Univention Bugzilla – Attachment 8592 Details for
Bug 43678
Samba: Multiple issues (4.1)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2017-2619-v45.patch
CVE-2017-2619-v45.patch (text/plain), 28.17 KB, created by
Arvid Requate
on 2017-03-20 14:51 CET
(
hide
)
Description:
CVE-2017-2619-v45.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2017-03-20 14:51 CET
Size:
28.17 KB
patch
obsolete
>From a863a6c430977a44c63c3c115365534c1d76ba9f Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Sun, 19 Mar 2017 15:58:17 +0100 >Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after > dptr_CloseDir() > >dptr_CloseDir() will close and invalidate the fsp's file descriptor, we >have to reopen it. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > >diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c >index e18a279..2af029b 100644 >--- a/source3/smbd/smb2_query_directory.c >+++ b/source3/smbd/smb2_query_directory.c >@@ -24,6 +24,7 @@ > #include "../libcli/smb/smb_common.h" > #include "trans2.h" > #include "../lib/util/tevent_ntstatus.h" >+#include "system/filesys.h" > > static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, > struct tevent_context *ev, >@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, > } > > if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) { >+ int flags; >+ > dptr_CloseDir(fsp); >+ >+ /* >+ * dptr_CloseDir() will close and invalidate the fsp's file >+ * descriptor, we have to reopen it. >+ */ >+ >+ flags = O_RDONLY; >+#ifdef O_DIRECTORY >+ flags |= O_DIRECTORY; >+#endif >+ status = fd_open(conn, fsp, flags, 0); >+ if (tevent_req_nterror(req, status)) { >+ return tevent_req_post(req, ev); >+ } > } > > if (!smbreq->posix_pathnames) { >-- >2.9.3 > > >From 9615ae174b79b577c502109a6a786cd7a0eba9b4 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Sun, 19 Mar 2017 18:52:10 +0100 >Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with > SMB2_CONTINUE_FLAG_REOPEN flag > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source4/torture/smb2/dir.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > >diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c >index 98844b4..db8e456 100644 >--- a/source4/torture/smb2/dir.c >+++ b/source4/torture/smb2/dir.c >@@ -674,7 +674,7 @@ bool fill_result(void *private_data, > return true; > } > >-enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART}; >+enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN}; > > static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, > TALLOC_CTX *tctx, >@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, > > /* The search should start from the beginning everytime */ > f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; >+ if (cont_type == CONT_REOPEN) { >+ f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN; >+ } > > do { > status = smb2_find_level(tree, tree, &f, &count, &d); >@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx, > {"SMB2_FIND_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_SINGLE}, > {"SMB2_FIND_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_INDEX}, > {"SMB2_FIND_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_RESTART}, >+ {"SMB2_FIND_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_REOPEN}, > {"SMB2_FIND_DIRECTORY_INFO", "SINGLE", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_SINGLE}, > {"SMB2_FIND_DIRECTORY_INFO", "INDEX", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_INDEX}, > {"SMB2_FIND_DIRECTORY_INFO", "RESTART", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_RESTART}, >+ {"SMB2_FIND_DIRECTORY_INFO", "REOPEN", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_REOPEN}, > {"SMB2_FIND_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_SINGLE}, > {"SMB2_FIND_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_INDEX}, > {"SMB2_FIND_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_RESTART}, >+ {"SMB2_FIND_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_REOPEN}, > {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE}, > {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX}, > {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART}, >+ {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN}, > {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE}, > {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX}, >- {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART} >+ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}, >+ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN}, > }; > > smb2_deltree(tree, DNAME); >-- >2.9.3 > > >From 5abff7718164ab21398211cb60824a65514ef36d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 11:55:56 -0800 >Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for > OpenDir in preparation for making robust. