The Samba-Bugzilla – Attachment 4901 Details for
Bug 6853
mount.cifs race that allows user to replace mountpoint with a symlink; CVE-2010-0787
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch -- take extra care that mountpoint isn't changed
0001-mount.cifs-take-extra-care-that-mountpoint-isn-t-ch.patch (text/plain), 2.82 KB, created by
Jeff Layton
on 2009-10-28 07:59:50 UTC
(
hide
)
Description:
patch -- take extra care that mountpoint isn't changed
Filename:
MIME Type:
Creator:
Jeff Layton
Created:
2009-10-28 07:59:50 UTC
Size:
2.82 KB
patch
obsolete
>From 29829555a8373b90f262117ce16e3938194cce73 Mon Sep 17 00:00:00 2001 >From: Jeff Layton <jlayton@redhat.com> >Date: Sat, 24 Oct 2009 08:31:11 -0400 >Subject: [PATCH] mount.cifs: take extra care that mountpoint isn't changed during mount > >It's possible to trick mount.cifs into mounting onto the wrong directory >by replacing the mountpoint with a symlink to a directory. mount.cifs >attempts to check the validity of the mountpoint, but there's still a >possible race between those checks and the mount(2) syscall. > >To guard against this, chdir to the mountpoint very early, and only deal >with it as "." from then on out. > >Signed-off-by: Jeff Layton <jlayton@redhat.com> >--- > client/mount.cifs.c | 34 ++++++++++++++++++++++++++-------- > 1 files changed, 26 insertions(+), 8 deletions(-) > >diff --git a/client/mount.cifs.c b/client/mount.cifs.c >index 3baaad7..fcddaa8 100644 >--- a/client/mount.cifs.c >+++ b/client/mount.cifs.c >@@ -179,7 +179,7 @@ check_mountpoint(const char *progname, char *mountpoint) > struct stat statbuf; > > /* does mountpoint exist and is it a directory? */ >- err = stat(mountpoint, &statbuf); >+ err = stat(".", &statbuf); > if (err) { > fprintf(stderr, "%s: failed to stat %s: %s\n", progname, > mountpoint, strerror(errno)); >@@ -1378,6 +1378,14 @@ int main(int argc, char ** argv) > } > > /* make sure mountpoint is legit */ >+ rc = chdir(mountpoint); >+ if (rc) { >+ fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint, >+ strerror(errno)); >+ rc = EX_USAGE; >+ goto mount_exit; >+ } >+ > rc = check_mountpoint(thisprogram, mountpoint); > if (rc) > goto mount_exit; >@@ -1440,13 +1448,23 @@ int main(int argc, char ** argv) > > /* BB save off path and pop after mount returns? */ > resolved_path = (char *)malloc(PATH_MAX+1); >- if(resolved_path) { >- /* Note that if we can not canonicalize the name, we get >- another chance to see if it is valid when we chdir to it */ >- if (realpath(mountpoint, resolved_path)) { >- mountpoint = resolved_path; >- } >+ if (!resolved_path) { >+ fprintf(stderr, "Unable to allocate memory.\n"); >+ rc = EX_SYSERR; >+ goto mount_exit; > } >+ >+ /* Note that if we can not canonicalize the name, we get >+ another chance to see if it is valid when we chdir to it */ >+ if(!realpath(".", resolved_path)) { >+ fprintf(stderr, "Unable to resolve %s to canonical path: %s\n", >+ mountpoint, strerror(errno)); >+ rc = EX_SYSERR; >+ goto mount_exit; >+ } >+ >+ mountpoint = resolved_path; >+ > if(got_user == 0) { > /* Note that the password will not be retrieved from the > USER env variable (ie user%password form) as there is >@@ -1590,7 +1608,7 @@ mount_retry: > if (verboseflag) > fprintf(stderr, "\n"); > >- if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) { >+ if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) { > switch (errno) { > case ECONNREFUSED: > case EHOSTUNREACH: >-- >1.6.0.6 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jlayton
:
review?
(
sfrench
)
Actions:
View
Attachments on
bug 6853
: 4901 |
4904
|
5222