Attachment 8592 Details for Bug 43678

[patch] CVE-2017-2619-v45.patch

CVE-2017-2619-v45.patch (text/plain), 28.17 KB, created by Arvid Requate on 2017-03-20 14:51 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Arvid Requate

Created: 2017-03-20 14:51 CET

Size: 28.17 KB

patch

obsolete

>From a863a6c430977a44c63c3c115365534c1d76ba9f Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Sun, 19 Mar 2017 15:58:17 +0100
>Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after
> dptr_CloseDir()
>
>dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
>have to reopen it.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
>diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
>index e18a279..2af029b 100644
>--- a/source3/smbd/smb2_query_directory.c
>+++ b/source3/smbd/smb2_query_directory.c
>@@ -24,6 +24,7 @@
> #include "../libcli/smb/smb_common.h"
> #include "trans2.h"
> #include "../lib/util/tevent_ntstatus.h"
>+#include "system/filesys.h"
> 
> static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
> 					      struct tevent_context *ev,
>@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
> 	}
> 
> 	if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
>+		int flags;
>+
> 		dptr_CloseDir(fsp);
>+
>+		/*
>+		 * dptr_CloseDir() will close and invalidate the fsp's file
>+		 * descriptor, we have to reopen it.
>+		 */
>+
>+		flags = O_RDONLY;
>+#ifdef O_DIRECTORY
>+		flags |= O_DIRECTORY;
>+#endif
>+		status = fd_open(conn, fsp, flags, 0);
>+		if (tevent_req_nterror(req, status)) {
>+			return tevent_req_post(req, ev);
>+		}
> 	}
> 
> 	if (!smbreq->posix_pathnames) {
>-- 
>2.9.3
>
>
>From 9615ae174b79b577c502109a6a786cd7a0eba9b4 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Sun, 19 Mar 2017 18:52:10 +0100
>Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with
> SMB2_CONTINUE_FLAG_REOPEN flag
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source4/torture/smb2/dir.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
>diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c
>index 98844b4..db8e456 100644
>--- a/source4/torture/smb2/dir.c
>+++ b/source4/torture/smb2/dir.c
>@@ -674,7 +674,7 @@ bool fill_result(void *private_data,
> 	return true;
> }
> 
>-enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART};
>+enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN};
> 
> static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
> 				     TALLOC_CTX *tctx,
>@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
> 
> 	/* The search should start from the beginning everytime */
> 	f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART;
>+	if (cont_type == CONT_REOPEN) {
>+		f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN;
>+	}
> 
> 	do {
> 		status = smb2_find_level(tree, tree, &f, &count, &d);
>@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx,
> 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_SINGLE},
> 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_INDEX},
> 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_RESTART},
>+		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_REOPEN},
> 		{"SMB2_FIND_DIRECTORY_INFO",         "SINGLE",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_SINGLE},
> 		{"SMB2_FIND_DIRECTORY_INFO",         "INDEX",   SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_INDEX},
> 		{"SMB2_FIND_DIRECTORY_INFO",         "RESTART", SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_RESTART},
>+		{"SMB2_FIND_DIRECTORY_INFO",         "REOPEN",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_REOPEN},
> 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_SINGLE},
> 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_INDEX},
> 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_RESTART},
>+		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_REOPEN},
> 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE},
> 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX},
> 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART},
>+		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN},
> 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE},
> 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX},
>-		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}
>+		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART},
>+		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN},
> 	};
> 
> 	smb2_deltree(tree, DNAME);
>-- 
>2.9.3
>
>
>From 5abff7718164ab21398211cb60824a65514ef36d Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 11:55:56 -0800
>Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for
> OpenDir in preparation for making robust.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index 3c6f000..b22d92d 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1630,7 +1630,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
>  Open a directory.
> ********************************************************************/
> 
>-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
>+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
>+			connection_struct *conn,
> 			const struct smb_filename *smb_dname,
> 			const char *mask,
> 			uint32_t attr)
>@@ -1672,6 +1673,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 	return NULL;
> }
> 
>+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
>+			const struct smb_filename *smb_dname,
>+			const char *mask,
>+			uint32_t attr)
>+{
>+	return OpenDir_internal(mem_ctx,
>+				conn,
>+				smb_dname,
>+				mask,
>+				attr);
>+}
>+
> /*******************************************************************
>  Open a directory from an fsp.
