[kernel] r7922 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
. patches patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Dec 3 23:17:47 UTC 2006
Author: dannf
Date: Mon Dec 4 00:17:46 2006
New Revision: 7922
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-honor-mount-opts.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* smbfs-honor-mount-opts.dpatch
Honor uid, gid and mode mount options for smbfs even when unix extensions
are enabled
See CVE-2006-5871
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Mon Dec 4 00:17:46 2006
@@ -29,8 +29,12 @@
remaining bytes of the kernel buffer after a fault on the userspace
address in copy_from_user()
See CVE-2006-5174
+ * smbfs-honor-mount-opts.dpatch
+ Honor uid, gid and mode mount options for smbfs even when unix extensions
+ are enabled
+ See CVE-2006-5871
- -- dann frazier <dannf at debian.org> Sun, 12 Nov 2006 21:02:15 -0700
+ -- dann frazier <dannf at debian.org> Sun, 3 Dec 2006 16:14:55 -0700
kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 Mon Dec 4 00:17:46 2006
@@ -5,3 +5,4 @@
+ ip6_flowlabel-lockup.dpatch
+ ppc-alignment-exception-table-check.dpatch
+ s390-uaccess-memleak.dpatch
++ smbfs-honor-mount-opts.dpatch
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-honor-mount-opts.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-honor-mount-opts.dpatch Mon Dec 4 00:17:46 2006
@@ -0,0 +1,215 @@
+diff -Naru a/fs/smbfs/inode.c b/fs/smbfs/inode.c
+--- a/fs/smbfs/inode.c 2006-12-03 23:32:47 -08:00
++++ b/fs/smbfs/inode.c 2006-12-03 23:32:47 -08:00
+@@ -368,7 +368,6 @@
+ &optopt, &optarg, &flags, &value)) > 0) {
+
+ VERBOSE("'%s' -> '%s'\n", optopt, optarg ? optarg : "<none>");
+-
+ switch (c) {
+ case 1:
+ /* got a "flag" option */
+@@ -383,15 +382,19 @@
+ break;
+ case 'u':
+ mnt->uid = value;
++ flags |= SMB_MOUNT_UID;
+ break;
+ case 'g':
+ mnt->gid = value;
++ flags |= SMB_MOUNT_GID;
+ break;
+ case 'f':
+ mnt->file_mode = (value & S_IRWXUGO) | S_IFREG;
++ flags |= SMB_MOUNT_FMODE;
+ break;
+ case 'd':
+ mnt->dir_mode = (value & S_IRWXUGO) | S_IFDIR;
++ flags |= SMB_MOUNT_DMODE;
+ break;
+ case 'i':
+ strlcpy(mnt->codepage.local_name, optarg,
+@@ -429,9 +432,9 @@
+ if (mnt->flags & opts[i].flag)
+ seq_printf(s, ",%s", opts[i].name);
+
+- if (mnt->uid != 0)
++ if (mnt->flags & SMB_MOUNT_UID)
+ seq_printf(s, ",uid=%d", mnt->uid);
+- if (mnt->gid != 0)
++ if (mnt->flags & SMB_MOUNT_GID)
+ seq_printf(s, ",gid=%d", mnt->gid);
+ if (mnt->mounted_uid != 0)
+ seq_printf(s, ",mounted_uid=%d", mnt->mounted_uid);
+@@ -440,8 +443,10 @@
+ * Defaults for file_mode and dir_mode are unknown to us; they
+ * depend on the current umask of the user doing the mount.
