diff options
author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-11-23 06:13:07 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-12-13 13:35:51 -0500 |
commit | ad3dc46c878ae8bd90e720c672d159fe5763dbe3 (patch) | |
tree | 5beeee0002ea6f89070dc519c71b2b855f9805f2 | |
parent | 01c0aaaf620f9eeb073f39ce5149f08bb6a32cb0 (diff) | |
download | meta-openembedded-ad3dc46c878ae8bd90e720c672d159fe5763dbe3.tar.gz |
samba: fix CVE-2023-4091
A vulnerability was discovered in Samba, where the flaw allows SMB clients to
truncate files, even with read-only permissions when the Samba VFS module
"acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB
protocol allows opening files when the client requests read-only access but
then implicitly truncates the opened file to 0 bytes if the client specifies
a separate OVERWRITE create disposition request. The issue arises in configurations
that bypass kernel file system permissions checks, relying solely on Samba's permissions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4091
Fix is patched to the function call smbd_check_access_rights_fsp() of open_file(),
But in samba_4.14.14 smbd_check_access_rights() is used, from samba_4.15.0 onwards
smbd_check_access_rights() was replaced with smbd_check_access_rights_fsp() and
samba_4.14.14 is still vulnerable through smbd_check_access_rights().
Ref:
https://github.com/samba-team/samba/commit/3f61369d153419158c0f223e6f81c0bb07275833
https://github.com/samba-team/samba/commit/26dc10bdb2cff3eece4a2874931b4058f9f87d68
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 254 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch new file mode 100644 index 000000000..908ab85ba --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch | |||
@@ -0,0 +1,193 @@ | |||
1 | From b08a60160e6ab8d982d31844bcbf7ab67ff3a8de Mon Sep 17 00:00:00 2001 | ||
2 | From: Ralph Boehme <slow@samba.org> | ||
3 | Date: Tue, 1 Aug 2023 12:30:00 +0200 | ||
4 | Subject: [PATCH 2/2] CVE-2023-4091: smbtorture: test overwrite dispositions on | ||
5 | read-only file | ||
6 | |||
7 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 | ||
8 | |||
9 | Signed-off-by: Ralph Boehme <slow@samba.org> | ||
10 | |||
11 | CVE: CVE-2023-4091 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/samba-team/samba/commit/b08a60160e6ab8d982d31844bcbf7ab67ff3a8de] | ||
14 | |||
15 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
16 | --- | ||
17 | selftest/knownfail.d/samba3.smb2.acls | 1 + | ||
18 | source4/torture/smb2/acls.c | 145 ++++++++++++++++++++++++++ | ||
19 | 2 files changed, 146 insertions(+) | ||
20 | create mode 100644 selftest/knownfail.d/samba3.smb2.acls | ||
21 | |||
22 | diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls | ||
23 | new file mode 100644 | ||
24 | index 0000000..18df260 | ||
25 | --- /dev/null | ||
26 | +++ b/selftest/knownfail.d/samba3.smb2.acls | ||
27 | @@ -0,0 +1 @@ | ||
28 | +^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE | ||
29 | diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c | ||
30 | index 4f4538b..d26caeb 100644 | ||
31 | --- a/source4/torture/smb2/acls.c | ||
32 | +++ b/source4/torture/smb2/acls.c | ||
33 | @@ -3023,6 +3023,149 @@ done: | ||
34 | return ret; | ||
35 | } | ||
36 | |||
37 | +static bool test_overwrite_read_only_file(struct torture_context *tctx, | ||
38 | + struct smb2_tree *tree) | ||
39 | +{ | ||
40 | + NTSTATUS status; | ||
41 | + struct smb2_create c; | ||
42 | + const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt"; | ||
43 | + struct smb2_handle handle = {{0}}; | ||
44 | + union smb_fileinfo q; | ||
45 | + union smb_setfileinfo set; | ||
46 | + struct security_descriptor *sd = NULL, *sd_orig = NULL; | ||
47 | + const char *owner_sid = NULL; | ||
48 | + int i; | ||
49 | + bool ret = true; | ||
50 | + | ||
51 | + struct tcase { | ||
52 | + int disposition; | ||
53 | + const char *disposition_string; | ||
54 | + NTSTATUS expected_status; | ||
55 | + } tcases[] = { | ||
56 | +#define TCASE(d, s) { \ | ||
57 | + .disposition = d, \ | ||
58 | + .disposition_string = #d, \ | ||
59 | + .expected_status = s, \ | ||
60 | + } | ||
61 | + TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK), | ||
