From patchwork Thu Oct 3 22:38:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve French X-Patchwork-Id: 11173479 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4D5276 for ; Thu, 3 Oct 2019 22:39:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C2F222086A for ; Thu, 3 Oct 2019 22:39:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VuXotxnb" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728531AbfJCWjB (ORCPT ); Thu, 3 Oct 2019 18:39:01 -0400 Received: from mail-io1-f45.google.com ([209.85.166.45]:41673 "EHLO mail-io1-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727302AbfJCWjB (ORCPT ); Thu, 3 Oct 2019 18:39:01 -0400 Received: by mail-io1-f45.google.com with SMTP id n26so9275350ioj.8; Thu, 03 Oct 2019 15:38:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=xfQsyRrCq1AzCVJLTgc7JdY4HG0z0X5Xs7b59g9+I5Q=; b=VuXotxnbCf9TOWbMIlo9KTk2/qnDyjDImJuSKpp55BJaMSxGjncZ7teSLawu638w4a fWSFxEUNfxSXEEb90YHaLvNYfxJ8Y+lNLqmbXa8dEY1hdTntHtkM4koVSZI9i7Gcmpcf oSWje2RRqeJ+8dkIAJa8bfSlhNFWqoNnbcIOczpAKldSq+gV3vs0g1XbGVV2i6exrFKL OlIuQFlPAyu7Hn8ZQQGHhMu2Pv9VASYfzufHaoi2TGeSyBP/Etq5VnNpACqyH+YcZ0ju U7XDqiDf0dxGc84gyo8Jvps0w1i3bxWremBRsWnJE64ew62TU56/oxWSAvm5GzAEhwFG 9/fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=xfQsyRrCq1AzCVJLTgc7JdY4HG0z0X5Xs7b59g9+I5Q=; b=dYF/n+qX9W7esWDInO5psRT489H2Ir7PFN31ZppOg/mf0nknPe0IWQMSy2F9TPYM6F kewPNGgk4NQy+aufRdQaGT0GZgE40sS2QtpnrdGRrHhvkPZt0ImW7AkBiOSaDpzCpPhf yewqzvR1QIGKwviXSG7iyu0HK9IH58Wk1jZu7goZBvnyW+1Gpp42nkFHNJDOEdyMG3NI /8zeF/59ZL26e7hx2qYjHcoi8s9zmUCU7ZkFbKEkUiYja0dyZUFj8bSRJyWG7F8heAtE e4rNpDJf+XsibAOAWJ8NGoEyTVvy72nUj3V9+Vzcbz7diMIygQOEZVp2doHsD6wmr1pA hqyA== X-Gm-Message-State: APjAAAVYKwbMR9on7yKdSCI0DGuMhcfM0N7wsjZWqpsdG5gwFjNiSdMx NqfrRa8oTg1vnjCCMQ7C8uVQa0wMH2RHAxB9QE7RjcHgvZI= X-Google-Smtp-Source: APXvYqzyxST3QfOn+yWV2/V9aaKbk7QFjbjDBk7Jxtb6owfp0tIs7k4UziWStbXMfx/5Gl++U8VGXOV8Bws7+69nKrE= X-Received: by 2002:a92:c00d:: with SMTP id q13mr12838884ild.169.1570142338347; Thu, 03 Oct 2019 15:38:58 -0700 (PDT) MIME-Version: 1.0 From: Steve French Date: Thu, 3 Oct 2019 17:38:47 -0500 Message-ID: Subject: To: CIFS , linux-fsdevel , samba Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Haven't heard anything recently on this (although something similar was apparently discussed last month on various other mailing lists) so posting Aurelien's patch for external review/comments before deciding whether to put in cifs's for-next branch. One question is whether the check should (only) be done at the higher (VFS) layer, but if ok to check at (potentially both the layer above, the VFS and ) the individual fs level, I would prefer to get this patch or something similar in pretty soon into cifs.ko. Although cifs.ko is probably less at risk due to signing and encryption - the idea seems fine to protect against / in path components. [PATCH] cifs: do not accept filenames containing dir separators Check for / in all connection types and additionally check for \ in non-posix paths connections. By returning early we do not add this directory entry via dir_emits(), essentially skipping it. Since the code relies on ctx->pos being incremented regardless of errors, we return 0. This fix addresses CVE-2019-10220. Link: https://bugzilla.samba.org/show_bug.cgi?id=14072 CC: Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Aurelien Aptel Signed-off-by: Steve French --- fs/cifs/readdir.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) cifs_unix_basic_to_fattr(&fattr, From 66eb352a709af18134489f1727c2404dd0e7b033 Mon Sep 17 00:00:00 2001 From: Aurelien Aptel Date: Thu, 8 Aug 2019 18:42:17 +0200 Subject: [PATCH] cifs: do not accept filenames containing dir separators Check for / in all connection types and additionally check for \ in non-posix paths connections. By returning early we do not add this directory entry via dir_emits(), essentially skipping it. Since the code relies on ctx->pos being incremented regardless of errors, we return 0. This fix addresses CVE-2019-10220. Link: https://bugzilla.samba.org/show_bug.cgi?id=14072 CC: Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Aurelien Aptel Signed-off-by: Steve French --- fs/cifs/readdir.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c index 3925a7bfc74d..30d69a9d3e94 100644 --- a/fs/cifs/readdir.c +++ b/fs/cifs/readdir.c @@ -744,6 +744,20 @@ static int cifs_filldir(char *find_entry, struct file *file, name.len = de.namelen; } + /* + * Regardless of connection type, / is always forbidden + * IFF we use normal windows paths then \ is forbidden + */ + + if (strnchr(name.name, name.len, '/') + || (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) + && strnchr(name.name, name.len, '\\'))) { + cifs_dbg(VFS, "server returned name containing dir separator"); + /* skip this entry for next readdir() interaction */ + file_info->srch_inf.entries_in_buffer--; + return 0; + } + switch (file_info->srch_inf.info_level) { case SMB_FIND_FILE_UNIX: cifs_unix_basic_to_fattr(&fattr, -- 2.20.1