The Samba-Bugzilla – Attachment 13319 Details for
Bug 12860
CVE-2017-2619 regression with non-wide symlinks to directories
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.6.next
bug-12860-4.6.x (text/plain), 7.19 KB, created by
Jeremy Allison
on 2017-06-27 23:40:16 UTC
(
hide
)
Description:
git-am fix for 4.6.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2017-06-27 23:40:16 UTC
Size:
7.19 KB
patch
obsolete
>From be4c55e12c9f7bef6f4e5f1876ce032d49aa0285 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 23 Jun 2017 11:12:22 -0700 >Subject: [PATCH 1/2] s3: smbd: Add regression test for non-wide symlinks to > directories fail over SMB3. > >Mark as knownfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit f1f388ef80a6516c2f44b7778420f8ffe28c6471) >--- > selftest/knownfail | 1 + > selftest/target/Samba3.pm | 7 ++++ > source3/script/tests/test_smbclient_s3.sh | 55 +++++++++++++++++++++++++++++++ > 3 files changed, 63 insertions(+) > >diff --git a/selftest/knownfail b/selftest/knownfail >index d16d7231711..745042132fc 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -306,3 +306,4 @@ > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_add_duplicate_different_type.* > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_rank_none.* > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* >+^samba3.blackbox.smbclient_s3.*follow local symlinks.* >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index fb6d0f4f86b..a7699f8ccb4 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1356,6 +1356,9 @@ sub provision($$$$$$$$) > my $nosymlinks_shrdir="$shrdir/nosymlinks"; > push(@dirs,$nosymlinks_shrdir); > >+ my $local_symlinks_shrdir="$shrdir/local_symlinks"; >+ push(@dirs,$local_symlinks_shrdir); >+ > # this gets autocreated by winbindd > my $wbsockdir="$prefix_abs/winbindd"; > my $wbsockprivdir="$lockdir/winbindd_privileged"; >@@ -1981,6 +1984,10 @@ sub provision($$$$$$$$) > copy = tmp > path = $nosymlinks_shrdir > follow symlinks = no >+[local_symlinks] >+ copy = tmp >+ path = $local_symlinks_shrdir >+ follow symlinks = yes > [kernel_oplocks] > copy = tmp > kernel oplocks = yes >diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh >index be7aafbed7c..ce1cb089ea9 100755 >--- a/source3/script/tests/test_smbclient_s3.sh >+++ b/source3/script/tests/test_smbclient_s3.sh >@@ -1215,6 +1215,57 @@ EOF > fi > } > >+# Test we can follow normal symlinks. >+# Bug: https://bugzilla.samba.org/show_bug.cgi?id=12860 >+# Note - this needs to be tested over SMB3, not SMB1. >+ >+test_local_symlinks() >+{ >+# Setup test dirs. >+ LOCAL_RAWARGS="${CONFIGURATION} -mSMB3" >+ LOCAL_ADDARGS="${LOCAL_RAWARGS} $*" >+ >+ test_dir="$LOCAL_PATH/local_symlinks/test" >+ >+ slink_name="$test_dir/sym_name" >+ slink_target_dir="$test_dir/dir1" >+ >+ rm -rf $test_dir >+ >+ mkdir -p $test_dir >+ mkdir $slink_target_dir >+ ln -s $slink_target_dir $slink_name >+ >+# Can we cd into the symlink name and ls ? >+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands >+ cat > $tmpfile <<EOF >+cd test\\sym_name >+ls >+quit >+EOF >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I $SERVER_IP $LOCAL_ADDARGS < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=`eval $cmd` >+ ret=$? >+ rm -f $tmpfile >+ >+ if [ $ret -ne 0 ] ; then >+ echo "$out" >+ echo "failed accessing local_symlinks with error $ret" >+ false >+ return >+ fi >+ >+ echo "$out" | grep 'NT_STATUS_' >+ ret=$? >+ if [ $ret -eq 0 ] ; then >+ echo "$out" >+ echo "failed - got an NT_STATUS error" >+ false >+ return >+ fi >+} >+ > LOGDIR_PREFIX=test_smbclient_s3 > > # possibly remove old logdirs: >@@ -1318,6 +1369,10 @@ testit "follow symlinks = no" \ > test_nosymlinks || \ > failed=`expr $failed + 1` > >+testit "follow local symlinks" \ >+ test_local_symlinks || \ >+ failed=`expr $failed + 1` >+ > testit "rm -rf $LOGDIR" \ > rm -rf $LOGDIR || \ > failed=`expr $failed + 1` >-- >2.13.2.725.g09c95d1e9-goog > > >From 9073a5b712a53afa333269c321e7caf7a3c81a0e Mon Sep 17 00:00:00 2001 >From: Daniel Kobras <d.kobras@science-computing.de> >Date: Fri, 23 Jun 2017 15:39:21 +0200 >Subject: [PATCH 2/2] s3: smbd: fix regression with non-wide symlinks to > directories over SMB3. > >The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and >O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to >open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform >further checks to be sure. Adjust non_widelink_open() accordingly. This fixes >a regression where symlinks to directories within the same share were no >longer followed for some call paths on systems returning ENOTDIR in the above >case. > >Also remove the knownfail added in previous commit. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860 > >Signed-off-by: Daniel Kobras <d.kobras@science-computing.de> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit acc16592b451905dabc093f1d261e93cd3b59520) >--- > selftest/knownfail | 1 - > source3/smbd/open.c | 24 ++++++++++++++++++++++-- > 2 files changed, 22 insertions(+), 3 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 745042132fc..d16d7231711 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -306,4 +306,3 @@ > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_add_duplicate_different_type.* > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_rank_none.* > ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* >-^samba3.blackbox.smbclient_s3.*follow local symlinks.* >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index bdd0cdeddc5..42d3679e7e3 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -579,7 +579,18 @@ static int non_widelink_open(struct connection_struct *conn, > > if (fd == -1) { > saved_errno = link_errno_convert(errno); >- if (saved_errno == ELOOP) { >+ /* >+ * Trying to open a symlink to a directory with O_NOFOLLOW and >+ * O_DIRECTORY can return either of ELOOP and ENOTDIR. So >+ * ENOTDIR really means: might be a symlink, but we're not sure. >+ * In this case, we just assume there's a symlink. If we were >+ * wrong, process_symlink_open() will return EINVAL. We check >+ * this below, and fall back to returning the initial >+ * saved_errno. >+ * >+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860 >+ */ >+ if (saved_errno == ELOOP || saved_errno == ENOTDIR) { > if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { > /* Never follow symlinks on posix open. */ > goto out; >@@ -589,7 +600,7 @@ static int non_widelink_open(struct connection_struct *conn, > goto out; > } > /* >- * We have a symlink. Follow in userspace >+ * We may have a symlink. Follow in userspace > * to ensure it's under the share definition. > */ > fd = process_symlink_open(conn, >@@ -600,6 +611,15 @@ static int non_widelink_open(struct connection_struct *conn, > mode, > link_depth); > if (fd == -1) { >+ if (saved_errno == ENOTDIR && >+ errno == EINVAL) { >+ /* >+ * O_DIRECTORY on neither a directory, >+ * nor a symlink. Just return >+ * saved_errno from initial open() >+ */ >+ goto out; >+ } > saved_errno = > link_errno_convert(errno); > } >-- >2.13.2.725.g09c95d1e9-goog >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 12860
:
13305
|
13306
| 13319 |
13320