62 | + TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED), | ||
63 | + TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED), | ||
64 | + TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED), | ||
65 | + }; | ||
66 | +#undef TCASE | ||
67 | + | ||
68 | + ret = smb2_util_setup_dir(tctx, tree, BASEDIR); | ||
69 | + torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok"); | ||
70 | + | ||
71 | + c = (struct smb2_create) { | ||
72 | + .in.desired_access = SEC_STD_READ_CONTROL | | ||
73 | + SEC_STD_WRITE_DAC | | ||
74 | + SEC_STD_WRITE_OWNER, | ||
75 | + .in.file_attributes = FILE_ATTRIBUTE_NORMAL, | ||
76 | + .in.share_access = NTCREATEX_SHARE_ACCESS_READ | | ||
77 | + NTCREATEX_SHARE_ACCESS_WRITE, | ||
78 | + .in.create_disposition = NTCREATEX_DISP_OPEN_IF, | ||
79 | + .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, | ||
80 | + .in.fname = fname, | ||
81 | + }; | ||
82 | + | ||
83 | + status = smb2_create(tree, tctx, &c); | ||
84 | + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, | ||
85 | + "smb2_create failed\n"); | ||
86 | + handle = c.out.file.handle; | ||
87 | + | ||
88 | + torture_comment(tctx, "get the original sd\n"); | ||
89 | + | ||
90 | + ZERO_STRUCT(q); | ||
91 | + q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; | ||
92 | + q.query_secdesc.in.file.handle = handle; | ||
93 | + q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; | ||
94 | + | ||
95 | + status = smb2_getinfo_file(tree, tctx, &q); | ||
96 | + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, | ||
97 | + "smb2_getinfo_file failed\n"); | ||
98 | + sd_orig = q.query_secdesc.out.sd; | ||
99 | + | ||
100 | + owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); | ||
101 | + | ||
102 | + sd = security_descriptor_dacl_create(tctx, | ||
103 | + 0, NULL, NULL, | ||
104 | + owner_sid, | ||
105 | + SEC_ACE_TYPE_ACCESS_ALLOWED, | ||
106 | + SEC_FILE_READ_DATA, | ||
107 | + 0, | ||
108 | + NULL); | ||
109 | + | ||
110 | + ZERO_STRUCT(set); | ||
111 | + set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; | ||
112 | + set.set_secdesc.in.file.handle = handle; | ||
113 | + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; | ||
114 | + set.set_secdesc.in.sd = sd; | ||
115 | + | ||
116 | + status = smb2_setinfo_file(tree, &set); | ||
117 | + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, | ||
118 | + "smb2_setinfo_file failed\n"); | ||
119 | + | ||
120 | + smb2_util_close(tree, handle); | ||
121 | + ZERO_STRUCT(handle); | ||
122 | + | ||
123 | + for (i = 0; i < ARRAY_SIZE(tcases); i++) { | ||
124 | + torture_comment(tctx, "Verify open with %s dispostion\n", | ||
125 | + tcases[i].disposition_string); | ||
126 | + | ||
127 | + c = (struct smb2_create) { | ||
128 | + .in.create_disposition = tcases[i].disposition, | ||
129 | + .in.desired_access = SEC_FILE_READ_DATA, | ||
130 | + .in.file_attributes = FILE_ATTRIBUTE_NORMAL, | ||
131 | + .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, | ||
132 | + .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, | ||
133 | + .in.fname = fname, | ||
134 | + }; | ||
135 | + | ||
136 | + status = smb2_create(tree, tctx, &c); | ||
137 | + smb2_util_close(tree, c.out.file.handle); | ||
138 | + torture_assert_ntstatus_equal_goto( | ||
139 | + tctx, status, tcases[i].expected_status, ret, done, | ||
140 | + "smb2_create failed\n"); | ||
141 | + }; | ||
142 | + | ||
143 | + torture_comment(tctx, "put back original sd\n"); | ||
144 | + | ||
145 | + c = (struct smb2_create) { | ||
146 | + .in.desired_access = SEC_STD_WRITE_DAC, | ||
147 | + .in.file_attributes = FILE_ATTRIBUTE_NORMAL, | ||
148 | + .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, | ||
149 | + .in.create_disposition = NTCREATEX_DISP_OPEN_IF, | ||
150 | + .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, | ||
151 | + .in.fname = fname, | ||
152 | + }; | ||
153 | + | ||
154 | + status = smb2_create(tree, tctx, &c); | ||
155 | + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, | ||
156 | + "smb2_create failed\n"); | ||
157 | + handle = c.out.file.handle; | ||
158 | + | ||
159 | + ZERO_STRUCT(set); | ||
160 | + set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; | ||
