5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 May 2026 12:16:05 +0000 (14:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 May 2026 12:16:05 +0000 (14:16 +0200)
added patches:
smb-client-reject-userspace-cifs.spnego-descriptions.patch

queue-5.15/series
queue-5.15/smb-client-reject-userspace-cifs.spnego-descriptions.patch [new file with mode: 0644]

index 064c46271e285545e37881dc51073fab09b7a16f..fd27f2b761a9b67cb22051ed825d40e8be4ae60d 100644 (file)
@@ -679,3 +679,4 @@ net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch
 wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
 kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch
 revert-s390-cio-fix-device-lifecycle-handling-in-css.patch
+smb-client-reject-userspace-cifs.spnego-descriptions.patch
diff --git a/queue-5.15/smb-client-reject-userspace-cifs.spnego-descriptions.patch b/queue-5.15/smb-client-reject-userspace-cifs.spnego-descriptions.patch
new file mode 100644 (file)
index 0000000..2e57d38
--- /dev/null
@@ -0,0 +1,70 @@
+From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Sat, 16 May 2026 21:15:39 +0000
+Subject: smb: client: reject userspace cifs.spnego descriptions
+
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+
+commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream.
+
+cifs.spnego key descriptions contain authority-bearing fields such as
+pid, uid, creduid, and upcall_target that cifs.upcall treats as
+kernel-originating inputs. However, userspace can also create keys of
+this type through request_key(2) or add_key(2), allowing those fields to
+be supplied without CIFS origin.
+
+Only accept cifs.spnego descriptions while CIFS is using its private
+spnego_cred to request the key.
+
+Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
+Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[Salvatore Bonaccorso: Apply changes to fs/cifs/cifs_spnego.c instead of
+fs/smb/client/cifs_spnego.c before 38c8a9a52082 ("smb: move client and server
+files to common directory fs/smb") in v6.4-rc1 and backported to v6.1.36]
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_spnego.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -8,6 +8,7 @@
+  */
+ #include <linux/list.h>
++#include <linux/cred.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <keys/user-type.h>
+@@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key)
+       kfree(key->payload.data[0]);
+ }
++static int
++cifs_spnego_key_vet_description(const char *description)
++{
++      /*
++       * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
++       * They are only valid when produced by CIFS while using the private
++       * spnego_cred installed below.  Do not let userspace create this type
++       * of key through request_key(2)/add_key(2), since the helper treats
++       * pid/uid/creduid/upcall_target as kernel-originating fields.
++       */
++      if (current_cred() != spnego_cred)
++              return -EPERM;
++      return 0;
++}
+ /*
+  * keytype for CIFS spnego keys
+  */
+ struct key_type cifs_spnego_key_type = {
+       .name           = "cifs.spnego",
++      .vet_description = cifs_spnego_key_vet_description,
+       .instantiate    = cifs_spnego_key_instantiate,
+       .destroy        = cifs_spnego_key_destroy,
+       .describe       = user_describe,
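Review bot: `cifs_spnego_key_vet_description()` never reads its `description` argument; the only gate is the pointer comparison `current_cred() != spnego_cred`, so the hook establishes who is creating the key, not that the pid/uid/creduid/upcall_target fields are well formed. The existing comment explains the origin check clearly, but I would add one line to it, such as `Note: the description text itself is not parsed or validated here.`, so a later reader does not assume field validation happens in this callback. `spnego_cred` is not declared in either hunk shown, and the comment says it is "installed below"; for this backport to fs/cifs/cifs_spnego.c, please confirm that the 5.15 file declares it at file scope ahead of the new function. The `cifs_spnego_key_type` initializer continues past the end of the hunk.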