/[smeserver]/rpms/samba/sme10/CVE-2017-2619-v4-4.patch
ViewVC logotype

Contents of /rpms/samba/sme10/CVE-2017-2619-v4-4.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (show annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 From 72e7e7b7d378e7ba3afe18ea41802aac5366b094 Mon Sep 17 00:00:00 2001
2 From: Ralph Boehme <slow@samba.org>
3 Date: Sun, 19 Mar 2017 15:58:17 +0100
4 Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after
5 dptr_CloseDir()
6
7 dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
8 have to reopen it.
9
10 Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
11
12 Signed-off-by: Ralph Boehme <slow@samba.org>
13 Reviewed-by: Uri Simchoni <uri@samba.org>
14 ---
15 source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++
16 1 file changed, 17 insertions(+)
17
18 diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
19 index 4b6ca1b..1703310 100644
20 --- a/source3/smbd/smb2_query_directory.c
21 +++ b/source3/smbd/smb2_query_directory.c
22 @@ -24,6 +24,7 @@
23 #include "../libcli/smb/smb_common.h"
24 #include "trans2.h"
25 #include "../lib/util/tevent_ntstatus.h"
26 +#include "system/filesys.h"
27
28 static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
29 struct tevent_context *ev,
30 @@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
31 }
32
33 if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
34 + int flags;
35 +
36 dptr_CloseDir(fsp);
37 +
38 + /*
39 + * dptr_CloseDir() will close and invalidate the fsp's file
40 + * descriptor, we have to reopen it.
41 + */
42 +
43 + flags = O_RDONLY;
44 +#ifdef O_DIRECTORY
45 + flags |= O_DIRECTORY;
46 +#endif
47 + status = fd_open(conn, fsp, flags, 0);
48 + if (tevent_req_nterror(req, status)) {
49 + return tevent_req_post(req, ev);
50 + }
51 }
52
53 if (!smbreq->posix_pathnames) {
54 --
55 2.9.3
56
57
58 From f9a9e7ed2f11c8eb9f8f9f40ec054e9735614e91 Mon Sep 17 00:00:00 2001
59 From: Ralph Boehme <slow@samba.org>
60 Date: Sun, 19 Mar 2017 18:52:10 +0100
61 Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with
62 SMB2_CONTINUE_FLAG_REOPEN flag
63
64 Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
65
66 Signed-off-by: Ralph Boehme <slow@samba.org>
67 Reviewed-by: Uri Simchoni <uri@samba.org>
68 ---
69 source4/torture/smb2/dir.c | 12 ++++++++++--
70 1 file changed, 10 insertions(+), 2 deletions(-)
71
72 diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c
73 index 98844b4..db8e456 100644
74 --- a/source4/torture/smb2/dir.c
75 +++ b/source4/torture/smb2/dir.c
76 @@ -674,7 +674,7 @@ bool fill_result(void *private_data,
77 return true;
78 }
79
80 -enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART};
81 +enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN};
82
83 static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
84 TALLOC_CTX *tctx,
85 @@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
86
87 /* The search should start from the beginning everytime */
88 f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART;
89 + if (cont_type == CONT_REOPEN) {
90 + f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN;
91 + }
92
93 do {
94 status = smb2_find_level(tree, tree, &f, &count, &d);
95 @@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx,
96 {"SMB2_FIND_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_SINGLE},
97 {"SMB2_FIND_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_INDEX},
98 {"SMB2_FIND_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_RESTART},
99 + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_REOPEN},
100 {"SMB2_FIND_DIRECTORY_INFO", "SINGLE", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_SINGLE},
101 {"SMB2_FIND_DIRECTORY_INFO", "INDEX", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_INDEX},
102 {"SMB2_FIND_DIRECTORY_INFO", "RESTART", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_RESTART},
103 + {"SMB2_FIND_DIRECTORY_INFO", "REOPEN", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_REOPEN},
104 {"SMB2_FIND_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_SINGLE},
105 {"SMB2_FIND_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_INDEX},
106 {"SMB2_FIND_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_RESTART},
107 + {"SMB2_FIND_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_REOPEN},
108 {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE},
109 {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX},
110 {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART},
111 + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN},
112 {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE},
113 {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX},
114 - {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}
115 + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART},
116 + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN},
117 };
118
119 smb2_deltree(tree, DNAME);
