[PATCH resend] smbfs chroot issue (CVE-2006-1864)

From: Chris Wright
Date: Tue May 09 2006 - 16:27:05 EST

Next message: Chris Wright: "Re: [RFC PATCH 34/35] Add the Xen virtual network device driver."
Previous message: Chris Wright: "Re: Linux 2.6.16.15"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Olaf Kirch <okir@xxxxxxx>

Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.

Steven French <sfrench@xxxxxxxxxx> wrote:

Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.

Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
---
This fix is in -stable, but doesn't appear to be in your tree yet.

fs/smbfs/dir.c | 5 +++++
1 file changed, 5 insertions(+)

--- linus-2.6.orig/fs/smbfs/dir.c
+++ linus-2.6/fs/smbfs/dir.c
@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den
if (dentry->d_name.len > SMB_MAXNAMELEN)
goto out;

+ /* Do not allow lookup of names with backslashes in */
+ error = -EINVAL;
+ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
+ goto out;
+
lock_kernel();
error = smb_proc_getattr(dentry, &finfo);
#ifdef SMBFS_PARANOIA

_______________________________________________
stable mailing list
stable@xxxxxxxxxxxxxxxx
http://linux.kernel.org/mailman/listinfo/stable
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "Re: [RFC PATCH 34/35] Add the Xen virtual network device driver."
Previous message: Chris Wright: "Re: Linux 2.6.16.15"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]