161 | + set.set_secdesc.in.file.handle = handle; | ||
162 | + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; | ||
163 | + set.set_secdesc.in.sd = sd_orig; | ||
164 | + | ||
165 | + status = smb2_setinfo_file(tree, &set); | ||
166 | + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, | ||
167 | + "smb2_setinfo_file failed\n"); | ||
168 | + | ||
169 | + smb2_util_close(tree, handle); | ||
170 | + ZERO_STRUCT(handle); | ||
171 | + | ||
172 | +done: | ||
173 | + smb2_util_close(tree, handle); | ||
174 | + smb2_util_unlink(tree, fname); | ||
175 | + smb2_deltree(tree, BASEDIR); | ||
176 | + return ret; | ||
177 | +} | ||
178 | + | ||
179 | + | ||
180 | /* | ||
181 | basic testing of SMB2 ACLs | ||
182 | */ | ||
183 | @@ -3051,6 +3194,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) | ||
184 | test_deny1); | ||
185 | torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", | ||
186 | test_mxac_not_granted); | ||
187 | + torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", | ||
188 | + test_overwrite_read_only_file); | ||
189 | |||
190 | suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); | ||
191 | |||
192 | -- | ||
193 | 2.40.0 | ||
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch new file mode 100644 index 000000000..43d3b4929 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ralph Boehme <slow@samba.org> | ||
3 | Date: Tue, 1 Aug 2023 13:04:36 +0200 | ||
4 | Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in | ||
5 | open_file() | ||
6 | |||
7 | If the client requested FILE_OVERWRITE[_IF], we're implicitly adding | ||
8 | FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the | ||
9 | access check we're using access_mask which doesn't contain the additional | ||
10 | right, which means we can end up truncating a file for which the user has | ||
11 | only read-only access via an SD. | ||
12 | |||
13 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 | ||
14 | |||
15 | Signed-off-by: Ralph Boehme <slow@samba.org> | ||
16 | |||
17 | CVE: CVE-2023-4091 | ||
18 | |||
19 | Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5] | ||
20 | |||
21 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
22 | --- | ||
23 | selftest/knownfail.d/samba3.smb2.acls | 1 - | ||
24 | source3/smbd/open.c | 4 ++-- | ||
25 | 2 files changed, 2 insertions(+), 3 deletions(-) | ||
26 | delete mode 100644 selftest/knownfail.d/samba3.smb2.acls | ||
27 | |||
28 | diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls | ||
29 | deleted file mode 100644 | ||
30 | index 18df260..0000000 | ||
31 | --- a/selftest/knownfail.d/samba3.smb2.acls | ||
32 | +++ /dev/null | ||
33 | @@ -1 +0,0 @@ | ||
34 | -^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE | ||
35 | diff --git a/source3/smbd/open.c b/source3/smbd/open.c | ||
36 | index 2c3bf9e..4bec5cb 100644 | ||
37 | --- a/source3/smbd/open.c | ||
38 | +++ b/source3/smbd/open.c | ||
39 | @@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp, | ||
40 | conn->cwd_fsp, | ||
41 | smb_fname, | ||
42 | false, | ||
43 | - access_mask); | ||
44 | + open_access_mask); | ||
45 | |||
46 | if (!NT_STATUS_IS_OK(status)) { | ||
47 | DEBUG(10, ("open_file: " | ||
48 | @@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp, | ||
49 | conn->cwd_fsp, | ||
50 | smb_fname, | ||
51 | false, | ||
52 | - access_mask); | ||
53 | + open_access_mask); | ||
54 | |||
55 | if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && | ||
56 | (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) && | ||
57 | -- | ||
58 | 2.40.0 | ||
59 | |||
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index aa27592cb..dcb4d8137 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb | |||
@@ -49,6 +49,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ | |||
49 | file://CVE-2023-34968_0009.patch \ | 49 | file://CVE-2023-34968_0009.patch \ |
50 | file://CVE-2023-34968_0010.patch \ | 50 | file://CVE-2023-34968_0010.patch \ |
51 | file://CVE-2023-34968_0011.patch \ | 51 | file://CVE-2023-34968_0011.patch \ |
52 | file://CVE-2023-4091-0001.patch \ | ||
53 | file://CVE-2023-4091-0002.patch \ | ||
52 | " | 54 | " |
53 | 55 | ||
54 | SRC_URI:append:libc-musl = " \ | 56 | SRC_URI:append:libc-musl = " \ |