120 --
121 2.9.3
122
123
124 From d329035b5bda87ab95a33b8d4af1936079db6fd1 Mon Sep 17 00:00:00 2001
125 From: Jeremy Allison <jra@samba.org>
126 Date: Mon, 19 Dec 2016 11:55:56 -0800
127 Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for
128 OpenDir in preparation for making robust.
129
130 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
131
132 Signed-off-by: Jeremy Allison <jra@samba.org>
133 Reviewed-by: Uri Simchoni <uri@samba.org>
134 ---
135 source3/smbd/dir.c | 15 ++++++++++++++-
136 1 file changed, 14 insertions(+), 1 deletion(-)
137
138 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
139 index 3805915..cbd32e3 100644
140 --- a/source3/smbd/dir.c
141 +++ b/source3/smbd/dir.c
142 @@ -1588,7 +1588,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
143 Open a directory.
144 ********************************************************************/
145
146 -struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
147 +static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
148 + connection_struct *conn,
149 const char *name,
150 const char *mask,
151 uint32_t attr)
152 @@ -1628,6 +1629,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
153 return NULL;
154 }
155
156 +struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
157 + const char *name,
158 + const char *mask,
159 + uint32_t attr)
160 +{
161 + return OpenDir_internal(mem_ctx,
162 + conn,
163 + name,
164 + mask,
165 + attr);
166 +}
167 +
168 /*******************************************************************
169 Open a directory from an fsp.
170 ********************************************************************/
171 --
172 2.9.3
173
174
175 From 484dda03a69f5c687b6ec6db1332bcc51e72e0c2 Mon Sep 17 00:00:00 2001
176 From: Jeremy Allison <jra@samba.org>
177 Date: Mon, 19 Dec 2016 16:25:26 -0800
178 Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early
179 return if SMB_VFS_OPENDIR failed.
180
181 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
182
183 Signed-off-by: Jeremy Allison <jra@samba.org>
184 Reviewed-by: Uri Simchoni <uri@samba.org>
185 ---
186 source3/smbd/dir.c | 16 ++++++++--------
187 1 file changed, 8 insertions(+), 8 deletions(-)
188
189 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
190 index cbd32e3..ea4b301 100644
191 --- a/source3/smbd/dir.c
192 +++ b/source3/smbd/dir.c
193 @@ -1601,20 +1601,12 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
194 return NULL;
195 }
196
197 - dirp->conn = conn;
198 - dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
199 -
200 dirp->dir_path = talloc_strdup(dirp, name);
201 if (!dirp->dir_path) {
202 errno = ENOMEM;
203 goto fail;
204 }
205
206 - if (sconn && !sconn->using_smb2) {
207 - sconn->searches.dirhandles_open++;
208 - }
209 - talloc_set_destructor(dirp, smb_Dir_destructor);
210 -
211 dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
212 if (!dirp->dir) {
213 DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
214 @@ -1622,6 +1614,14 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
215 goto fail;
216 }
217
218 + dirp->conn = conn;
219 + dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
220 +
221 + if (sconn && !sconn->using_smb2) {
222 + sconn->searches.dirhandles_open++;
223 + }
224 + talloc_set_destructor(dirp, smb_Dir_destructor);
225 +
226 return dirp;
227
228 fail:
229 --
230 2.9.3
231
232
233 From 84d4bbde7c1682e4c8daf680f930a14e3444f659 Mon Sep 17 00:00:00 2001
234 From: Jeremy Allison <jra@samba.org>
235 Date: Mon, 19 Dec 2016 16:35:00 -0800
236 Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use
237 open_dir_safely(). Use from OpenDir().