> ********************************************************************/
>-- 
>2.9.3
>
>
>From 8cbf7ff9e8ab3bfa765355ef292aed2d6e735378 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 16:25:26 -0800
>Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early
> return if SMB_VFS_OPENDIR failed.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index b22d92d..a5d172a 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1643,6 +1643,15 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
> 		return NULL;
> 	}
> 
>+	dirp->dir = SMB_VFS_OPENDIR(conn, smb_dname, mask, attr);
>+
>+	if (!dirp->dir) {
>+		DEBUG(5,("OpenDir: Can't open %s. %s\n",
>+			smb_dname->base_name,
>+			strerror(errno) ));
>+		goto fail;
>+	}
>+
> 	dirp->conn = conn;
> 	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
> 
>@@ -1657,15 +1666,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
> 	}
> 	talloc_set_destructor(dirp, smb_Dir_destructor);
> 
>-	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_smb_fname, mask, attr);
>-
>-	if (!dirp->dir) {
>-		DEBUG(5,("OpenDir: Can't open %s. %s\n",
>-			dirp->dir_smb_fname->base_name,
>-			strerror(errno) ));
>-		goto fail;
>-	}
>-
> 	return dirp;
> 
>   fail:
>-- 
>2.9.3
>
>
>From 421e6b8d3365cd4b5bb415eb2afc159f6f152c9e Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 16:35:00 -0800
>Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use
> open_dir_safely(). Use from OpenDir().
>
>Hardens OpenDir against TOC/TOU races.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 70 insertions(+), 7 deletions(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index a5d172a..2b107a9 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1655,12 +1655,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
> 	dirp->conn = conn;
> 	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
> 
>-	dirp->dir_smb_fname = cp_smb_filename(dirp, smb_dname);
>-	if (!dirp->dir_smb_fname) {
>-		errno = ENOMEM;
>-		goto fail;
>-	}
>-
> 	if (sconn && !sconn->using_smb2) {
> 		sconn->searches.dirhandles_open++;
> 	}
>@@ -1673,12 +1667,81 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
> 	return NULL;
> }
> 
>+/****************************************************************************
>+ Open a directory handle by pathname, ensuring it's under the share path.
>+****************************************************************************/
>+
>+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
>+					connection_struct *conn,
>+					const struct smb_filename *smb_dname,
>+					const char *wcard,
>+					uint32_t attr)
>+{
>+	struct smb_Dir *dir_hnd = NULL;
>+	struct smb_filename *smb_fname_cwd = NULL;
>+	char *saved_dir = vfs_GetWd(ctx, conn);
>+	NTSTATUS status;
>+
>+	if (saved_dir == NULL) {
>+		return NULL;
>+	}
>+
>+	if (vfs_ChDir(conn, smb_dname->base_name) == -1) {
>+		goto out;
>+	}
>+
>+	smb_fname_cwd = synthetic_smb_fname(talloc_tos(),
>+					".",
>+					NULL,
>+					NULL,
>+					smb_dname->flags);
>+	if (smb_fname_cwd == NULL) {
>+		goto out;
>+	}
>+
>+	/*
>+	 * Now the directory is pinned, use
>+	 * REALPATH to ensure we can access it.
>+	 */
>+	status = check_name(conn, ".");
>+	if (!NT_STATUS_IS_OK(status)) {
>+		goto out;
>+	}
>+
>+	dir_hnd = OpenDir_internal(ctx,
>+				conn,
>+				smb_fname_cwd,
>+				wcard,
>+				attr);
>+
>+	if (dir_hnd == NULL) {
>+		goto out;
>+	}
>+
>+	/*
>+	 * OpenDir_internal only gets "." as the dir name.
>+	 * Store the real dir name here.
