From: Greg Kroah-Hartman Date: Wed, 27 May 2026 12:16:04 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.258~50 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=a9d5b3b360a4a9052ac936ca5386b7cea835ae91;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: smb-client-reject-userspace-cifs.spnego-descriptions.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 43d5bc7ec4..ec26414632 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -530,3 +530,4 @@ selftests-lib.mk-also-install-config-and-settings.patch
 revert-x86-vdso-fix-output-operand-size-of-rdpid.patch
 net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch
 revert-s390-cio-fix-device-lifecycle-handling-in-css.patch
+smb-client-reject-userspace-cifs.spnego-descriptions.patch
diff --git a/queue-5.10/smb-client-reject-userspace-cifs.spnego-descriptions.patch b/queue-5.10/smb-client-reject-userspace-cifs.spnego-descriptions.patch
new file mode 100644
index 0000000000..30be7d6c29
--- /dev/null
+++ b/queue-5.10/smb-client-reject-userspace-cifs.spnego-descriptions.patch
@@ -0,0 +1,70 @@
+From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada
+Date: Sat, 16 May 2026 21:15:39 +0000
+Subject: smb: client: reject userspace cifs.spnego descriptions
+
+From: Asim Viladi Oglu Manizada
+
+commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream.
+
+cifs.spnego key descriptions contain authority-bearing fields such as
+pid, uid, creduid, and upcall_target that cifs.upcall treats as
+kernel-originating inputs. However, userspace can also create keys of
+this type through request_key(2) or add_key(2), allowing those fields to
+be supplied without CIFS origin.
+
+Only accept cifs.spnego descriptions while CIFS is using its private
+spnego_cred to request the key.
+
+Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
+Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
+Reviewed-by: David Howells
+Signed-off-by: Asim Viladi Oglu Manizada
+Signed-off-by: Steve French
+[Salvatore Bonaccorso: Apply changes to fs/cifs/cifs_spnego.c instead of
+fs/smb/client/cifs_spnego.c before 38c8a9a52082 ("smb: move client and server
+files to common directory fs/smb") in v6.4-rc1 and backported to v6.1.36]
+Signed-off-by: Salvatore Bonaccorso
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifs_spnego.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -58,12 +59,27 @@ cifs_spnego_key_destroy(struct key *key)
+ kfree(key->payload.data[0]);
+ }
+
++static int
++cifs_spnego_key_vet_description(const char *description)
++{
++ /*
++ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
++ * They are only valid when produced by CIFS while using the private
++ * spnego_cred installed below. Do not let userspace create this type
++ * of key through request_key(2)/add_key(2), since the helper treats
++ * pid/uid/creduid/upcall_target as kernel-originating fields.
++ */
++ if (current_cred() != spnego_cred)
++ return -EPERM;
++ return 0;
++}
+
+ /*
+ * keytype for CIFS spnego keys
+ */
+ struct key_type cifs_spnego_key_type = {
+ .name = "cifs.spnego",
++ .vet_description = cifs_spnego_key_vet_description,
+ .instantiate = cifs_spnego_key_instantiate,
+ .destroy = cifs_spnego_key_destroy,
+ .describe = user_describe,
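Review bot: In `cifs_spnego_key_vet_description()` the whole decision is the pointer comparison `current_cred() != spnego_cred`, and the `description` argument is never inspected, so the protection holds only as long as nothing else runs with `spnego_cred` as its current credentials. The comment says the cred is "installed below", but the override site and the declaration and initialisation of `spnego_cred` lie outside this hunk. For this 5.10 backport it should therefore be confirmed that the override brackets only the CIFS `request_key()` call, and that `spnego_cred` is never a stale pointer while the key type is registered. I would record that in the comment, e.g. `* Invariant: spnego_cred is the current cred only around CIFS's own request_key() call.` The rejection is also silent; if visibility into userspace attempts to create this key type is wanted, a rate-limited debug message before `return -EPERM;` would provide it.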