238
239 Hardens OpenDir against TOC/TOU races.
240
241 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
242
243 Signed-off-by: Jeremy Allison <jra@samba.org>
244 Reviewed-by: Uri Simchoni <uri@samba.org>
245 ---
246 source3/smbd/dir.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++-------
247 1 file changed, 61 insertions(+), 9 deletions(-)
248
249 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
250 index ea4b301..39a6e67 100644
251 --- a/source3/smbd/dir.c
252 +++ b/source3/smbd/dir.c
253 @@ -1601,15 +1601,9 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
254 return NULL;
255 }
256
257 - dirp->dir_path = talloc_strdup(dirp, name);
258 - if (!dirp->dir_path) {
259 - errno = ENOMEM;
260 - goto fail;
261 - }
262 -
263 - dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
264 + dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr);
265 if (!dirp->dir) {
266 - DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
267 + DEBUG(5,("OpenDir: Can't open %s. %s\n", name,
268 strerror(errno) ));
269 goto fail;
270 }
271 @@ -1629,12 +1623,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
272 return NULL;
273 }
274
275 +/****************************************************************************
276 + Open a directory handle by pathname, ensuring it's under the share path.
277 +****************************************************************************/
278 +
279 +static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
280 + connection_struct *conn,
281 + const char *name,
282 + const char *wcard,
283 + uint32_t attr)
284 +{
285 + struct smb_Dir *dir_hnd = NULL;
286 + char *saved_dir = vfs_GetWd(ctx, conn);
287 + NTSTATUS status;
288 +
289 + if (saved_dir == NULL) {
290 + return NULL;
291 + }
292 +
293 + if (vfs_ChDir(conn, name) == -1) {
294 + goto out;
295 + }
296 +
297 + /*
298 + * Now the directory is pinned, use
299 + * REALPATH to ensure we can access it.
300 + */
301 + status = check_name(conn, ".");
302 + if (!NT_STATUS_IS_OK(status)) {
303 + goto out;
304 + }
305 +
306 + dir_hnd = OpenDir_internal(ctx,
307 + conn,
308 + ".",
309 + wcard,
310 + attr);
311 +
312 + if (dir_hnd == NULL) {
313 + goto out;
314 + }
315 +
316 + /*
317 + * OpenDir_internal only gets "." as the dir name.
318 + * Store the real dir name here.
319 + */
320 +
321 + dir_hnd->dir_path = talloc_strdup(dir_hnd, name);
322 + if (!dir_hnd->dir_path) {
323 + errno = ENOMEM;
324 + }
325 +
326 + out:
327 +
328 + vfs_ChDir(conn, saved_dir);
329 + TALLOC_FREE(saved_dir);
330 + return dir_hnd;
331 +}
332 +
333 struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
334 const char *name,
335 const char *mask,
336 uint32_t attr)
337 {
338 - return OpenDir_internal(mem_ctx,
339 + return open_dir_safely(mem_ctx,
340 conn,
341 name,
342 mask,
343 --
344 2.9.3
345
346
347 From 8aece1e0d15bf059daf70259142e8ad35a7658ed Mon Sep 17 00:00:00 2001
348 From: Jeremy Allison <jra@samba.org>
349 Date: Mon, 19 Dec 2016 12:13:20 -0800
350 Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early
351 returns.