+ */
+- seq_printf(s, ",file_mode=%04o", mnt->file_mode & S_IRWXUGO);
+- seq_printf(s, ",dir_mode=%04o", mnt->dir_mode & S_IRWXUGO);
++ if (mnt->flags & SMB_MOUNT_FMODE)
++ seq_printf(s, ",file_mode=%04o", mnt->file_mode & S_IRWXUGO);
++ if (mnt->flags & SMB_MOUNT_DMODE)
++ seq_printf(s, ",dir_mode=%04o", mnt->dir_mode & S_IRWXUGO);
+
+ if (strcmp(mnt->codepage.local_name, CONFIG_NLS_DEFAULT))
+ seq_printf(s, ",iocharset=%s", mnt->codepage.local_name);
+@@ -566,8 +571,13 @@
+ mnt->file_mode = (oldmnt->file_mode & S_IRWXUGO) | S_IFREG;
+ mnt->dir_mode = (oldmnt->dir_mode & S_IRWXUGO) | S_IFDIR;
+
+- mnt->flags = (oldmnt->file_mode >> 9);
++ mnt->flags = (oldmnt->file_mode >> 9) | SMB_MOUNT_UID |
++ SMB_MOUNT_GID | SMB_MOUNT_FMODE | SMB_MOUNT_DMODE;
+ } else {
++ mnt->file_mode = mnt->dir_mode = S_IRWXU | S_IRGRP | S_IXGRP |
++ S_IROTH | S_IXOTH | S_IFREG;
++ mnt->dir_mode = mnt->dir_mode = S_IRWXU | S_IRGRP | S_IXGRP |
++ S_IROTH | S_IXOTH | S_IFDIR;
+ if (parse_options(mnt, raw_data))
+ goto out_bad_option;
+ }
+@@ -599,6 +609,7 @@
+ sb->s_root = d_alloc_root(root_inode);
+ if (!sb->s_root)
+ goto out_no_root;
++
+ smb_new_dentry(sb->s_root);
+
+ return 0;
+diff -Naru a/fs/smbfs/proc.c b/fs/smbfs/proc.c
+--- a/fs/smbfs/proc.c 2006-12-03 23:32:47 -08:00
++++ b/fs/smbfs/proc.c 2006-12-03 23:32:47 -08:00
+@@ -2074,7 +2074,7 @@
+ return result;
+ }
+
+-void smb_decode_unix_basic(struct smb_fattr *fattr, char *p)
++void smb_decode_unix_basic(struct smb_fattr *fattr, struct smb_sb_info *server, char *p)
+ {
+ u64 size, disk_bytes;
+
+@@ -2111,8 +2111,17 @@
+ fattr->f_ctime = smb_ntutc2unixutc(LVAL(p, 16));
+ fattr->f_atime = smb_ntutc2unixutc(LVAL(p, 24));
+ fattr->f_mtime = smb_ntutc2unixutc(LVAL(p, 32));
+- fattr->f_uid = LVAL(p, 40);
+- fattr->f_gid = LVAL(p, 48);
++
++ if (server->mnt->flags & SMB_MOUNT_UID)
++ fattr->f_uid = server->mnt->uid;
++ else
++ fattr->f_uid = LVAL(p, 40);
++
++ if (server->mnt->flags & SMB_MOUNT_GID)
++ fattr->f_gid = server->mnt->gid;
++ else
++ fattr->f_gid = LVAL(p, 48);
++
+ fattr->f_mode |= smb_filetype_to_mode(WVAL(p, 56));
+
+ if (S_ISBLK(fattr->f_mode) || S_ISCHR(fattr->f_mode)) {
+@@ -2121,10 +2130,19 @@
+
+ fattr->f_rdev = MKDEV(major & 0xffffffff, minor & 0xffffffff);
+ if (MAJOR(fattr->f_rdev) != (major & 0xffffffff) ||
+- MINOR(fattr->f_rdev) != (minor & 0xffffffff))
++ MINOR(fattr->f_rdev) != (minor & 0xffffffff))
+ fattr->f_rdev = 0;
+ }
++
+ fattr->f_mode |= LVAL(p, 84);
++
++ if ( (server->mnt->flags & SMB_MOUNT_DMODE) &&
++ (S_ISDIR(fattr->f_mode)) )
++ fattr->f_mode = (server->mnt->dir_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) | S_IFDIR;
++ else if ( (server->mnt->flags & SMB_MOUNT_FMODE) &&
++ !(S_ISDIR(fattr->f_mode)) )
++ fattr->f_mode = (server->mnt->file_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) | S_IFREG;
++
+ }
+
+ /*
+@@ -2210,7 +2228,7 @@
+ /* FIXME: should we check the length?? */
+
+ p += 8;
+- smb_decode_unix_basic(fattr, p);
++ smb_decode_unix_basic(fattr, server, p);
+ VERBOSE("info SMB_FIND_FILE_UNIX at %p, len=%d, name=%.*s\n",
+ p, len, len, qname->name);
+ break;
+@@ -2769,7 +2787,7 @@
+ if (result < 0)
+ goto out_free;
+
+- smb_decode_unix_basic(attr, req->rq_data);