>+	 */
>+
>+	dir_hnd->dir_smb_fname = cp_smb_filename(dir_hnd, smb_dname);
>+	if (!dir_hnd->dir_smb_fname) {
>+		TALLOC_FREE(dir_hnd);
>+		errno = ENOMEM;
>+	}
>+
>+  out:
>+
>+	vfs_ChDir(conn, saved_dir);
>+	TALLOC_FREE(saved_dir);
>+	return dir_hnd;
>+}
>+
> struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 			const struct smb_filename *smb_dname,
> 			const char *mask,
> 			uint32_t attr)
> {
>-	return OpenDir_internal(mem_ctx,
>+	return open_dir_safely(mem_ctx,
> 				conn,
> 				smb_dname,
> 				mask,
>-- 
>2.9.3
>
>
>From 075229ed491cb478a27a8210b86bad9af4f223fd Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 12:13:20 -0800
>Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early
> returns.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
> 1 file changed, 21 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index 2b107a9..12edf80 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1761,7 +1761,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 	struct smbd_server_connection *sconn = conn->sconn;
> 
> 	if (!dirp) {
>-		return NULL;
>+		goto fail;
>+	}
>+
>+	if (!fsp->is_directory) {
>+		errno = EBADF;
>+		goto fail;
>+	}
>+
>+	if (fsp->fh->fd == -1) {
>+		errno = EBADF;
>+		goto fail;
> 	}
> 
> 	dirp->conn = conn;
>@@ -1778,18 +1788,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 	}
> 	talloc_set_destructor(dirp, smb_Dir_destructor);
> 
>-	if (fsp->is_directory && fsp->fh->fd != -1) {
>-		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
>-		if (dirp->dir != NULL) {
>-			dirp->fsp = fsp;
>-		} else {
>-			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
>-				"NULL (%s)\n",
>-				dirp->dir_smb_fname->base_name,
>-				strerror(errno)));
>-			if (errno != ENOSYS) {
>-				return NULL;
>-			}
>+	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
>+	if (dirp->dir != NULL) {
>+		dirp->fsp = fsp;
>+	} else {
>+		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
>+			"NULL (%s)\n",
>+			dirp->dir_smb_fname->base_name,
>+			strerror(errno)));
>+		if (errno != ENOSYS) {
>+			return NULL;
> 		}
> 	}
> 
>-- 
>2.9.3
>
>
>From 1d4810ede5aacd2b53ae5936e48a40811103c222 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 12:15:59 -0800
>Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory
> leak on error.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index 12edf80..42e787b 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1797,7 +1797,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 			dirp->dir_smb_fname->base_name,
> 			strerror(errno)));
> 		if (errno != ENOSYS) {
>-			return NULL;
>+			goto fail;
> 		}
> 	}
> 
>-- 
>2.9.3
>
>
>From ae9398a104e7df91356198708165c3d48df16be2 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 12:32:07 -0800
>Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting
> and destructor setup to just before retuning success.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index 42e787b..2fd5085 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1783,11 +1783,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 		goto fail;
> 	}
> 
>-	if (sconn && !sconn->using_smb2) {
>-		sconn->searches.dirhandles_open++;
>-	}
>-	talloc_set_destructor(dirp, smb_Dir_destructor);
>-
> 	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
> 	if (dirp->dir != NULL) {
> 		dirp->fsp = fsp;
>@@ -1816,6 +1811,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 		goto fail;
> 	}
> 
>+	if (sconn && !sconn->using_smb2) {
>+		sconn->searches.dirhandles_open++;
>+	}
>+	talloc_set_destructor(dirp, smb_Dir_destructor);
>+
> 	return dirp;
> 
>   fail:
>-- 
>2.9.3
>
>
>From 112f3faaf9854e4837ef9cf3a04a790b01a527b6 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 19 Dec 2016 12:35:32 -0800
>Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to
> open_dir_safely if FDOPENDIR not supported on system.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/dir.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
>diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
>index 2fd5085..1348d12 100644
>--- a/source3/smbd/dir.c
>+++ b/source3/smbd/dir.c
>@@ -1797,20 +1797,15 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
> 	}
> 
> 	if (dirp->dir == NULL) {
>-		/* FDOPENDIR didn't work. Use OPENDIR instead. */
>-		dirp->dir = SMB_VFS_OPENDIR(conn,
>-					dirp->dir_smb_fname,
>+		/* FDOPENDIR is not supported. Use OPENDIR instead. */
>+		TALLOC_FREE(dirp);
>+		return open_dir_safely(mem_ctx,
>+					conn,
>+					fsp->fsp_name,
> 					mask,
> 					attr);
> 	}
> 
>-	if (!dirp->dir) {
>-		DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n",
>-			dirp->dir_smb_fname->base_name,
>-			strerror(errno) ));
>-		goto fail;
>-	}
>-
> 	if (sconn && !sconn->using_smb2) {
> 		sconn->searches.dirhandles_open++;
> 	}
>-- 
>2.9.3
>
>
>From abb23d35ce6d49545fe5fe07fc4e98e8660bc71e Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 15 Dec 2016 12:52:13 -0800
>Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We
> insist on O_NOFOLLOW existing.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/open.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index f0a68c9..9828c99 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
>@@ -366,8 +366,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
> 	struct smb_filename *smb_fname = fsp->fsp_name;
> 	NTSTATUS status = NT_STATUS_OK;
> 
>-#ifdef O_NOFOLLOW
>-	/* 
>+	/*
> 	 * Never follow symlinks on a POSIX client. The
> 	 * client should be doing this.