352
353 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
354
355 Signed-off-by: Jeremy Allison <jra@samba.org>
356 Reviewed-by: Uri Simchoni <uri@samba.org>
357 ---
358 source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
359 1 file changed, 21 insertions(+), 13 deletions(-)
360
361 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
362 index 39a6e67..ea4f1ab 100644
363 --- a/source3/smbd/dir.c
364 +++ b/source3/smbd/dir.c
365 @@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
366 struct smbd_server_connection *sconn = conn->sconn;
367
368 if (!dirp) {
369 - return NULL;
370 + goto fail;
371 + }
372 +
373 + if (!fsp->is_directory) {
374 + errno = EBADF;
375 + goto fail;
376 + }
377 +
378 + if (fsp->fh->fd == -1) {
379 + errno = EBADF;
380 + goto fail;
381 }
382
383 dirp->conn = conn;
384 @@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
385 }
386 talloc_set_destructor(dirp, smb_Dir_destructor);
387
388 - if (fsp->is_directory && fsp->fh->fd != -1) {
389 - dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
390 - if (dirp->dir != NULL) {
391 - dirp->fsp = fsp;
392 - } else {
393 - DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
394 - "NULL (%s)\n",
395 - dirp->dir_path,
396 - strerror(errno)));
397 - if (errno != ENOSYS) {
398 - return NULL;
399 - }
400 + dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
401 + if (dirp->dir != NULL) {
402 + dirp->fsp = fsp;
403 + } else {
404 + DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
405 + "NULL (%s)\n",
406 + dirp->dir_path,
407 + strerror(errno)));
408 + if (errno != ENOSYS) {
409 + return NULL;
410 }
411 }
412
413 --
414 2.9.3
415
416
417 From 16fa5af1a491c410d4579434b7e9f6e388ea319b Mon Sep 17 00:00:00 2001
418 From: Jeremy Allison <jra@samba.org>
419 Date: Mon, 19 Dec 2016 12:15:59 -0800
420 Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory
421 leak on error.
422
423 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
424
425 Signed-off-by: Jeremy Allison <jra@samba.org>
426 Reviewed-by: Uri Simchoni <uri@samba.org>
427 ---
428 source3/smbd/dir.c | 2 +-
429 1 file changed, 1 insertion(+), 1 deletion(-)
430
431 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
432 index ea4f1ab..b8034be 100644
433 --- a/source3/smbd/dir.c
434 +++ b/source3/smbd/dir.c
435 @@ -1742,7 +1742,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
436 dirp->dir_path,
437 strerror(errno)));
438 if (errno != ENOSYS) {
439 - return NULL;
440 + goto fail;
441 }
442 }
443
444 --
445 2.9.3
446
447
448 From 2c1830915b0b59646503ee4d043fd9176090627f Mon Sep 17 00:00:00 2001
449 From: Jeremy Allison <jra@samba.org>
450 Date: Mon, 19 Dec 2016 12:32:07 -0800
451 Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting
452 and destructor setup to just before retuning success.
453
454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
455
456 Signed-off-by: Jeremy Allison <jra@samba.org>
457 Reviewed-by: Uri Simchoni <uri@samba.org>
458 ---
459 source3/smbd/dir.c | 10 +++++-----
460 1 file changed, 5 insertions(+), 5 deletions(-)
461
462 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
463 index b8034be..6b62f14 100644
464 --- a/source3/smbd/dir.c
465 +++ b/source3/smbd/dir.c
466 @@ -1728,11 +1728,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
467 goto fail;
468 }
469
470 - if (sconn && !sconn->using_smb2) {
471 - sconn->searches.dirhandles_open++;
472 - }
473 - talloc_set_destructor(dirp, smb_Dir_destructor);
474 -
475 dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
476 if (dirp->dir != NULL) {
477 dirp->fsp = fsp;
478 @@ -1757,6 +1752,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
479 goto fail;
480 }
481
482 + if (sconn && !sconn->using_smb2) {
483 + sconn->searches.dirhandles_open++;
484 + }
485 + talloc_set_destructor(dirp, smb_Dir_destructor);
486 +
487 return dirp;
488
489 fail:
490 --
491 2.9.3
492
493
494 From 72bf8c2c2b2c4aff1ac4da52aa087c060ea5eef1 Mon Sep 17 00:00:00 2001
495 From: Jeremy Allison <jra@samba.org>
496 Date: Mon, 19 Dec 2016 12:35:32 -0800
497 Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to
498 open_dir_safely if FDOPENDIR not supported on system.