++ smb_decode_unix_basic(attr, server, req->rq_data);
+
+ out_free:
+ smb_rput(req);
+diff -Naru a/fs/smbfs/proto.h b/fs/smbfs/proto.h
+--- a/fs/smbfs/proto.h 2006-12-03 23:32:47 -08:00
++++ b/fs/smbfs/proto.h 2006-12-03 23:32:47 -08:00
+@@ -24,7 +24,7 @@
+ extern int smb_proc_unlink(struct dentry *dentry);
+ extern int smb_proc_flush(struct smb_sb_info *server, __u16 fileid);
+ extern void smb_init_root_dirent(struct smb_sb_info *server, struct smb_fattr *fattr);
+-extern void smb_decode_unix_basic(struct smb_fattr *fattr, char *p);
++extern void smb_decode_unix_basic(struct smb_fattr *fattr, struct smb_sb_info *server, char *p);
+ extern int smb_proc_getattr(struct dentry *dir, struct smb_fattr *fattr);
+ extern int smb_proc_setattr(struct dentry *dir, struct smb_fattr *fattr);
+ extern int smb_proc_setattr_unix(struct dentry *d, struct iattr *attr, unsigned int major, unsigned int minor);
+diff -Naru a/include/linux/smb_mount.h b/include/linux/smb_mount.h
+--- a/include/linux/smb_mount.h 2006-12-03 23:32:47 -08:00
++++ b/include/linux/smb_mount.h 2006-12-03 23:32:47 -08:00
+@@ -38,7 +38,10 @@
+ #define SMB_MOUNT_DIRATTR 0x0004 /* Use find_first for getattr */
+ #define SMB_MOUNT_CASE 0x0008 /* Be case sensitive */
+ #define SMB_MOUNT_UNICODE 0x0010 /* Server talks unicode */
+-
++#define SMB_MOUNT_UID 0x0020 /* Use user specified uid */
++#define SMB_MOUNT_GID 0x0040 /* Use user specified gid */
++#define SMB_MOUNT_FMODE 0x0080 /* Use user specified file mode */
++#define SMB_MOUNT_DMODE 0x0100 /* Use user specified dir mode */
+
+ struct smb_mount_data_kernel {
+ int version;
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/10/19 08:15:14-07:00 haroldo.gamal at infolink.com.br
+# [PATCH] smbfs does not honor uid, gid, file_mode and dir_mode supplied by user mount
+#
+# This patch fixes "Samba Bugzilla Bug 999". The last version (2.6.8.1) of
+# smbfs kernel module do not honor uid, gid, file_mode and dir_mode supplied
+# by user during mount. This bug is also logged as "Kernel Bug Tracker Bug
+# 3330".
+#
+# To fully work, some modifications are needed to samba smbmount.c and
+# smbmnt.c files. Those patches are available at Samba and Kernel Bug
+# Tracker pages.
+#
+# After those patches, if the user do not supply any of the parameters above,
+# the uid, gid, file_mode and dir_mode on the server will be used by the
+# client.
+#
+# Signed-off-by: Andrew Morton <akpm at osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+#
+# fs/smbfs/inode.c
+# 2004/10/19 02:40:29-07:00 haroldo.gamal at infolink.com.br +17 -6
+# smbfs does not honor uid, gid, file_mode and dir_mode supplied by user mount
+#
+# fs/smbfs/proc.c
+# 2004/10/19 02:40:29-07:00 haroldo.gamal at infolink.com.br +24 -6
+# smbfs does not honor uid, gid, file_mode and dir_mode supplied by user mount
+#
+# fs/smbfs/proto.h
+# 2004/10/19 02:40:29-07:00 haroldo.gamal at infolink.com.br +1 -1
+# smbfs does not honor uid, gid, file_mode and dir_mode supplied by user mount
+#
+# include/linux/smb_mount.h
+# 2004/10/19 02:40:29-07:00 haroldo.gamal at infolink.com.br +4 -1
+# smbfs does not honor uid, gid, file_mode and dir_mode supplied by user mount
+#
More information about the Kernel-svn-changes
mailing list