> 	 */
>@@ -375,12 +374,10 @@ NTSTATUS fd_open(struct connection_struct *conn,
> 	if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) {
> 		flags |= O_NOFOLLOW;
> 	}
>-#endif
> 
> 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
> 	if (fsp->fh->fd == -1) {
> 		int posix_errno = errno;
>-#ifdef O_NOFOLLOW
> #if defined(ENOTSUP) && defined(OSF1)
> 		/* handle special Tru64 errno */
> 		if (errno == ENOTSUP) {
>@@ -397,7 +394,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
> 		if (errno == EMLINK) {
> 			posix_errno = ELOOP;
> 		}
>-#endif /* O_NOFOLLOW */
> 		status = map_nt_error_from_unix(posix_errno);
> 		if (errno == EMFILE) {
> 			static time_t last_warned = 0L;
>-- 
>2.9.3
>
>
>From a0c258f6da51caf767ed50a5f97eb1e3e2f87b18 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 15 Dec 2016 12:56:08 -0800
>Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of
> symlink errno's into a utility function.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/open.c | 43 ++++++++++++++++++++++++++-----------------
> 1 file changed, 26 insertions(+), 17 deletions(-)
>
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index 9828c99..a72b483 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
>@@ -355,6 +355,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
> }
> 
> /****************************************************************************
>+ Handle differing symlink errno's
>+****************************************************************************/
>+
>+static int link_errno_convert(int err)
>+{
>+#if defined(ENOTSUP) && defined(OSF1)
>+	/* handle special Tru64 errno */
>+	if (err == ENOTSUP) {
>+		err = ELOOP;
>+	}
>+#endif /* ENOTSUP */
>+#ifdef EFTYPE
>+	/* fix broken NetBSD errno */
>+	if (err == EFTYPE) {
>+		err = ELOOP;
>+	}
>+#endif /* EFTYPE */
>+	/* fix broken FreeBSD errno */
>+	if (err == EMLINK) {
>+		err = ELOOP;
>+	}
>+	return err;
>+}
>+
>+/****************************************************************************
>  fd support routines - attempt to do a dos_open.
> ****************************************************************************/
> 
>@@ -377,23 +402,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
> 
> 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
> 	if (fsp->fh->fd == -1) {
>-		int posix_errno = errno;
>-#if defined(ENOTSUP) && defined(OSF1)
>-		/* handle special Tru64 errno */
>-		if (errno == ENOTSUP) {
>-			posix_errno = ELOOP;
>-		}
>-#endif /* ENOTSUP */
>-#ifdef EFTYPE
>-		/* fix broken NetBSD errno */
>-		if (errno == EFTYPE) {
>-			posix_errno = ELOOP;
>-		}
>-#endif /* EFTYPE */
>-		/* fix broken FreeBSD errno */
>-		if (errno == EMLINK) {
>-			posix_errno = ELOOP;
>-		}
>+		int posix_errno = link_errno_convert(errno);
> 		status = map_nt_error_from_unix(posix_errno);
> 		if (errno == EMFILE) {
> 			static time_t last_warned = 0L;
>-- 
>2.9.3
>
>
>From 1d03b8420bf201c2edcebcb165d2483549a5ab46 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 15 Dec 2016 13:04:46 -0800
>Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to
> prevent symlink open races.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/open.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 238 insertions(+)
>
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index a72b483..d628d0b 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
>@@ -379,6 +379,244 @@ static int link_errno_convert(int err)
> 	return err;
> }
> 
>+static int non_widelink_open(struct connection_struct *conn,
>+			const char *conn_rootdir,
>+			files_struct *fsp,
>+			struct smb_filename *smb_fname,
>+			int flags,
>+			mode_t mode,
>+			unsigned int link_depth);
>+
>+/****************************************************************************
>+ Follow a symlink in userspace.
>+****************************************************************************/
>+
>+static int process_symlink_open(struct connection_struct *conn,
>+			const char *conn_rootdir,
>+			files_struct *fsp,
>+			struct smb_filename *smb_fname,
>+			int flags,
>+			mode_t mode,
>+			unsigned int link_depth)
>+{
>+	int fd = -1;
>+	char *link_target = NULL;
>+	int link_len = -1;
>+	char *oldwd = NULL;
>+	size_t rootdir_len = 0;
>+	char *resolved_name = NULL;
>+	bool matched = false;
>+	int saved_errno = 0;
>+
>+	/*
>+	 * Ensure we don't get stuck in a symlink loop.
>+	 */
>+	link_depth++;
>+	if (link_depth >= 20) {
>+		errno = ELOOP;
>+		goto out;
>+	}
>+
>+	/* Allocate space for the link target. */
>+	link_target = talloc_array(talloc_tos(), char, PATH_MAX);
>+	if (link_target == NULL) {
>+		errno = ENOMEM;
>+		goto out;
>+	}
>+
>+	/* Read the link target. */
>+	link_len = SMB_VFS_READLINK(conn,
>+				smb_fname->base_name,
>+				link_target,
>+				PATH_MAX - 1);
>+	if (link_len == -1) {
>+		goto out;
>+	}
>+
>+	/* Ensure it's at least null terminated. */
>+	link_target[link_len] = '\0';
>+
>+	/* Convert to an absolute path. */
>+	resolved_name = SMB_VFS_REALPATH(conn, link_target);
>+	if (resolved_name == NULL) {
>+		goto out;
>+	}
>+
>+	/*
>+	 * We know conn_rootdir starts with '/' and
>+	 * does not end in '/'. FIXME ! Should we
>+	 * smb_assert this ?
>+	 */
>+	rootdir_len = strlen(conn_rootdir);
>+
>+	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
>+	if (!matched) {
>+		errno = EACCES;
>+		goto out;
>+	}
>+
>+	/*
>+	 * Turn into a path relative to the share root.
>+	 */
>+	if (resolved_name[rootdir_len] == '\0') {
>+		/* Link to the root of the share. */
>+		smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
>+		if (smb_fname->base_name == NULL) {
>+			errno = ENOMEM;
>+			goto out;
>+		}
>+	} else if (resolved_name[rootdir_len] == '/') {
>+		smb_fname->base_name = &resolved_name[rootdir_len+1];
>+	} else {
>+		errno = EACCES;
>+		goto out;
>+	}
>+
>+	oldwd = vfs_GetWd(talloc_tos(), conn);
>+	if (oldwd == NULL) {
>+		goto out;
>+	}
>+
>+	/* Ensure we operate from the root of the share. */
>+	if (vfs_ChDir(conn, conn_rootdir) == -1) {
>+		goto out;
>+	}
>+
>+	/* And do it all again.. */
>+	fd = non_widelink_open(conn,
>+				conn_rootdir,
>+				fsp,
>+				smb_fname,
>+				flags,
>+				mode,
>+				link_depth);
>+	if (fd == -1) {
>+		saved_errno = errno;
>+	}
>+
>+  out:
>+
>+	SAFE_FREE(resolved_name);
>+	TALLOC_FREE(link_target);
>+	if (oldwd != NULL) {
>+		int ret = vfs_ChDir(conn, oldwd);
>+		if (ret == -1) {
>+			smb_panic("unable to get back to old directory\n");
>+		}
>+		TALLOC_FREE(oldwd);
>+	}
>+	if (saved_errno != 0) {
>+		errno = saved_errno;
>+	}
>+	return fd;
>+}
>+
>+/****************************************************************************
>+ Non-widelink open.