499
500 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
501
502 Signed-off-by: Jeremy Allison <jra@samba.org>
503 Reviewed-by: Uri Simchoni <uri@samba.org>
504 ---
505 source3/smbd/dir.c | 15 +++++++--------
506 1 file changed, 7 insertions(+), 8 deletions(-)
507
508 diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
509 index 6b62f14..3432788 100644
510 --- a/source3/smbd/dir.c
511 +++ b/source3/smbd/dir.c
512 @@ -1742,14 +1742,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
513 }
514
515 if (dirp->dir == NULL) {
516 - /* FDOPENDIR didn't work. Use OPENDIR instead. */
517 - dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
518 - }
519 -
520 - if (!dirp->dir) {
521 - DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", dirp->dir_path,
522 - strerror(errno) ));
523 - goto fail;
524 + /* FDOPENDIR is not supported. Use OPENDIR instead. */
525 + TALLOC_FREE(dirp);
526 + return open_dir_safely(mem_ctx,
527 + conn,
528 + fsp->fsp_name->base_name,
529 + mask,
530 + attr);
531 }
532
533 if (sconn && !sconn->using_smb2) {
534 --
535 2.9.3
536
537
538 From 015e488ce39e097944acdad7a88a801386d9935b Mon Sep 17 00:00:00 2001
539 From: Jeremy Allison <jra@samba.org>
540 Date: Thu, 15 Dec 2016 12:52:13 -0800
541 Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We
542 insist on O_NOFOLLOW existing.
543
544 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
545
546 Signed-off-by: Jeremy Allison <jra@samba.org>
547 Reviewed-by: Uri Simchoni <uri@samba.org>
548 ---
549 source3/smbd/open.c | 6 +-----
550 1 file changed, 1 insertion(+), 5 deletions(-)
551
552 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
553 index 1c67684..a014b5e 100644
554 --- a/source3/smbd/open.c
555 +++ b/source3/smbd/open.c
556 @@ -363,8 +363,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
557 struct smb_filename *smb_fname = fsp->fsp_name;
558 NTSTATUS status = NT_STATUS_OK;
559
560 -#ifdef O_NOFOLLOW
561 - /*
562 + /*
563 * Never follow symlinks on a POSIX client. The
564 * client should be doing this.
565 */
566 @@ -372,12 +371,10 @@ NTSTATUS fd_open(struct connection_struct *conn,
567 if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) {
568 flags |= O_NOFOLLOW;
569 }
570 -#endif
571
572 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
573 if (fsp->fh->fd == -1) {
574 int posix_errno = errno;
575 -#ifdef O_NOFOLLOW
576 #if defined(ENOTSUP) && defined(OSF1)
577 /* handle special Tru64 errno */
578 if (errno == ENOTSUP) {
579 @@ -394,7 +391,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
580 if (errno == EMLINK) {
581 posix_errno = ELOOP;
582 }
583 -#endif /* O_NOFOLLOW */
584 status = map_nt_error_from_unix(posix_errno);
585 if (errno == EMFILE) {
586 static time_t last_warned = 0L;
587 --
588 2.9.3
589
590
591 From b7199aaa0a4d10dd6b3d2a040e345a209ec0c42f Mon Sep 17 00:00:00 2001
592 From: Jeremy Allison <jra@samba.org>
593 Date: Thu, 15 Dec 2016 12:56:08 -0800
594 Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of
595 symlink errno's into a utility function.