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 3c6f000..b22d92d 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1630,7 +1630,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp) > Open a directory. > ********************************************************************/ > >-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, >+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, >+ connection_struct *conn, > const struct smb_filename *smb_dname, > const char *mask, > uint32_t attr) >@@ -1672,6 +1673,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, > return NULL; > } > >+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, >+ const struct smb_filename *smb_dname, >+ const char *mask, >+ uint32_t attr) >+{ >+ return OpenDir_internal(mem_ctx, >+ conn, >+ smb_dname, >+ mask, >+ attr); >+} >+ > /******************************************************************* > Open a directory from an fsp. > ********************************************************************/ >-- >2.9.3 > > >From 8cbf7ff9e8ab3bfa765355ef292aed2d6e735378 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 16:25:26 -0800 >Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early > return if SMB_VFS_OPENDIR failed. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 18 +++++++++--------- > 1 file changed, 9 insertions(+), 9 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index b22d92d..a5d172a 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1643,6 +1643,15 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, > return NULL; > } > >+ dirp->dir = SMB_VFS_OPENDIR(conn, smb_dname, mask, attr); >+ >+ if (!dirp->dir) { >+ DEBUG(5,("OpenDir: Can't open %s. %s\n", >+ smb_dname->base_name, >+ strerror(errno) )); >+ goto fail; >+ } >+ > dirp->conn = conn; > dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); > >@@ -1657,15 +1666,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, > } > talloc_set_destructor(dirp, smb_Dir_destructor); > >- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_smb_fname, mask, attr); >- >- if (!dirp->dir) { >- DEBUG(5,("OpenDir: Can't open %s. %s\n", >- dirp->dir_smb_fname->base_name, >- strerror(errno) )); >- goto fail; >- } >- > return dirp; > > fail: >-- >2.9.3 > > >From 421e6b8d3365cd4b5bb415eb2afc159f6f152c9e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 16:35:00 -0800 >Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use > open_dir_safely(). Use from OpenDir(). > >Hardens OpenDir against TOC/TOU races. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++----- > 1 file changed, 70 insertions(+), 7 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index a5d172a..2b107a9 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1655,12 +1655,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, > dirp->conn = conn; > dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); > >- dirp->dir_smb_fname = cp_smb_filename(dirp, smb_dname); >- if (!dirp->dir_smb_fname) { >- errno = ENOMEM; >- goto fail; >- } >- > if (sconn && !sconn->using_smb2) { > sconn->searches.dirhandles_open++; > } >@@ -1673,12 +1667,81 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, > return NULL; > } > >+/**************************************************************************** >+ Open a directory handle by pathname, ensuring it's under the share path. >+****************************************************************************/ >+ >+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx, >+ connection_struct *conn, >+ const struct smb_filename *smb_dname, >+ const char *wcard, >+ uint32_t attr) >+{ >+ struct smb_Dir *dir_hnd = NULL; >+ struct smb_filename *smb_fname_cwd = NULL; >+ char *saved_dir = vfs_GetWd(ctx, conn); >+ NTSTATUS status; >+ >+ if (saved_dir == NULL) { >+ return NULL; >+ } >+ >+ if (vfs_ChDir(conn, smb_dname->base_name) == -1) { >+ goto out; >+ } >+ >+ smb_fname_cwd = synthetic_smb_fname(talloc_tos(), >+ ".", >+ NULL, >+ NULL, >+ smb_dname->flags); >+ if (smb_fname_cwd == NULL) { >+ goto out; >+ } >+ >+ /* >+ * Now the directory is pinned, use >+ * REALPATH to ensure we can access it. >+ */ >+ status = check_name(conn, "."); >+ if (!NT_STATUS_IS_OK(status)) { >+ goto out; >+ } >+ >+ dir_hnd = OpenDir_internal(ctx, >+ conn, >+ smb_fname_cwd, >+ wcard, >+ attr); >+ >+ if (dir_hnd == NULL) { >+ goto out; >+ } >+ >+ /* >+ * OpenDir_internal only gets "." as the dir name. >+ * Store the real dir name here. >+ */ >+ >+ dir_hnd->dir_smb_fname = cp_smb_filename(dir_hnd, smb_dname); >+ if (!dir_hnd->dir_smb_fname) { >+ TALLOC_FREE(dir_hnd); >+ errno = ENOMEM; >+ } >+ >+ out: >+ >+ vfs_ChDir(conn, saved_dir); >+ TALLOC_FREE(saved_dir); >+ return dir_hnd; >+} >+ > struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, > const struct smb_filename *smb_dname, > const char *mask, > uint32_t attr) > { >- return OpenDir_internal(mem_ctx, >+ return open_dir_safely(mem_ctx, > conn, > smb_dname, > mask, >-- >2.9.3 > > >From 075229ed491cb478a27a8210b86bad9af4f223fd Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 12:13:20 -0800 >Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early > returns. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 34 +++++++++++++++++++++------------- > 1 file changed, 21 insertions(+), 13 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 2b107a9..12edf80 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1761,7 +1761,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > struct smbd_server_connection *sconn = conn->sconn; > > if (!dirp) { >- return NULL; >+ goto fail; >+ } >+ >+ if (!fsp->is_directory) { >+ errno = EBADF; >+ goto fail; >+ } >+ >+ if (fsp->fh->fd == -1) { >+ errno = EBADF; >+ goto fail; > } > > dirp->conn = conn; >@@ -1778,18 +1788,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > } > talloc_set_destructor(dirp, smb_Dir_destructor); > >- if (fsp->is_directory && fsp->fh->fd != -1) { >- dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); >- if (dirp->dir != NULL) { >- dirp->fsp = fsp; >- } else { >- DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " >- "NULL (%s)\n", >- dirp->dir_smb_fname->base_name, >- strerror(errno))); >- if (errno != ENOSYS) { >- return NULL; >- } >+ dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); >+ if (dirp->dir != NULL) { >+ dirp->fsp = fsp; >+ } else { >+ DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " >+ "NULL (%s)\n", >+ dirp->dir_smb_fname->base_name, >+ strerror(errno))); >+ if (errno != ENOSYS) { >+ return NULL; > } > } > >-- >2.9.3 > > >From 1d4810ede5aacd2b53ae5936e48a40811103c222 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 12:15:59 -0800 >Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory > leak on error. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 12edf80..42e787b 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1797,7 +1797,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > dirp->dir_smb_fname->base_name, > strerror(errno))); > if (errno != ENOSYS) { >- return NULL; >+ goto fail; > } > } > >-- >2.9.3 > > >From ae9398a104e7df91356198708165c3d48df16be2 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 12:32:07 -0800 >Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting > and destructor setup to just before retuning success. