
[meta-networking,whinlatter,03/11] cifs-utils: patch CVE-2025-2312

Message ID 20251229145152.489068-3-skandigraun@gmail.com
State New
Series [meta-gnome,whinlatter,01/11] accountservice: ignore CVE-2023-3297 | expand

Commit Message

Gyorgy Sarvari Dec. 29, 2025, 2:51 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312

Pick the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../cifs/cifs-utils/CVE-2025-2312.patch       | 135 ++++++++++++++++++
 .../recipes-support/cifs/cifs-utils_7.0.bb    |   4 +-
 2 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch

Patch

diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
new file mode 100644
index 0000000000..162e4cc4be
--- /dev/null
+++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
@@ -0,0 +1,135 @@ 
+From 44312bbc9aaae39a88541abe7ab7700314d34047 Mon Sep 17 00:00:00 2001
+From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Date: Tue, 19 Nov 2024 06:07:58 +0000
+Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt
+
+NOTE: This patch is dependent on one of the previously sent patches:
+[PATCH] CIFS: New mount option for cifs.upcall namespace resolution
+which introduces a new mount option called upcall_target, to
+customise the upcall behaviour.
+
+Building upon the above patch, the following patch adds functionality
+to handle upcall_target as a mount option in cifs.upcall. It can have 2 values -
+mount, app.
+Having this new mount option allows the mount command to specify where the
+upcall should happen: 'mount' for resolving the upcall to the host
+namespace, and 'app' for resolving the upcall to the ns of the calling
+thread. This will enable both the scenarios where the Kerberos credentials
+can be found on the application namespace or the host namespace to which
+just the mount operation is "delegated".
+This aids use cases like Kubernetes where the mount
+happens on behalf of the application in another container altogether.
+
+Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+
+CVE: CVE-2025-2312
+Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c0328..0883afa 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -953,6 +953,13 @@ struct decoded_args {
+ #define MAX_USERNAME_SIZE 256
+ 	char username[MAX_USERNAME_SIZE + 1];
+ 
++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */
++	enum upcall_target_enum {
++		UPTARGET_UNSPECIFIED, /* not specified, defaults to app */
++		UPTARGET_MOUNT, /* upcall to the mount namespace */
++		UPTARGET_APP, /* upcall to the application namespace which did the mount */
++	} upcall_target;
++
+ 	uid_t uid;
+ 	uid_t creduid;
+ 	pid_t pid;
+@@ -969,6 +976,7 @@ struct decoded_args {
+ #define DKD_HAVE_PID		0x20
+ #define DKD_HAVE_CREDUID	0x40
+ #define DKD_HAVE_USERNAME	0x80
++#define DKD_HAVE_UPCALL_TARGET	0x100
+ #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+ 	int have;
+ };
+@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 	size_t len;
+ 	char *pos;
+ 	const char *tkn = desc;
++	arg->upcall_target = UPTARGET_UNSPECIFIED;
+ 
+ 	do {
+ 		pos = index(tkn, ';');
+@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg)
+ 			}
+ 			arg->have |= DKD_HAVE_VERSION;
+ 			syslog(LOG_DEBUG, "ver=%d", arg->ver);
++		} else if (strncmp(tkn, "upcall_target=", 14) == 0) {
++			if (pos == NULL)
++				len = strlen(tkn);
++			else
++				len = pos - tkn;
++
++			len -= 14;
++			if (len > MAX_UPCALL_STRING_LEN) {
++				syslog(LOG_ERR, "upcall_target= value too long for buffer");
++				return 1;
++			}
++			if (strncmp(tkn + 14, "mount", 5) == 0) {
++				arg->upcall_target = UPTARGET_MOUNT;
++				syslog(LOG_DEBUG, "upcall_target=mount");
++			} else if (strncmp(tkn + 14, "app", 3) == 0) {
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			} else {
++				// Should never happen
++				syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app",
++				       tkn + 14);
++				arg->upcall_target = UPTARGET_APP;
++				syslog(LOG_DEBUG, "upcall_target=app");
++			}
++			arg->have |= DKD_HAVE_UPCALL_TARGET;
+ 		}
+ 		if (pos == NULL)
+ 			break;
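Review bot: The two value comparisons are prefix matches, so a value of up to six bytes that merely begins with `mount` or `app` selects that namespace instead of reaching the invalid-value branch (the length check admits `len` up to `MAX_UPCALL_STRING_LEN`, which counts the NUL). Since this field decides which namespace the credential lookup runs in, I would match exactly: `if (len == 5 && strncmp(tkn + 14, "mount", 5) == 0)` and `else if (len == 3 && strncmp(tkn + 14, "app", 3) == 0)`. The invalid-value syslog also prints `tkn + 14` with `%s`, which runs past the `;` into the remaining fields of the description; `%.*s` with `(int)len` would bound it. The enclosing `__decode_key_description` starts and ends outside this hunk.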
+@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[])
+ 	 * acceptably in containers, because we'll be looking at the correct
+ 	 * filesystem and have the correct network configuration.
+ 	 */
+-	rc = switch_to_process_ns(arg->pid);
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+-		rc = 1;
+-		goto out;
++	if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
++		syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
++		rc = switch_to_process_ns(arg->pid);
++		if (rc == -1) {
++			syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
++			rc = 1;
++			goto out;
++		}
++		if (trim_capabilities(env_probe))
++			goto out;
++	} else {
++		syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
+ 	}
+ 
+-	if (trim_capabilities(env_probe))
+-		goto out;
+ 
+ 	/*
+ 	 * The kernel doesn't pass down the gid, so we resort here to scraping
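Review bot: On the `upcall_target=mount` path the call to `trim_capabilities(env_probe)` is no longer reached, because it moved inside the app branch; before this change it ran unconditionally. As far as the hunk shows, the helper then keeps whatever capability set it started with for the rest of `main`. Unless something outside the hunk requires that, I would keep `if (trim_capabilities(env_probe)) goto out;` after the `if`/`else` so both paths drop privileges, or add a comment saying why the mount path must not trim. The info message at the top of the app branch also logs `upcall_target=app` when the value was unspecified. `main` continues outside the hunk.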
+@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[])
+ 	 * look at the environ file.
+ 	 */
+ 	env_cachename =
+-		get_cachename_from_process_env(env_probe ? arg->pid : 0);
++		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+ 
+ 	rc = setuid(uid);
+ 	if (rc == -1) {
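Review bot: The new condition tests only `UPTARGET_APP`, while the namespace switch earlier in `main` treats `UPTARGET_UNSPECIFIED` the same as app. A key description without `upcall_target=` (presumably what a kernel without the new mount option sends) therefore still switches namespace but passes pid 0 here, which looks like a behaviour change from the old `env_probe ? arg->pid : 0`. `(env_probe && arg->upcall_target != UPTARGET_MOUNT) ? arg->pid : 0` would keep the two checks consistent. Since this is a backport, check whether upstream has a follow-up for this and pick it alongside.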
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
index e2918503be..f86e7bd22b 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb
@@ -5,7 +5,9 @@  LICENSE = "GPL-3.0-only & LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30"
-SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \
+           file://CVE-2025-2312.patch \
+           "
 
 DEPENDS += "libtalloc"