596
597 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
598
599 Signed-off-by: Jeremy Allison <jra@samba.org>
600 Reviewed-by: Uri Simchoni <uri@samba.org>
601 ---
602 source3/smbd/open.c | 43 ++++++++++++++++++++++++++-----------------
603 1 file changed, 26 insertions(+), 17 deletions(-)
604
605 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
606 index a014b5e..b4b77cd 100644
607 --- a/source3/smbd/open.c
608 +++ b/source3/smbd/open.c
609 @@ -352,6 +352,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
610 }
611
612 /****************************************************************************
613 + Handle differing symlink errno's
614 +****************************************************************************/
615 +
616 +static int link_errno_convert(int err)
617 +{
618 +#if defined(ENOTSUP) && defined(OSF1)
619 + /* handle special Tru64 errno */
620 + if (err == ENOTSUP) {
621 + err = ELOOP;
622 + }
623 +#endif /* ENOTSUP */
624 +#ifdef EFTYPE
625 + /* fix broken NetBSD errno */
626 + if (err == EFTYPE) {
627 + err = ELOOP;
628 + }
629 +#endif /* EFTYPE */
630 + /* fix broken FreeBSD errno */
631 + if (err == EMLINK) {
632 + err = ELOOP;
633 + }
634 + return err;
635 +}
636 +
637 +/****************************************************************************
638 fd support routines - attempt to do a dos_open.
639 ****************************************************************************/
640
641 @@ -374,23 +399,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
642
643 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
644 if (fsp->fh->fd == -1) {
645 - int posix_errno = errno;
646 -#if defined(ENOTSUP) && defined(OSF1)
647 - /* handle special Tru64 errno */
648 - if (errno == ENOTSUP) {
649 - posix_errno = ELOOP;
650 - }
651 -#endif /* ENOTSUP */
652 -#ifdef EFTYPE
653 - /* fix broken NetBSD errno */
654 - if (errno == EFTYPE) {
655 - posix_errno = ELOOP;
656 - }
657 -#endif /* EFTYPE */
658 - /* fix broken FreeBSD errno */
659 - if (errno == EMLINK) {
660 - posix_errno = ELOOP;
661 - }
662 + int posix_errno = link_errno_convert(errno);
663 status = map_nt_error_from_unix(posix_errno);
664 if (errno == EMFILE) {
665 static time_t last_warned = 0L;
666 --
667 2.9.3
668
669
670 From eda8d6ed343b32efb7055778b13252842b8c4f61 Mon Sep 17 00:00:00 2001
671 From: Jeremy Allison <jra@samba.org>
672 Date: Thu, 15 Dec 2016 13:04:46 -0800
673 Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to
674 prevent symlink open races.
675
676 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
677
678 Signed-off-by: Jeremy Allison <jra@samba.org>
679 Reviewed-by: Uri Simchoni <uri@samba.org>
680 ---
681 source3/smbd/open.c | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++
682 1 file changed, 237 insertions(+)
683
684 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
685 index b4b77cd..aa5df2c 100644
686 --- a/source3/smbd/open.c
687 +++ b/source3/smbd/open.c
688 @@ -376,6 +376,243 @@ static int link_errno_convert(int err)
689 return err;
690 }
691
692 +static int non_widelink_open(struct connection_struct *conn,
693 + const char *conn_rootdir,
694 + files_struct *fsp,
695 + struct smb_filename *smb_fname,
696 + int flags,
697 + mode_t mode,
698 + unsigned int link_depth);
699 +
700 +/****************************************************************************
701 + Follow a symlink in userspace.
702 +****************************************************************************/
703 +
704 +static int process_symlink_open(struct connection_struct *conn,
705 + const char *conn_rootdir,
706 + files_struct *fsp,
707 + struct smb_filename *smb_fname,
708 + int flags,
709 + mode_t mode,
710 + unsigned int link_depth)
711 +{
712 + int fd = -1;
713 + char *link_target = NULL;
714 + int link_len = -1;
715 + char *oldwd = NULL;
716 + size_t rootdir_len = 0;
717 + char *resolved_name = NULL;
718 + bool matched = false;
719 + int saved_errno = 0;
720 +
721 + /*
722 + * Ensure we don't get stuck in a symlink loop.
