Commit 1d0cffa6 authored by Steve French's avatar Steve French
Browse files

cifs: do not allow creating sockets except with SMB1 posix exensions 



RHBZ: 1453123

Since at least the 3.10 kernel and likely a lot earlier we have
not been able to create unix domain sockets in a cifs share
when mounted using the SFU mount option (except when mounted
with the cifs unix extensions to Samba e.g.)
Trying to create a socket, for example using the af_unix command from
xfstests will cause :
BUG: unable to handle kernel NULL pointer dereference at 00000000
00000040

Since no one uses or depends on being able to create unix domains sockets
on a cifs share the easiest fix to stop this vulnerability is to simply
not allow creation of any other special files than char or block devices
when sfu is used.

Added update to Ronnie's patch to handle a tcon link leak, and
to address a buf leak noticed by Gustavo and Colin.

Acked-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
CC:  Colin Ian King <colin.king@canonical.com>
Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
Reported-by: default avatarEryu Guan <eguan@redhat.com>
Signed-off-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
Cc: stable@vger.kernel.org
parent ff30b89e

fs/cifs/dir.c

+5 −4
Original line number Diff line number Diff line
@@ -684,6 +684,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, 
		goto mknod_out;

	}



	if (!S_ISCHR(mode) && !S_ISBLK(mode))

		goto mknod_out;



	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))

		goto mknod_out;
@@ -692,10 +695,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, 


	buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);

	if (buf == NULL) {

		kfree(full_path);

		rc = -ENOMEM;

		free_xid(xid);

		return rc;

		goto mknod_out;

	}



	if (backup_cred(cifs_sb))
@@ -742,7 +743,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, 
		pdev->minor = cpu_to_le64(MINOR(device_number));

		rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,

							&bytes_written, iov, 1);

	} /* else if (S_ISFIFO) */

	}

	tcon->ses->server->ops->close(xid, tcon, &fid);

	d_drop(direntry);

CRA Git | Maintained and supported by SUSTech CRA and CCSE