
[meta-networking,scarthgap,01/12] cifs-utils: patch CVE-2025-2312

Message ID 20260109092843.1924568-1-ankur.tyagi85@gmail.com

Commit Message

Ankur Tyagi Jan. 9, 2026, 9:28 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../cifs/cifs-utils/CVE-2025-2312.patch       | 136 ++++++++++++++++++
 .../recipes-support/cifs/cifs-utils_7.0.bb    |   4 +-
 2 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch

Comments

Gyorgy Sarvari Jan. 9, 2026, 10:47 a.m. UTC | #1
This patch needs a bit of caution, because it requires kernel 6.13 at
least, without it it has not effect. The required kernel change[1] was
not backported to older stable versions (both Scarthgap and Kirkstone
are out of luck with the default kernel).

Not saying the patch should be dropped, rather that the CVE tag in the patch
will mark it as patched, but it's only half of the fix. Not sure what (if
anything at all) should be done about this.

[1]:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb?id=db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

On 1/9/26 10:28, Ankur Tyagi via lists.openembedded.org wrote:
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---
>  .../cifs/cifs-utils/CVE-2025-2312.patch       | 136 ++++++++++++++++++
>  .../recipes-support/cifs/cifs-utils_7.0.bb    |   4 +-
>  2 files changed, 139 insertions(+), 1 deletion(-)
>  create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
>
> diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
> new file mode 100644
> index 0000000000..3e62b0f1c3
> --- /dev/null
> +++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
> @@ -0,0 +1,136 @@
> +From faf6ce0abd6fbca95721eb88754add9c0c700a5c Mon Sep 17 00:00:00 2001
> +From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
> +Date: Tue, 19 Nov 2024 06:07:58 +0000
> +Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
> +
> +NOTE: This patch is dependent on one of the previously sent patches:
> +[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
> +which introduces a new mount option called upcall_target, to
> +customise the upcall behaviour.
> +
> +Building upon the above patch, the following patch adds functionality
> +to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
> +mount, app.
> +Having this new mount option allows the mount command to specify where the
> +upcall should happen: 'mount' for resolving the upcall to the host
> +namespace, and 'app' for resolving the upcall to the ns of the calling
> +thread. This will enable both the scenarios where the Kerberos credentials
> +can be found on the application namespace or the host namespace to which
> +just the mount operation is "delegated".
> +This aids use cases like Kubernetes where the mount
> +happens on behalf of the application in another container altogether.
> +
> +Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
> +Signed-off-by: Steve French <stfrench@microsoft.com>
> +
> +CVE: CVE-2025-2312
> +Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
> +(cherry picked from commit 89b679228cc1be9739d54203d28289b03352c174)
> +Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> +---
> + cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
> + 1 file changed, 47 insertions(+), 8 deletions(-)
> +
> +diff --git a/cifs.upcall.c b/cifs.upcall.c
> +index 52c0328..0883afa 100644
> +--- a/cifs.upcall.c
> ++++ b/cifs.upcall.c
> +@@ -953,6 +953,13 @@ struct decoded_args {
> + #define MAX_USERNAME_SIZE 256
> + 	char username[MAX_USERNAME_SIZE + 1];
> + 
> ++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
> ++	enum upcall_target_enum {
> ++		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
> ++		UPTARGET_MOUNT, /* upcall to the mount namespace */
> ++		UPTARGET_APP, /* upcall to the application namespace which did the mount */
> ++	} upcall_target;
> ++
> + 	uid_t uid;
> + 	uid_t creduid;
> + 	pid_t pid;
> +@@ -969,6 +976,7 @@ struct decoded_args {
> + #define DKD_HAVE_PID		0x20
> + #define DKD_HAVE_CREDUID	0x40
> + #define DKD_HAVE_USERNAME	0x80
> ++#define DKD_HAVE_UPCALL_TARGET	0x100
> + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
> + 	int have;
> + };
> +@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
> + 	size_t len;
> + 	char *pos;
> + 	const char *tkn = desc;
> ++	arg->upcall_target = UPTARGET_UNSPECIFIED;
> + 
> + 	do {
> + 		pos = index(tkn, ';');
> +@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
> + 			}
> + 			arg->have |= DKD_HAVE_VERSION;
> + 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
> ++		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
> ++			if (pos == NULL)
> ++				len = strlen(tkn);
> ++			else
> ++				len = pos - tkn;
> ++
> ++			len -= 14;
> ++			if (len > MAX_UPCALL_STRING_LEN) {
> ++				syslog(LOG_ERR, "upcall_target= value too long for buffer");
> ++				return 1;
> ++			}
> ++			if (strncmp(tkn + 14, "mount", 5) == 0) {
> ++				arg->upcall_target = UPTARGET_MOUNT;
> ++				syslog(LOG_DEBUG, "upcall_target=mount");
> ++			} else if (strncmp(tkn + 14, "app", 3) == 0) {
> ++				arg->upcall_target = UPTARGET_APP;
> ++				syslog(LOG_DEBUG, "upcall_target=app");
> ++			} else {
> ++				// Should never happen
> ++				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
> ++				       tkn + 14);
> ++				arg->upcall_target = UPTARGET_APP;
> ++				syslog(LOG_DEBUG, "upcall_target=app");
> ++			}
> ++			arg->have |= DKD_HAVE_UPCALL_TARGET;
> + 		}
> + 		if (pos == NULL)
> + 			break;
> +@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
> + 	 * acceptably in containers, because we'll be looking at the correct
> + 	 * filesystem and have the correct network configuration.
> + 	 */
> +-	rc = switch_to_process_ns(arg->pid);
> +-	if (rc == -1) {
> +-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
> +-		rc = 1;
> +-		goto out;
> ++	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
> ++		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
> ++		rc = switch_to_process_ns(arg->pid);
> ++		if (rc == -1) {
> ++			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
> ++			rc = 1;
> ++			goto out;
> ++		}
> ++		if (trim_capabilities(env_probe))
> ++			goto out;
> ++	} else {
> ++		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
> + 	}
> + 
> +-	if (trim_capabilities(env_probe))
> +-		goto out;
> + 
> + 	/*
> + 	 * The kernel doesn't pass down the gid, so we resort here to scraping
> +@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
> + 	 * look at the environ file.
> + 	 */
> + 	env_cachename =
> +-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
> ++		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
> + 
> + 	rc = setuid(uid);
> + 	if (rc == -1) {
> diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> index c78bbae7b8..4e27491bba 100644
> --- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> +++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> @@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
>  
>  SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
> -SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
> +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
> +           file://CVE-2025-2312.patch \
> +"
>  
>  S = "${WORKDIR}/git"
>  DEPENDS += "libtalloc"
>
>
Ankur Tyagi Jan. 9, 2026, 9:37 p.m. UTC | #2
On Fri, Jan 9, 2026 at 11:47 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> This patch needs a bit of caution, because it requires kernel 6.13 at
> least, without it it has not effect. The required kernel change[1] was
> not backported to older stable versions (both Scarthgap and Kirkstone
> are out of luck with the default kernel).
>
> Not saying the patch should be dropped, rather that CVE tag in the patch
> will mark is patched, but it's only half of the fix. Not sure what (if
> anything at all) should be done about this.
>
> [1]:
> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb?id=db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

Thanks Gyorgy, I overlooked that aspect.
It would be misleading to mark the CVE as patched when the vulnerability
still exists.

I am in favor of dropping this patch.

>
> On 1/9/26 10:28, Ankur Tyagi via lists.openembedded.org wrote:
> > From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> >
> > Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
> >
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > ---
> >  .../cifs/cifs-utils/CVE-2025-2312.patch       | 136 ++++++++++++++++++
> >  .../recipes-support/cifs/cifs-utils_7.0.bb    |   4 +-
> >  2 files changed, 139 insertions(+), 1 deletion(-)
> >  create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
> >
> > diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
> > new file mode 100644
> > index 0000000000..3e62b0f1c3
> > --- /dev/null
> > +++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
> > @@ -0,0 +1,136 @@
> > +From faf6ce0abd6fbca95721eb88754add9c0c700a5c Mon Sep 17 00:00:00 2001
> > +From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
> > +Date: Tue, 19 Nov 2024 06:07:58 +0000
> > +Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
> > +
> > +NOTE: This patch is dependent on one of the previously sent patches:
> > +[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
> > +which introduces a new mount option called upcall_target, to
> > +customise the upcall behaviour.
> > +
> > +Building upon the above patch, the following patch adds functionality
> > +to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
> > +mount, app.
> > +Having this new mount option allows the mount command to specify where the
> > +upcall should happen: 'mount' for resolving the upcall to the host
> > +namespace, and 'app' for resolving the upcall to the ns of the calling
> > +thread. This will enable both the scenarios where the Kerberos credentials
> > +can be found on the application namespace or the host namespace to which
> > +just the mount operation is "delegated".
> > +This aids use cases like Kubernetes where the mount
> > +happens on behalf of the application in another container altogether.
> > +
> > +Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
> > +Signed-off-by: Steve French <stfrench@microsoft.com>
> > +
> > +CVE: CVE-2025-2312
> > +Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
> > +(cherry picked from commit 89b679228cc1be9739d54203d28289b03352c174)
> > +Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > +---
> > + cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
> > + 1 file changed, 47 insertions(+), 8 deletions(-)
> > +
> > +diff --git a/cifs.upcall.c b/cifs.upcall.c
> > +index 52c0328..0883afa 100644
> > +--- a/cifs.upcall.c
> > ++++ b/cifs.upcall.c
> > +@@ -953,6 +953,13 @@ struct decoded_args {
> > + #define MAX_USERNAME_SIZE 256
> > +     char username[MAX_USERNAME_SIZE + 1];
> > +
> > ++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
> > ++    enum upcall_target_enum {
> > ++            UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
> > ++            UPTARGET_MOUNT, /* upcall to the mount namespace */
> > ++            UPTARGET_APP, /* upcall to the application namespace which did the mount */
> > ++    } upcall_target;
> > ++
> > +     uid_t uid;
> > +     uid_t creduid;
> > +     pid_t pid;
> > +@@ -969,6 +976,7 @@ struct decoded_args {
> > + #define DKD_HAVE_PID                0x20
> > + #define DKD_HAVE_CREDUID    0x40
> > + #define DKD_HAVE_USERNAME   0x80
> > ++#define DKD_HAVE_UPCALL_TARGET      0x100
> > + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
> > +     int have;
> > + };
> > +@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
> > +     size_t len;
> > +     char *pos;
> > +     const char *tkn = desc;
> > ++    arg->upcall_target = UPTARGET_UNSPECIFIED;
> > +
> > +     do {
> > +             pos = index(tkn, ';');
> > +@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
> > +                     }
> > +                     arg->have |= DKD_HAVE_VERSION;
> > +                     syslog(LOG_DEBUG, "ver=%d", arg->ver);
> > ++            } else if (strncmp(tkn, "upcall_target=", 14) == 0) {
> > ++                    if (pos == NULL)
> > ++                            len = strlen(tkn);
> > ++                    else
> > ++                            len = pos - tkn;
> > ++
> > ++                    len -= 14;
> > ++                    if (len > MAX_UPCALL_STRING_LEN) {
> > ++                            syslog(LOG_ERR, "upcall_target= value too long for buffer");
> > ++                            return 1;
> > ++                    }
> > ++                    if (strncmp(tkn + 14, "mount", 5) == 0) {
> > ++                            arg->upcall_target = UPTARGET_MOUNT;
> > ++                            syslog(LOG_DEBUG, "upcall_target=mount");
> > ++                    } else if (strncmp(tkn + 14, "app", 3) == 0) {
> > ++                            arg->upcall_target = UPTARGET_APP;
> > ++                            syslog(LOG_DEBUG, "upcall_target=app");
> > ++                    } else {
> > ++                            // Should never happen
> > ++                            syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
> > ++                                   tkn + 14);
> > ++                            arg->upcall_target = UPTARGET_APP;
> > ++                            syslog(LOG_DEBUG, "upcall_target=app");
> > ++                    }
> > ++                    arg->have |= DKD_HAVE_UPCALL_TARGET;
> > +             }
> > +             if (pos == NULL)
> > +                     break;
> > +@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
> > +      * acceptably in containers, because we'll be looking at the correct
> > +      * filesystem and have the correct network configuration.
> > +      */
> > +-    rc = switch_to_process_ns(arg->pid);
> > +-    if (rc == -1) {
> > +-            syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
> > +-            rc = 1;
> > +-            goto out;
> > ++    if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
> > ++            syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
> > ++            rc = switch_to_process_ns(arg->pid);
> > ++            if (rc == -1) {
> > ++                    syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
> > ++                    rc = 1;
> > ++                    goto out;
> > ++            }
> > ++            if (trim_capabilities(env_probe))
> > ++                    goto out;
> > ++    } else {
> > ++            syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
> > +     }
> > +
> > +-    if (trim_capabilities(env_probe))
> > +-            goto out;
> > +
> > +     /*
> > +      * The kernel doesn't pass down the gid, so we resort here to scraping
> > +@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
> > +      * look at the environ file.
> > +      */
> > +     env_cachename =
> > +-            get_cachename_from_process_env(env_probe ? arg->pid : 0);
> > ++            get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
> > +
> > +     rc = setuid(uid);
> > +     if (rc == -1) {
> > diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> > index c78bbae7b8..4e27491bba 100644
> > --- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> > +++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
> > @@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only"
> >  LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> >
> >  SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
> > -SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
> > +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
> > +           file://CVE-2025-2312.patch \
> > +"
> >
> >  S = "${WORKDIR}/git"
> >  DEPENDS += "libtalloc"
> >
> >
>

Patch

diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
new file mode 100644
index 0000000000..3e62b0f1c3
--- /dev/null
+++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
@@ -0,0 +1,136 @@ 
+From faf6ce0abd6fbca95721eb88754add9c0c700a5c Mon Sep 17 00:00:00 2001
+From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Date: Tue, 19 Nov 2024 06:07:58 +0000
+Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
+
+NOTE: This patch is dependent on one of the previously sent patches:
+[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
+which introduces a new mount option called upcall_target, to
+customise the upcall behaviour.
+
+Building upon the above patch, the following patch adds functionality
+to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
+mount, app.
+Having this new mount option allows the mount command to specify where the
+upcall should happen: 'mount' for resolving the upcall to the host
+namespace, and 'app' for resolving the upcall to the ns of the calling
+thread. This will enable both the scenarios where the Kerberos credentials
+can be found on the application namespace or the host namespace to which
+just the mount operation is "delegated".
+This aids use cases like Kubernetes where the mount
+happens on behalf of the application in another container altogether.
+
+Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+
+CVE: CVE-2025-2312
+Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
+(cherry picked from commit 89b679228cc1be9739d54203d28289b03352c174)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c0328..0883afa 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -953,6 +953,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+ 	char username[MAX_USERNAME_SIZE + 1];
+ 
++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
++	enum upcall_target_enum {
++		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
++		UPTARGET_MOUNT, /* upcall to the mount namespace */
++		UPTARGET_APP, /* upcall to the application namespace which did the mount */
++	} upcall_target;
++
+ 	uid_t uid;
+ 	uid_t creduid;
+ 	pid_t pid;
+@@ -969,6 +976,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID		0x20
+ #define DKD_HAVE_CREDUID	0x40
+ #define DKD_HAVE_USERNAME	0x80
++#define DKD_HAVE_UPCALL_TARGET	0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+ 	int have;
+ };
+@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 	size_t len;
+ 	char *pos;
+ 	const char *tkn = desc;
++	arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+ 	do {
+ 		pos = index(tkn, ';');
+@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 			}
+ 			arg->have |= DKD_HAVE_VERSION;
+ 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
++		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
++			if (pos == NULL)
++				len = strlen(tkn);
++			else
++				len = pos - tkn;
++
++			len -= 14;
++			if (len > MAX_UPCALL_STRING_LEN) {
++				syslog(LOG_ERR, "upcall_target= value too long for buffer");
++				return 1;
++			}
++			if (strncmp(tkn + 14, "mount", 5) == 0) {
++				arg->upcall_target = UPTARGET_MOUNT;
++				syslog(LOG_DEBUG, "upcall_target=mount");
++			} else if (strncmp(tkn + 14, "app", 3) == 0) {
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			} else {
++				// Should never happen
++				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
++				       tkn + 14);
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			}
++			arg->have |= DKD_HAVE_UPCALL_TARGET;
+ 		}
+ 		if (pos == NULL)
+ 			break;
+@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
+ 	 * acceptably in containers, because we'll be looking at the correct
+ 	 * filesystem and have the correct network configuration.
+ 	 */
+-	rc = switch_to_process_ns(arg->pid);
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+-		rc = 1;
+-		goto out;
++	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
++		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
++		rc = switch_to_process_ns(arg->pid);
++		if (rc == -1) {
++			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
++			rc = 1;
++			goto out;
++		}
++		if (trim_capabilities(env_probe))
++			goto out;
++	} else {
++		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
+ 	}
+ 
+-	if (trim_capabilities(env_probe))
+-		goto out;
+ 
+ 	/*
+ 	 * The kernel doesn't pass down the gid, so we resort here to scraping
+@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
+ 	 * look at the environ file.
+ 	 */
+ 	env_cachename =
+-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
++		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+ 	rc = setuid(uid);
+ 	if (rc == -1) {
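Review bot: In the embedded cifs.upcall.c hunk, `trim_capabilities(env_probe)` now runs only on the `upcall_target=app` path; the original called it unconditionally after the namespace switch, so on the new `mount` path the process keeps its full capability set through the gid scraping and credential lookup up to `setuid(uid)`. Unless the mount path needs a capability that trim_capabilities would drop (nothing in the hunk suggests it does), I would hoist the call back out of the branch so it follows the `if`/`else` in both cases: `if (trim_capabilities(env_probe)) goto out;`. Separately, in `__decode_key_description` the value is matched by prefix only (`strncmp(tkn + 14, "mount", 5)`), so a six-character value such as `mountx` passes the length check and is treated as `mount`; compare the exact token length, `len == 5 && strncmp(tkn + 14, "mount", 5) == 0` and `len == 3 && strncmp(tkn + 14, "app", 3) == 0`, and since the token is not NUL-terminated at `pos`, the error syslog's `%s` prints the remainder of the whole key description rather than just the value — use `%.*s` with `(int)len`. Both `main()` and `__decode_key_description` start and end outside this hunk.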
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
index c78bbae7b8..4e27491bba 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
@@ -5,7 +5,9 @@  LICENSE = "GPL-3.0-only & LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
-SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
+           file://CVE-2025-2312.patch \
+"
 
 S = "${WORKDIR}/git"
 DEPENDS += "libtalloc"