723 + */
724 + link_depth++;
725 + if (link_depth >= 20) {
726 + errno = ELOOP;
727 + goto out;
728 + }
729 +
730 + /* Allocate space for the link target. */
731 + link_target = talloc_array(talloc_tos(), char, PATH_MAX);
732 + if (link_target == NULL) {
733 + errno = ENOMEM;
734 + goto out;
735 + }
736 +
737 + /* Read the link target. */
738 + link_len = SMB_VFS_READLINK(conn,
739 + smb_fname->base_name,
740 + link_target,
741 + PATH_MAX - 1);
742 + if (link_len == -1) {
743 + goto out;
744 + }
745 +
746 + /* Ensure it's at least null terminated. */
747 + link_target[link_len] = '\0';
748 +
749 + /* Convert to an absolute path. */
750 + resolved_name = SMB_VFS_REALPATH(conn, link_target);
751 + if (resolved_name == NULL) {
752 + goto out;
753 + }
754 +
755 + /*
756 + * We know conn_rootdir starts with '/' and
757 + * does not end in '/'. FIXME ! Should we
758 + * smb_assert this ?
759 + */
760 + rootdir_len = strlen(conn_rootdir);
761 +
762 + matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
763 + if (!matched) {
764 + errno = EACCES;
765 + goto out;
766 + }
767 +
768 + /*
769 + * Turn into a path relative to the share root.
770 + */
771 + if (resolved_name[rootdir_len] == '\0') {
772 + /* Link to the root of the share. */
773 + smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
774 + if (smb_fname->base_name == NULL) {
775 + errno = ENOMEM;
776 + goto out;
777 + }
778 + } else if (resolved_name[rootdir_len] == '/') {
779 + smb_fname->base_name = &resolved_name[rootdir_len+1];
780 + } else {
781 + errno = EACCES;
782 + goto out;
783 + }
784 +
785 + oldwd = vfs_GetWd(talloc_tos(), conn);
786 + if (oldwd == NULL) {
787 + goto out;
788 + }
789 +
790 + /* Ensure we operate from the root of the share. */
791 + if (vfs_ChDir(conn, conn_rootdir) == -1) {
792 + goto out;
793 + }
794 +
795 + /* And do it all again.. */
796 + fd = non_widelink_open(conn,
797 + conn_rootdir,
798 + fsp,
799 + smb_fname,
800 + flags,
801 + mode,
802 + link_depth);
803 + if (fd == -1) {
804 + saved_errno = errno;
805 + }
806 +
807 + out:
808 +
809 + SAFE_FREE(resolved_name);
810 + TALLOC_FREE(link_target);
811 + if (oldwd != NULL) {
812 + int ret = vfs_ChDir(conn, oldwd);
813 + if (ret == -1) {
814 + smb_panic("unable to get back to old directory\n");
815 + }
816 + TALLOC_FREE(oldwd);
817 + }
818 + if (saved_errno != 0) {
819 + errno = saved_errno;
820 + }
821 + return fd;
822 +}
823 +
824 +/****************************************************************************
825 + Non-widelink open.