>+****************************************************************************/
>+
>+static int non_widelink_open(struct connection_struct *conn,
>+			const char *conn_rootdir,
>+			files_struct *fsp,
>+			struct smb_filename *smb_fname,
>+			int flags,
>+			mode_t mode,
>+			unsigned int link_depth)
>+{
>+	NTSTATUS status;
>+	int fd = -1;
>+	struct smb_filename *smb_fname_rel = NULL;
>+	int saved_errno = 0;
>+	char *oldwd = NULL;
>+	char *parent_dir = NULL;
>+	const char *final_component = NULL;
>+
>+	if (!parent_dirname(talloc_tos(),
>+			smb_fname->base_name,
>+			&parent_dir,
>+			&final_component)) {
>+		goto out;
>+	}
>+
>+	oldwd = vfs_GetWd(talloc_tos(), conn);
>+	if (oldwd == NULL) {
>+		goto out;
>+	}
>+
>+	/* Pin parent directory in place. */
>+	if (vfs_ChDir(conn, parent_dir) == -1) {
>+		goto out;
>+	}
>+
>+	/* Ensure the relative path is below the share. */
>+	status = check_reduced_name(conn, final_component);
>+	if (!NT_STATUS_IS_OK(status)) {
>+		saved_errno = map_errno_from_nt_status(status);
>+		goto out;
>+	}
>+
>+	smb_fname_rel = synthetic_smb_fname(talloc_tos(),
>+				final_component,
>+				smb_fname->stream_name,
>+				&smb_fname->st,
>+				smb_fname->flags);
>+
>+	flags |= O_NOFOLLOW;
>+
>+	{
>+		struct smb_filename *tmp_name = fsp->fsp_name;
>+		fsp->fsp_name = smb_fname_rel;
>+		fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
>+		fsp->fsp_name = tmp_name;
>+	}
>+
>+	if (fd == -1) {
>+		saved_errno = link_errno_convert(errno);
>+		if (saved_errno == ELOOP) {
>+			if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
>+				/* Never follow symlinks on posix open. */
>+				goto out;
>+			}
>+			if (!lp_follow_symlinks(SNUM(conn))) {
>+				/* Explicitly no symlinks. */
>+				goto out;
>+			}
>+			/*
>+			 * We have a symlink. Follow in userspace
>+			 * to ensure it's under the share definition.
>+			 */
>+			fd = process_symlink_open(conn,
>+					conn_rootdir,
>+					fsp,
>+					smb_fname_rel,
>+					flags,
>+					mode,
>+					link_depth);
>+			if (fd == -1) {
>+				saved_errno =
>+					link_errno_convert(errno);
>+			}
>+		}
>+	}
>+
>+  out:
>+
>+	TALLOC_FREE(parent_dir);
>+	TALLOC_FREE(smb_fname_rel);
>+
>+	if (oldwd != NULL) {
>+		int ret = vfs_ChDir(conn, oldwd);
>+		if (ret == -1) {
>+			smb_panic("unable to get back to old directory\n");
>+		}
>+		TALLOC_FREE(oldwd);
>+	}
>+	if (saved_errno != 0) {
>+		errno = saved_errno;
>+	}
>+	return fd;
>+}
>+
> /****************************************************************************
>  fd support routines - attempt to do a dos_open.
> ****************************************************************************/
>-- 
>2.9.3
>
>
>From 74dc827ce1bc1fe29f9a5a587f2618dbee67ec94 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 15 Dec 2016 13:06:31 -0800
>Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new
> non_widelink_open() function.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Uri Simchoni <uri@samba.org>
>---
> source3/smbd/open.c | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index d628d0b..006be91 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
>@@ -638,7 +638,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
> 		flags |= O_NOFOLLOW;
> 	}
> 
>-	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
>+	/* Ensure path is below share definition. */
>+	if (!lp_widelinks(SNUM(conn))) {
>+		const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
>+						smb_fname->base_name);
>+		if (conn_rootdir == NULL) {
>+			return NT_STATUS_NO_MEMORY;
>+		}
>+		/*
>+		 * Only follow symlinks within a share
>+		 * definition.
>+		 */
>+		fsp->fh->fd = non_widelink_open(conn,
>+					conn_rootdir,
>+					fsp,
>+					smb_fname,
>+					flags,
>+					mode,
>+					0);
>+	} else {
>+		fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
>+	}
>+
> 	if (fsp->fh->fd == -1) {
> 		int posix_errno = link_errno_convert(errno);
> 		status = map_nt_error_from_unix(posix_errno);
>-- 
>2.9.3
>

Actions: View | Diff

Attachments on bug 43678: 8576 | 8577 | 8578 | 8579 | 8592