From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hyunchul Lee, Steve French, Mickaël Salaün, "Christian Brauner (Microsoft)", Namjae Jeon, Steve French
Subject: [PATCH 6.0 116/862] ksmbd: Fix user namespace mapping
Date: Wed, 19 Oct 2022 10:23:23 +0200
Message-Id: <20221019083255.053626341@linuxfoundation.org>

From: Mickaël Salaün

commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 upstream.

A kernel daemon should not rely on the current thread, which is unknown and might be malicious. Before this security fix, ksmbd_override_fsids() didn't correctly override FS UID/GID which means that arbitrary user space threads could trick the kernel to impersonate arbitrary users or groups for file system access checks, leading to file system access bypass.

This was found while investigating truncate support for Landlock:
https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Hyunchul Lee
Cc: Steve French
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net
Acked-by: Christian Brauner (Microsoft)
Acked-by: Namjae Jeon
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb_common.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -4,6 +4,8 @@ * Copyright (C) 2018 Namjae Jeon */ +#include + #include "smb_common.h" #include "server.h" #include "misc.h" @@ -625,8 +627,8 @@ int ksmbd_override_fsids(struct ksmbd_wo if (!cred) return -ENOMEM; - cred->fsuid = make_kuid(current_user_ns(), uid); - cred->fsgid = make_kgid(current_user_ns(), gid); + cred->fsuid = make_kuid(&init_user_ns, uid); + cred->fsgid = make_kgid(&init_user_ns, gid); gi = groups_alloc(0); if (!gi) {
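Review bot: In ksmbd_override_fsids(), the two new assignments to cred->fsuid and cred->fsgid have no comment recording why the mapping uses &init_user_ns rather than current_user_ns(), so the rationale lives only in the commit message. A one-line comment above them, stating that this runs in a kernel daemon context where the calling thread's user namespace must not be trusted, would make it harder for a later cleanup to reintroduce current_user_ns(). Separately, the visible lines store the results of make_kuid() and make_kgid() straight into the cred and move on to groups_alloc(0) with no validity check in between; consider rejecting the request when uid_valid(cred->fsuid) or gid_valid(cred->fsgid) is false, so that an out-of-range uid or gid value fails the override instead of being installed as an invalid ID.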