826 +****************************************************************************/
827 +
828 +static int non_widelink_open(struct connection_struct *conn,
829 + const char *conn_rootdir,
830 + files_struct *fsp,
831 + struct smb_filename *smb_fname,
832 + int flags,
833 + mode_t mode,
834 + unsigned int link_depth)
835 +{
836 + NTSTATUS status;
837 + int fd = -1;
838 + struct smb_filename *smb_fname_rel = NULL;
839 + int saved_errno = 0;
840 + char *oldwd = NULL;
841 + char *parent_dir = NULL;
842 + const char *final_component = NULL;
843 +
844 + if (!parent_dirname(talloc_tos(),
845 + smb_fname->base_name,
846 + &parent_dir,
847 + &final_component)) {
848 + goto out;
849 + }
850 +
851 + oldwd = vfs_GetWd(talloc_tos(), conn);
852 + if (oldwd == NULL) {
853 + goto out;
854 + }
855 +
856 + /* Pin parent directory in place. */
857 + if (vfs_ChDir(conn, parent_dir) == -1) {
858 + goto out;
859 + }
860 +
861 + /* Ensure the relative path is below the share. */
862 + status = check_reduced_name(conn, final_component);
863 + if (!NT_STATUS_IS_OK(status)) {
864 + saved_errno = map_errno_from_nt_status(status);
865 + goto out;
866 + }
867 +
868 + smb_fname_rel = synthetic_smb_fname(talloc_tos(),
869 + final_component,
870 + smb_fname->stream_name,
871 + &smb_fname->st);
872 +
873 + flags |= O_NOFOLLOW;
874 +
875 + {
876 + struct smb_filename *tmp_name = fsp->fsp_name;
877 + fsp->fsp_name = smb_fname_rel;
878 + fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
879 + fsp->fsp_name = tmp_name;
880 + }
881 +
882 + if (fd == -1) {
883 + saved_errno = link_errno_convert(errno);
884 + if (saved_errno == ELOOP) {
885 + if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
886 + /* Never follow symlinks on posix open. */
887 + goto out;
888 + }
889 + if (!lp_follow_symlinks(SNUM(conn))) {
890 + /* Explicitly no symlinks. */
891 + goto out;
892 + }
893 + /*
894 + * We have a symlink. Follow in userspace
895 + * to ensure it's under the share definition.
896 + */
897 + fd = process_symlink_open(conn,
898 + conn_rootdir,
899 + fsp,
900 + smb_fname_rel,
901 + flags,
902 + mode,
903 + link_depth);
904 + if (fd == -1) {
905 + saved_errno =
906 + link_errno_convert(errno);
907 + }
908 + }
909 + }
910 +
911 + out:
912 +
913 + TALLOC_FREE(parent_dir);
914 + TALLOC_FREE(smb_fname_rel);
915 +
916 + if (oldwd != NULL) {
917 + int ret = vfs_ChDir(conn, oldwd);
918 + if (ret == -1) {
919 + smb_panic("unable to get back to old directory\n");
920 + }
921 + TALLOC_FREE(oldwd);
922 + }
923 + if (saved_errno != 0) {
924 + errno = saved_errno;
925 + }
926 + return fd;
927 +}
928 +
929 /****************************************************************************
930 fd support routines - attempt to do a dos_open.
931 ****************************************************************************/
932 --
933 2.9.3
934
935
936 From 81094d0c7519936b08d22efc22ba78e5bab24cd1 Mon Sep 17 00:00:00 2001
937 From: Jeremy Allison <jra@samba.org>
938 Date: Thu, 15 Dec 2016 13:06:31 -0800
939 Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new
940 non_widelink_open() function.
941
942 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
943
944 Signed-off-by: Jeremy Allison <jra@samba.org>
945 Reviewed-by: Uri Simchoni <uri@samba.org>
946 ---
947 source3/smbd/open.c | 23 ++++++++++++++++++++++-
948 1 file changed, 22 insertions(+), 1 deletion(-)
949
950 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
951 index aa5df2c..0b66487 100644
952 --- a/source3/smbd/open.c
953 +++ b/source3/smbd/open.c
954 @@ -634,7 +634,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
955 flags |= O_NOFOLLOW;
956 }
957
958 - fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
959 + /* Ensure path is below share definition. */
960 + if (!lp_widelinks(SNUM(conn))) {
961 + const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
962 + smb_fname->base_name);
963 + if (conn_rootdir == NULL) {
964 + return NT_STATUS_NO_MEMORY;
965 + }
966 + /*
967 + * Only follow symlinks within a share
968 + * definition.
969 + */
970 + fsp->fh->fd = non_widelink_open(conn,
971 + conn_rootdir,
972 + fsp,
973 + smb_fname,
974 + flags,
975 + mode,
976 + 0);
977 + } else {
978 + fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
979 + }
980 +
981 if (fsp->fh->fd == -1) {
982 int posix_errno = link_errno_convert(errno);
983 status = map_nt_error_from_unix(posix_errno);
984 --
985 2.9.3
986

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed