not saying the patch should be dropped, rather that the CVE tag in the patch > will mark it as patched, but it's only half of the fix. Not sure what (if > anything at all) should be done about this. > > [1]: > https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb?id=db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Thanks Gyorgy, I overlooked that aspect. It will be misleading to mark CVE tag as patched when vulnerability still exists. I am in favor of dropping this patch. > > On 1/9/26 10:28, Ankur Tyagi via lists.openembedded.org wrote: > > From: Ankur Tyagi <[email protected]> > > > > Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312 > > > > Signed-off-by: Ankur Tyagi <[email protected]> > > --- > > .../cifs/cifs-utils/CVE-2025-2312.patch | 136 ++++++++++++++++++ > > .../recipes-support/cifs/cifs-utils_7.0.bb | 4 +- > > 2 files changed, 139 insertions(+), 1 deletion(-) > > create mode 100644 > > meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch > > > > diff --git > > a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch > > b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch > > new file mode 100644 > > index 0000000000..3e62b0f1c3 > > --- /dev/null > > +++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch 
> > @@ -0,0 +1,136 @@ > > +From faf6ce0abd6fbca95721eb88754add9c0c700a5c Mon Sep 17 00:00:00 2001 > > +From: Ritvik Budhiraja <[email protected]> > > +Date: Tue, 19 Nov 2024 06:07:58 +0000 > > +Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt > > + > > +NOTE: This patch is dependent on one of the previously sent patches: > > +[PATCH] CIFS: New mount option for cifs.upcall namespace resolution > > +which introduces a new mount option called upcall_target, to > > +customise the upcall behaviour. > > + > > +Building upon the above patch, the following patch adds functionality > > +to handle upcall_target as a mount option in cifs.upcall. It can have 2 > > values - > > +mount, app. > > +Having this new mount option allows the mount command to specify where the > > +upcall should happen: 'mount' for resolving the upcall to the host > > +namespace, and 'app' for resolving the upcall to the ns of the calling > > +thread. This will enable both the scenarios where the Kerberos credentials > > +can be found on the application namespace or the host namespace to which > > +just the mount operation is "delegated". > > +This aids use cases like Kubernetes where the mount > > +happens on behalf of the application in another container altogether. 
> > + > > +Signed-off-by: Ritvik Budhiraja <[email protected]> > > +Signed-off-by: Steve French <[email protected]> > > + > > +CVE: CVE-2025-2312 > > +Upstream-Status: Backport > > [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174] > > +(cherry picked from commit 89b679228cc1be9739d54203d28289b03352c174) > > +Signed-off-by: Ankur Tyagi <[email protected]> > > +--- > > + cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++-------- > > + 1 file changed, 47 insertions(+), 8 deletions(-) > > + > > +diff --git a/cifs.upcall.c b/cifs.upcall.c > > +index 52c0328..0883afa 100644 > > +--- a/cifs.upcall.c > > ++++ b/cifs.upcall.c > > +@@ -953,6 +953,13 @@ struct decoded_args { > > + #define MAX_USERNAME_SIZE 256 > > + char username[MAX_USERNAME_SIZE + 1]; > > + > > ++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */ > > ++ enum upcall_target_enum { > > ++ UPTARGET_UNSPECIFIED, /* not specified, defaults to app */ > > ++ UPTARGET_MOUNT, /* upcall to the mount namespace */ > > ++ UPTARGET_APP, /* upcall to the application namespace which > > did the mount */ > > ++ } upcall_target; > > ++ > > + uid_t uid; > > + uid_t creduid; > > + pid_t pid; > > +@@ -969,6 +976,7 @@ struct decoded_args { > > + #define DKD_HAVE_PID 0x20 > > + #define DKD_HAVE_CREDUID 0x40 > > + #define DKD_HAVE_USERNAME 0x80 > > ++#define DKD_HAVE_UPCALL_TARGET 0x100 > > + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC) > > + int have; > > + }; > > +@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct > > decoded_args *arg) > > + size_t len; > > + char *pos; > > + const char *tkn = desc; > > ++ arg->upcall_target = UPTARGET_UNSPECIFIED; > > + > > + do { > > + pos = index(tkn, ';'); > > +@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct > > decoded_args *arg) > > + } > > + arg->have |= DKD_HAVE_VERSION; > > + syslog(LOG_DEBUG, "ver=%d", arg->ver); > > ++ } else if (strncmp(tkn, "upcall_target=", 
14) == 0) { > > ++ if (pos == NULL) > > ++ len = strlen(tkn); > > ++ else > > ++ len = pos - tkn; > > ++ > > ++ len -= 14; > > ++ if (len > MAX_UPCALL_STRING_LEN) { > > ++ syslog(LOG_ERR, "upcall_target= value too > > long for buffer"); > > ++ return 1; > > ++ } > > ++ if (strncmp(tkn + 14, "mount", 5) == 0) { > > ++ arg->upcall_target = UPTARGET_MOUNT; > > ++ syslog(LOG_DEBUG, "upcall_target=mount"); > > ++ } else if (strncmp(tkn + 14, "app", 3) == 0) { > > ++ arg->upcall_target = UPTARGET_APP; > > ++ syslog(LOG_DEBUG, "upcall_target=app"); > > ++ } else { > > ++ // Should never happen > > ++ syslog(LOG_ERR, "Invalid upcall_target value: > > %s, defaulting to app", > > ++ tkn + 14); > > ++ arg->upcall_target = UPTARGET_APP; > > ++ syslog(LOG_DEBUG, "upcall_target=app"); > > ++ } > > ++ arg->have |= DKD_HAVE_UPCALL_TARGET; > > + } > > + if (pos == NULL) > > + break; > > +@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[]) > > + * acceptably in containers, because we'll be looking at the correct > > + * filesystem and have the correct network configuration. 
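Review bot: In the `upcall_target=` branch of `__decode_key_description` the computed `len` is only range-checked and never used in the comparison, so `strncmp(tkn + 14, "mount", 5)` and `strncmp(tkn + 14, "app", 3)` accept any value that merely begins with those words (a constructed example: `apple` is taken as `app`). An exact match would be `len == 5 && memcmp(tkn + 14, "mount", 5) == 0` and `len == 3 && memcmp(tkn + 14, "app", 3) == 0`. The fallback branch also passes `tkn + 14` to `%s`, and since the token is not NUL-terminated at the `;`, the log line will carry the rest of the key description; `"%.*s", (int)len, tkn + 14` would bound it. The function starts and ends outside the hunk.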
> > + */ > > +- rc = switch_to_process_ns(arg->pid); > > +- if (rc == -1) { > > +- syslog(LOG_ERR, "unable to switch to process namespace: %s", > > strerror(errno)); > > +- rc = 1; > > +- goto out; > > ++ if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == > > UPTARGET_UNSPECIFIED) { > > ++ syslog(LOG_INFO, "upcall_target=app, switching namespaces to > > application thread"); > > ++ rc = switch_to_process_ns(arg->pid); > > ++ if (rc == -1) { > > ++ syslog(LOG_ERR, "unable to switch to process > > namespace: %s", strerror(errno)); > > ++ rc = 1; > > ++ goto out; > > ++ } > > ++ if (trim_capabilities(env_probe)) > > ++ goto out; > > ++ } else { > > ++ syslog(LOG_INFO, "upcall_target=mount, not switching > > namespaces to application thread"); > > + } > > + > > +- if (trim_capabilities(env_probe)) > > +- goto out; > > + > > + /* > > + * The kernel doesn't pass down the gid, so we resort here to scraping > > +@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[]) > > + * look at the environ file. > > + */ > > + env_cachename = > > +- get_cachename_from_process_env(env_probe ? arg->pid : 0); > > ++ get_cachename_from_process_env((env_probe && > > (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0); > > + > > + rc = setuid(uid); > > + if (rc == -1) { > > diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb > > b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb > > index c78bbae7b8..4e27491bba 100644 > > --- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb > > +++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb 
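Review bot: `trim_capabilities(env_probe)` now runs only inside the `UPTARGET_APP`/`UPTARGET_UNSPECIFIED` branch of `main`, so the `upcall_target=mount` path skips it and carries on with whatever capability set the helper was started with. If that function reduces privileges, as its name suggests (its body is not visible here), the call should stay after the `if`/`else` so both targets are covered: `if (trim_capabilities(env_probe)) goto out;` where the removed lines had it. If skipping it for the mount target is deliberate, the `else` branch needs a comment saying why. `main` starts and ends outside the hunk.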
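Review bot: The new condition `env_probe && (arg->upcall_target == UPTARGET_APP)` leaves out `UPTARGET_UNSPECIFIED`, although the namespace-switch hunk before it and the enum comment ("not specified, defaults to app") both treat unspecified as app. When the key description carries no `upcall_target=` field, presumably the case with a kernel that does not send the option, `get_cachename_from_process_env` is now called with `0` instead of `arg->pid`, which changes behaviour for existing mounts that rely on the environment probe. The condition should read `(env_probe && arg->upcall_target != UPTARGET_MOUNT) ? arg->pid : 0`. `main` continues outside the hunk.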
> > @@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only" > > LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" > > > > SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30" > > -SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" > > +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \ > > + file://CVE-2025-2312.patch \ > > +" > > > > S = "${WORKDIR}/git" > > DEPENDS += "libtalloc" > > > > > > >
