umount.cifs in 3.0.25b is assuming wrong semantics for the CIFS_IOC_CHECKUMOUNT ioctl: the return value of ioctl() is checked for a value > 0, when the standard error return from ioctl (and the error return in this case) is -1 with errno set to a more descriptive value. As a result of misinterpreting the return value, umount.cifs is allowing all users to unmount shares mounted by any other user. In specialized circumstances, this could become a security hole if a user believes their mount point is safe and the share is unmounted to expose malicious directory contents below. Patch to follow.
Created attachment 2815 [details] patch to correctly check the return value of ioctl() This patch fixes umount.cifs to correctly treat all non-zero return values from ioctl() as errors, instead of just positive return values. There is probably a second bug here, in that ENOTTY is being compared against the return value instead of against errno; I'm not absolutely certain that this is a bug, though, and I don't have any machines with older cifs support around that I could check it against, so I haven't included this change in my patch.
Applied for 3.0.28a. Thanks ! Jeremy.