Mounting SMB3 shares was broken by this upstream commit:
commit 0603c96f3af50 "SMB: Validate negotiate (to protect against
downgrade) even if signing off"
It has been fixed in upstream by a subsequent commit:
commit 4587eee04e2ac "SMB3: Validate negotiate request must always be
signed"
However, backporting this patch to stable kernels (4.4 or 4.9) doesn't
fix the problem; it appears that a more involved patch is required. So
in the meantime, fix the regression by reverting the original commit
that broke SMB3 mounting.
Change-Id: I154253f6698b3ad5aba306e7361b75dda555d732
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4595
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 | 4 |
Version: 4.9.74 |
| 5 |
-Release: 1%{?dist}
|
|
| 5 |
+Release: 2%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -47,6 +47,7 @@ Patch26: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
| 47 | 47 |
Patch27: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
| 48 | 48 |
# Fix CVE-2017-17450 |
| 49 | 49 |
Patch28: netfilter-xt_osf-Add-missing-permission-checks.patch |
| 50 |
+Patch29: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 50 | 51 |
|
| 51 | 52 |
BuildRequires: bc |
| 52 | 53 |
BuildRequires: kbd |
| ... | ... |
@@ -112,6 +113,7 @@ The Linux package contains the Linux kernel doc files |
| 112 | 112 |
%patch26 -p1 |
| 113 | 113 |
%patch27 -p1 |
| 114 | 114 |
%patch28 -p1 |
| 115 |
+%patch29 -p1 |
|
| 115 | 116 |
|
| 116 | 117 |
%build |
| 117 | 118 |
# patch vmw_balloon driver |
| ... | ... |
@@ -208,6 +210,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 208 | 208 |
/usr/src/linux-headers-%{uname_r}
|
| 209 | 209 |
|
| 210 | 210 |
%changelog |
| 211 |
+* Wed Jan 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-2 |
|
| 212 |
+- Fix SMB3 mount regression. |
|
| 211 | 213 |
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
| 212 | 214 |
- Version update |
| 213 | 215 |
- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
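Review bot: The `Patch29:` line is added without a comment, unlike the `# Fix CVE-2017-17450` line just above it, and the new changelog entry says only `- Fix SMB3 mount regression.`, so nothing in the spec records that this patch reverts a downgrade-protection change. With the revert applied, `smb3_validate_negotiate` again returns early when `tcon->ses->server->sign` is false, so negotiate validation runs only on connections where signing is on. I would add `# Temporary revert of 0603c96f3af50 (validate negotiate even if signing off); drop once the complete fix is backported` above the Patch line and extend the changelog entry to `- Fix SMB3 mount regression by reverting the validate negotiate change (0603c96f3af50).`. The same applies to `Patch35:` in the linux-secure section and `Patch32:` in the linux section.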
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 | 4 |
Version: 4.9.74 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -56,6 +56,7 @@ Patch32: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
| 56 | 56 |
Patch33: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
| 57 | 57 |
# Fix CVE-2017-17450 |
| 58 | 58 |
Patch34: netfilter-xt_osf-Add-missing-permission-checks.patch |
| 59 |
+Patch35: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 59 | 60 |
|
| 60 | 61 |
# NSX requirements (should be removed) |
| 61 | 62 |
Patch99: LKCM.patch |
| ... | ... |
@@ -168,6 +169,7 @@ EOF |
| 168 | 168 |
%patch32 -p1 |
| 169 | 169 |
%patch33 -p1 |
| 170 | 170 |
%patch34 -p1 |
| 171 |
+%patch35 -p1 |
|
| 171 | 172 |
|
| 172 | 173 |
pushd .. |
| 173 | 174 |
%patch99 -p0 |
| ... | ... |
@@ -294,6 +296,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 294 | 294 |
/usr/src/linux-headers-%{uname_r}
|
| 295 | 295 |
|
| 296 | 296 |
%changelog |
| 297 |
+* Wed Jan 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-2 |
|
| 298 |
+- Fix SMB3 mount regression. |
|
| 297 | 299 |
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
| 298 | 300 |
- Version update |
| 299 | 301 |
- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.9.74 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -53,6 +53,7 @@ Patch29: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
| 53 | 53 |
Patch30: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
| 54 | 54 |
# Fix CVE-2017-17450 |
| 55 | 55 |
Patch31: netfilter-xt_osf-Add-missing-permission-checks.patch |
| 56 |
+Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 56 | 57 |
|
| 57 | 58 |
%if 0%{?kat_build:1}
|
| 58 | 59 |
Patch1000: %{kat_build}.patch
|
| ... | ... |
@@ -155,6 +156,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 155 | 155 |
%patch29 -p1 |
| 156 | 156 |
%patch30 -p1 |
| 157 | 157 |
%patch31 -p1 |
| 158 |
+%patch32 -p1 |
|
| 158 | 159 |
|
| 159 | 160 |
%if 0%{?kat_build:1}
|
| 160 | 161 |
%patch1000 -p1 |
| ... | ... |
@@ -322,6 +324,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 322 | 322 |
/usr/share/doc/* |
| 323 | 323 |
|
| 324 | 324 |
%changelog |
| 325 |
+* Wed Jan 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-2 |
|
| 326 |
+- Fix SMB3 mount regression. |
|
| 325 | 327 |
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
| 326 | 328 |
- Version update |
| 327 | 329 |
- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
| 328 | 330 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,57 @@ |
| 0 |
+ |
|
| 1 |
+This code reverts the commit mentioned below. (Apply it with patch -p1, |
|
| 2 |
+not patch -p1 -R). |
|
| 3 |
+ |
|
| 4 |
+commit 0e1b85a41a25ac888fb64a60ad2949dbc2ab61ed |
|
| 5 |
+Author: Steve French <smfrench@gmail.com> |
|
| 6 |
+Date: Wed Sep 20 19:57:18 2017 -0500 |
|
| 7 |
+ |
|
| 8 |
+ SMB: Validate negotiate (to protect against downgrade) even if signing off |
|
| 9 |
+ |
|
| 10 |
+ commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream. |
|
| 11 |
+ |
|
| 12 |
+ As long as signing is supported (ie not a guest user connection) and |
|
| 13 |
+ connection is SMB3 or SMB3.02, then validate negotiate (protect |
|
| 14 |
+ against man in the middle downgrade attacks). We had been doing this |
|
| 15 |
+ only when signing was required, not when signing was just enabled, |
|
| 16 |
+ but this more closely matches recommended SMB3 behavior and is |
|
| 17 |
+ better security. Suggested by Metze. |
|
| 18 |
+ |
|
| 19 |
+ Signed-off-by: Steve French <smfrench@gmail.com> |
|
| 20 |
+ Reviewed-by: Jeremy Allison <jra@samba.org> |
|
| 21 |
+ Acked-by: Stefan Metzmacher <metze@samba.org> |
|
| 22 |
+ Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> |
|
| 23 |
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
| 24 |
+ |
|
| 25 |
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c |
|
| 26 |
+index 69b610ad..b98d96a 100644 |
|
| 27 |
+--- a/fs/cifs/smb2pdu.c |
|
| 28 |
+@@ -531,22 +531,15 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) |
|
| 29 |
+ |
|
| 30 |
+ /* |
|
| 31 |
+ * validation ioctl must be signed, so no point sending this if we |
|
| 32 |
+- * can not sign it (ie are not known user). Even if signing is not |
|
| 33 |
+- * required (enabled but not negotiated), in those cases we selectively |
|
| 34 |
++ * can not sign it. We could eventually change this to selectively |
|
| 35 |
+ * sign just this, the first and only signed request on a connection. |
|
| 36 |
+- * Having validation of negotiate info helps reduce attack vectors. |
|
| 37 |
++ * This is good enough for now since a user who wants better security |
|
| 38 |
++ * would also enable signing on the mount. Having validation of |
|
| 39 |
++ * negotiate info for signed connections helps reduce attack vectors |
|
| 40 |
+ */ |
|
| 41 |
+- if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) |
|
| 42 |
++ if (tcon->ses->server->sign == false) |
|
| 43 |
+ return 0; /* validation requires signing */ |
|
| 44 |
+ |
|
| 45 |
+- if (tcon->ses->user_name == NULL) {
|
|
| 46 |
+- cifs_dbg(FYI, "Can't validate negotiate: null user mount\n"); |
|
| 47 |
+- return 0; /* validation requires signing */ |
|
| 48 |
+- } |
|
| 49 |
+- |
|
| 50 |
+- if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) |
|
| 51 |
+- cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n"); |
|
| 52 |
+- |
|
| 53 |
+ vneg_inbuf.Capabilities = |
|
| 54 |
+ cpu_to_le32(tcon->ses->server->vals->req_capabilities); |
|
| 55 |
+ memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, |