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 42e787b..2fd5085 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1783,11 +1783,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > goto fail; > } > >- if (sconn && !sconn->using_smb2) { >- sconn->searches.dirhandles_open++; >- } >- talloc_set_destructor(dirp, smb_Dir_destructor); >- > dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); > if (dirp->dir != NULL) { > dirp->fsp = fsp; >@@ -1816,6 +1811,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > goto fail; > } > >+ if (sconn && !sconn->using_smb2) { >+ sconn->searches.dirhandles_open++; >+ } >+ talloc_set_destructor(dirp, smb_Dir_destructor); >+ > return dirp; > > fail: >-- >2.9.3 > > >From 112f3faaf9854e4837ef9cf3a04a790b01a527b6 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 19 Dec 2016 12:35:32 -0800 >Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to > open_dir_safely if FDOPENDIR not supported on system. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/dir.c | 15 +++++---------- > 1 file changed, 5 insertions(+), 10 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 2fd5085..1348d12 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1797,20 +1797,15 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, > } > > if (dirp->dir == NULL) { >- /* FDOPENDIR didn't work. Use OPENDIR instead. */ >- dirp->dir = SMB_VFS_OPENDIR(conn, >- dirp->dir_smb_fname, >+ /* FDOPENDIR is not supported. Use OPENDIR instead. */ >+ TALLOC_FREE(dirp); >+ return open_dir_safely(mem_ctx, >+ conn, >+ fsp->fsp_name, > mask, > attr); > } > >- if (!dirp->dir) { >- DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", >- dirp->dir_smb_fname->base_name, >- strerror(errno) )); >- goto fail; >- } >- > if (sconn && !sconn->using_smb2) { > sconn->searches.dirhandles_open++; > } >-- >2.9.3 > > >From abb23d35ce6d49545fe5fe07fc4e98e8660bc71e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Dec 2016 12:52:13 -0800 >Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We > insist on O_NOFOLLOW existing. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/open.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index f0a68c9..9828c99 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -366,8 +366,7 @@ NTSTATUS fd_open(struct connection_struct *conn, > struct smb_filename *smb_fname = fsp->fsp_name; > NTSTATUS status = NT_STATUS_OK; > >-#ifdef O_NOFOLLOW >- /* >+ /* > * Never follow symlinks on a POSIX client. The > * client should be doing this. > */ >@@ -375,12 +374,10 @@ NTSTATUS fd_open(struct connection_struct *conn, > if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) { > flags |= O_NOFOLLOW; > } >-#endif > > fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); > if (fsp->fh->fd == -1) { > int posix_errno = errno; >-#ifdef O_NOFOLLOW > #if defined(ENOTSUP) && defined(OSF1) > /* handle special Tru64 errno */ > if (errno == ENOTSUP) { >@@ -397,7 +394,6 @@ NTSTATUS fd_open(struct connection_struct *conn, > if (errno == EMLINK) { > posix_errno = ELOOP; > } >-#endif /* O_NOFOLLOW */ > status = map_nt_error_from_unix(posix_errno); > if (errno == EMFILE) { > static time_t last_warned = 0L; >-- >2.9.3 > > >From a0c258f6da51caf767ed50a5f97eb1e3e2f87b18 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Dec 2016 12:56:08 -0800 >Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of > symlink errno's into a utility function. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/open.c | 43 ++++++++++++++++++++++++++----------------- > 1 file changed, 26 insertions(+), 17 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index 9828c99..a72b483 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -355,6 +355,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn, > } > > /**************************************************************************** >+ Handle differing symlink errno's >+****************************************************************************/ >+ >+static int link_errno_convert(int err) >+{ >+#if defined(ENOTSUP) && defined(OSF1) >+ /* handle special Tru64 errno */ >+ if (err == ENOTSUP) { >+ err = ELOOP; >+ } >+#endif /* ENOTSUP */ >+#ifdef EFTYPE >+ /* fix broken NetBSD errno */ >+ if (err == EFTYPE) { >+ err = ELOOP; >+ } >+#endif /* EFTYPE */ >+ /* fix broken FreeBSD errno */ >+ if (err == EMLINK) { >+ err = ELOOP; >+ } >+ return err; >+} >+ >+/**************************************************************************** > fd support routines - attempt to do a dos_open. > ****************************************************************************/ > >@@ -377,23 +402,7 @@ NTSTATUS fd_open(struct connection_struct *conn, > > fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); > if (fsp->fh->fd == -1) { >- int posix_errno = errno; >-#if defined(ENOTSUP) && defined(OSF1) >- /* handle special Tru64 errno */ >- if (errno == ENOTSUP) { >- posix_errno = ELOOP; >- } >-#endif /* ENOTSUP */ >-#ifdef EFTYPE >- /* fix broken NetBSD errno */ >- if (errno == EFTYPE) { >- posix_errno = ELOOP; >- } >-#endif /* EFTYPE */ >- /* fix broken FreeBSD errno */ >- if (errno == EMLINK) { >- posix_errno = ELOOP; >- } >+ int posix_errno = link_errno_convert(errno); > status = map_nt_error_from_unix(posix_errno); > if (errno == EMFILE) { > static time_t last_warned = 0L; >-- >2.9.3 > > >From 1d03b8420bf201c2edcebcb165d2483549a5ab46 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Dec 2016 13:04:46 -0800 >Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to > prevent symlink open races. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/open.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 238 insertions(+) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index a72b483..d628d0b 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -379,6 +379,244 @@ static int link_errno_convert(int err) > return err; > } > >+static int non_widelink_open(struct connection_struct *conn, >+ const char *conn_rootdir, >+ files_struct *fsp, >+ struct smb_filename *smb_fname, >+ int flags, >+ mode_t mode, >+ unsigned int link_depth); >+ >+/**************************************************************************** >+ Follow a symlink in userspace. >+****************************************************************************/ >+ >+static int process_symlink_open(struct connection_struct *conn, >+ const char *conn_rootdir, >+ files_struct *fsp, >+ struct smb_filename *smb_fname, >+ int flags, >+ mode_t mode, >+ unsigned int link_depth) >+{ >+ int fd = -1; >+ char *link_target = NULL; >+ int link_len = -1; >+ char *oldwd = NULL; >+ size_t rootdir_len = 0; >+ char *resolved_name = NULL; >+ bool matched = false; >+ int saved_errno = 0; >+ >+ /* >+ * Ensure we don't get stuck in a symlink loop. >+ */ >+ link_depth++; >+ if (link_depth >= 20) { >+ errno = ELOOP; >+ goto out; >+ } >+ >+ /* Allocate space for the link target. */ >+ link_target = talloc_array(talloc_tos(), char, PATH_MAX); >+ if (link_target == NULL) { >+ errno = ENOMEM; >+ goto out; >+ } >+ >+ /* Read the link target. */ >+ link_len = SMB_VFS_READLINK(conn, >+ smb_fname->base_name, >+ link_target, >+ PATH_MAX - 1); >+ if (link_len == -1) { >+ goto out; >+ } >+ >+ /* Ensure it's at least null terminated. */ >+ link_target[link_len] = '\0'; >+ >+ /* Convert to an absolute path. */ >+ resolved_name = SMB_VFS_REALPATH(conn, link_target); >+ if (resolved_name == NULL) { >+ goto out; >+ } >+ >+ /* >+ * We know conn_rootdir starts with '/' and >+ * does not end in '/'. FIXME ! Should we >+ * smb_assert this ? >+ */ >+ rootdir_len = strlen(conn_rootdir); >+ >+ matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); >+ if (!matched) { >+ errno = EACCES; >+ goto out; >+ } >+ >+ /* >+ * Turn into a path relative to the share root. >+ */ >+ if (resolved_name[rootdir_len] == '\0') { >+ /* Link to the root of the share. */ >+ smb_fname->base_name = talloc_strdup(talloc_tos(), "."); >+ if (smb_fname->base_name == NULL) { >+ errno = ENOMEM; >+ goto out; >+ } >+ } else if (resolved_name[rootdir_len] == '/') { >+ smb_fname->base_name = &resolved_name[rootdir_len+1]; >+ } else { >+ errno = EACCES; >+ goto out; >+ } >+ >+ oldwd = vfs_GetWd(talloc_tos(), conn); >+ if (oldwd == NULL) { >+ goto out; >+ } >+ >+ /* Ensure we operate from the root of the share. */ >+ if (vfs_ChDir(conn, conn_rootdir) == -1) { >+ goto out; >+ } >+ >+ /* And do it all again.. */ >+ fd = non_widelink_open(conn, >+ conn_rootdir, >+ fsp, >+ smb_fname, >+ flags, >+ mode, >+ link_depth); >+ if (fd == -1) { >+ saved_errno = errno; >+ } >+ >+ out: >+ >+ SAFE_FREE(resolved_name); >+ TALLOC_FREE(link_target); >+ if (oldwd != NULL) { >+ int ret = vfs_ChDir(conn, oldwd); >+ if (ret == -1) { >+ smb_panic("unable to get back to old directory\n"); >+ } >+ TALLOC_FREE(oldwd); >+ } >+ if (saved_errno != 0) { >+ errno = saved_errno; >+ } >+ return fd; >+} >+ >+/**************************************************************************** >+ Non-widelink open. >+****************************************************************************/ >+ >+static int non_widelink_open(struct connection_struct *conn, >+ const char *conn_rootdir, >+ files_struct *fsp, >+ struct smb_filename *smb_fname, >+ int flags, >+ mode_t mode, >+ unsigned int link_depth) >+{ >+ NTSTATUS status; >+ int fd = -1; >+ struct smb_filename *smb_fname_rel = NULL; >+ int saved_errno = 0; >+ char *oldwd = NULL; >+ char *parent_dir = NULL; >+ const char *final_component = NULL; >+ >+ if (!parent_dirname(talloc_tos(), >+ smb_fname->base_name, >+ &parent_dir, >+ &final_component)) { >+ goto out; >+ } >+ >+ oldwd = vfs_GetWd(talloc_tos(), conn); >+ if (oldwd == NULL) { >+ goto out; >+ } >+ >+ /* Pin parent directory in place. */ >+ if (vfs_ChDir(conn, parent_dir) == -1) { >+ goto out; >+ } >+ >+ /* Ensure the relative path is below the share. */ >+ status = check_reduced_name(conn, final_component); >+ if (!NT_STATUS_IS_OK(status)) { >+ saved_errno = map_errno_from_nt_status(status); >+ goto out; >+ } >+ >+ smb_fname_rel = synthetic_smb_fname(talloc_tos(), >+ final_component, >+ smb_fname->stream_name, >+ &smb_fname->st, >+ smb_fname->flags); >+ >+ flags |= O_NOFOLLOW; >+ >+ { >+ struct smb_filename *tmp_name = fsp->fsp_name; >+ fsp->fsp_name = smb_fname_rel; >+ fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode); >+ fsp->fsp_name = tmp_name; >+ } >+ >+ if (fd == -1) { >+ saved_errno = link_errno_convert(errno); >+ if (saved_errno == ELOOP) { >+ if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { >+ /* Never follow symlinks on posix open. */ >+ goto out; >+ } >+ if (!lp_follow_symlinks(SNUM(conn))) { >+ /* Explicitly no symlinks. */ >+ goto out; >+ } >+ /* >+ * We have a symlink. Follow in userspace >+ * to ensure it's under the share definition. >+ */ >+ fd = process_symlink_open(conn, >+ conn_rootdir, >+ fsp, >+ smb_fname_rel, >+ flags, >+ mode, >+ link_depth); >+ if (fd == -1) { >+ saved_errno = >+ link_errno_convert(errno); >+ } >+ } >+ } >+ >+ out: >+ >+ TALLOC_FREE(parent_dir); >+ TALLOC_FREE(smb_fname_rel); >+ >+ if (oldwd != NULL) { >+ int ret = vfs_ChDir(conn, oldwd); >+ if (ret == -1) { >+ smb_panic("unable to get back to old directory\n"); >+ } >+ TALLOC_FREE(oldwd); >+ } >+ if (saved_errno != 0) { >+ errno = saved_errno; >+ } >+ return fd; >+} >+ > /**************************************************************************** > fd support routines - attempt to do a dos_open. > ****************************************************************************/ >-- >2.9.3 > > >From 74dc827ce1bc1fe29f9a5a587f2618dbee67ec94 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Dec 2016 13:06:31 -0800 >Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new > non_widelink_open() function. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >--- > source3/smbd/open.c | 23 ++++++++++++++++++++++- > 1 file changed, 22 insertions(+), 1 deletion(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index d628d0b..006be91 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -638,7 +638,28 @@ NTSTATUS fd_open(struct connection_struct *conn, > flags |= O_NOFOLLOW; > } > >- fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); >+ /* Ensure path is below share definition. */ >+ if (!lp_widelinks(SNUM(conn))) { >+ const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn, >+ smb_fname->base_name); >+ if (conn_rootdir == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ /* >+ * Only follow symlinks within a share >+ * definition. >+ */ >+ fsp->fh->fd = non_widelink_open(conn, >+ conn_rootdir, >+ fsp, >+ smb_fname, >+ flags, >+ mode, >+ 0); >+ } else { >+ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); >+ } >+ > if (fsp->fh->fd == -1) { > int posix_errno = link_errno_convert(errno); > status = map_nt_error_from_unix(posix_errno); >-- >2.9.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
Actions:
View
|
Diff
Attachments on
bug 43678
:
8576
|
8577
|
8578
|
8579
| 8592