The branch, v4-6-stable has been updated
       via  1a8f3cf VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.
       via  2d44083 WHATSNEW: Add release notes for Samba 4.6.1.
       via  d9475c9 CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
       via  22a8d4e CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
       via  86b913f CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
       via  49edefe CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
       via  7a61eb2 CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
       via  16de606 CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before returning success.
       via  e558347 CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
       via  a98b3a1 CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
       via  556f7dd CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
       via  a028e01 CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
       via  0eae801 CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
       via  7609944 CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
       via  d7644e3 CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
       via  1325da1 VERSION: Bump version up to 4.6.1...
      from  f17816a VERSION: Disable GIT_SNAPSHOTS for the 4.6.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable


- Log -----------------------------------------------------------------
commit 1a8f3cfb4ebc21a0889c7692591ae41a46d7dfb2
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Mar 17 11:54:34 2017 +0100

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.

    CVE-2017-2619: Symlink race allows access outside share definition.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 2d44083d28daccdf10934d6badb7a1ef55a90f4b
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Mar 17 11:51:42 2017 +0100

    WHATSNEW: Add release notes for Samba 4.6.1.

    CVE-2017-2619: Symlink race allows access outside share definition.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit d9475c95d2eb452f2527f351c1b825dfe45e0fae
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Dec 15 13:06:31 2016 -0800

    CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 22a8d4e802b50a73a78c39d12c33397808debbcd
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Dec 15 13:04:46 2016 -0800

    CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 86b913f59198d1a397f9136c221f74da0ee7f415
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Dec 15 12:56:08 2016 -0800

    CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 49edefe2ebd9c43e90d4ff295a3fee65c375607a
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Dec 15 12:52:13 2016 -0800

    CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 7a61eb2f964b2930dad423bf23c9697ce2503914
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 12:35:32 2016 -0800

    CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 16de60625cdc678c5d14020a6557cbac3d3bf13d
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 12:32:07 2016 -0800

    CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before returning success.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit e558347120df675fcf65bd9ddba706405d8af3e9
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 12:15:59 2016 -0800

    CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit a98b3a162160567092773cee82e6b396c9dae2cf
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 12:13:20 2016 -0800

    CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 556f7dd4a5d245c49ef52ae639c9671245713fe7
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 16:35:00 2016 -0800

    CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().

    Hardens OpenDir against TOC/TOU races.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit a028e01a2b0126dd61606aa16d98ed4696ccfbab
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 16:25:26 2016 -0800

    CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 0eae80125b456419075c6c358f38079402add156
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Dec 19 11:55:56 2016 -0800

    CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit 76099445c87fabc8741ee0e3f538452caf67e474
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Mar 19 18:52:10 2017 +0100

    CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Uri Simchoni <u...@samba.org>

commit d7644e3588511dbc3ee2a39a019ab898324c3ae5
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Mar 19 15:58:17 2017 +0100

    CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()

    dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
    have to reopen it.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org> commit 1325da1899fbdce022143558caa86685e45ca91a Author: Karolin Seeger <ksee...@samba.org> Date: Tue Mar 7 10:06:53 2017 +0100 VERSION: Bump version up to 4.6.1... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger <ksee...@samba.org> (cherry picked from commit 074aaeb61ea2f48965becc66df9083628b9a2508) ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 78 ++++++++- source3/smbd/dir.c | 161 ++++++++++++++----- source3/smbd/open.c | 310 +++++++++++++++++++++++++++++++++--- source3/smbd/smb2_query_directory.c | 17 ++ source4/torture/smb2/dir.c | 12 +- 6 files changed, 511 insertions(+), 69 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 28167de..8632851 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 66597bf..02935d7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,5 +1,79 @@ -Release Announcements -===================== + ============================= + Release Notes for Samba 4.6.1 + March 23, 2017 + ============================= + + +This is a security release in order to address the following defect: + +o CVE-2017-2619 (Symlink race allows access outside share definition) + +======= +Details +======= + +o CVE-2017-2619: + All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to + a malicious client using a symlink race to allow access to areas of + the server file system not exported under the share definition. + + Samba uses the realpath() system call to ensure when a client requests + access to a pathname that it is under the exported share path on the + server file system. + + Clients that have write access to the exported part of the file system + via SMB1 unix extensions or NFS to create symlinks can race the server + by renaming a realpath() checked path and then creating a symlink. If + the client wins the race it can cause the server to access the new + symlink target after the exported share path check has been done. This + new symlink target can point to anywhere on the server file system. + + This is a difficult race to win, but theoretically possible. Note that + the proof of concept code supplied wins the race reliably only when + the server is slowed down using the strace utility running on the + server. Exploitation of this bug has not been seen in the wild. + + +Changes since 4.6.0: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share + directory. + +o Ralph Boehme <s...@samba.org> + * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share + directory. 
+ + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================== + Release Notes for Samba 4.6.0 + March 7, 2017 + ============================== + This is the first stable release of Samba 4.6. Please read the release notes carefully before upgrading. diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index 3c6f000..1348d12 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -1630,7 +1630,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp) Open a directory. ********************************************************************/ -struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, +static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, + connection_struct *conn, const struct smb_filename *smb_dname, const char *mask, uint32_t attr) 
@@ -1642,29 +1643,23 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, return NULL; } - dirp->conn = conn; - dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); + dirp->dir = SMB_VFS_OPENDIR(conn, smb_dname, mask, attr); - dirp->dir_smb_fname = cp_smb_filename(dirp, smb_dname); - if (!dirp->dir_smb_fname) { - errno = ENOMEM; + if (!dirp->dir) { + DEBUG(5,("OpenDir: Can't open %s. %s\n", + smb_dname->base_name, + strerror(errno) )); goto fail; } + dirp->conn = conn; + dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); + if (sconn && !sconn->using_smb2) { sconn->searches.dirhandles_open++; } talloc_set_destructor(dirp, smb_Dir_destructor); - dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_smb_fname, mask, attr); - - if (!dirp->dir) { - DEBUG(5,("OpenDir: Can't open %s. %s\n", - dirp->dir_smb_fname->base_name, - strerror(errno) )); - goto fail; - } - return dirp; fail: 
@@ -1672,6 +1667,87 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, return NULL; } +/**************************************************************************** + Open a directory handle by pathname, ensuring it's under the share path. +****************************************************************************/ + +static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx, + connection_struct *conn, + const struct smb_filename *smb_dname, + const char *wcard, + uint32_t attr) +{ + struct smb_Dir *dir_hnd = NULL; + struct smb_filename *smb_fname_cwd = NULL; + char *saved_dir = vfs_GetWd(ctx, conn); + NTSTATUS status; + + if (saved_dir == NULL) { + return NULL; + } + + if (vfs_ChDir(conn, smb_dname->base_name) == -1) { + goto out; + } + + smb_fname_cwd = synthetic_smb_fname(talloc_tos(), + ".", + NULL, + NULL, + smb_dname->flags); + if (smb_fname_cwd == NULL) { + goto out; + } + + /* + * Now the directory is pinned, use + * REALPATH to ensure we can access it. + */ + status = check_name(conn, "."); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + dir_hnd = OpenDir_internal(ctx, + conn, + smb_fname_cwd, + wcard, + attr); + + if (dir_hnd == NULL) { + goto out; + } + + /* + * OpenDir_internal only gets "." as the dir name. + * Store the real dir name here. + */ + + dir_hnd->dir_smb_fname = cp_smb_filename(dir_hnd, smb_dname); + if (!dir_hnd->dir_smb_fname) { + TALLOC_FREE(dir_hnd); + errno = ENOMEM; + } + + out: + + vfs_ChDir(conn, saved_dir); + TALLOC_FREE(saved_dir); + return dir_hnd; +} + +struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, + const struct smb_filename *smb_dname, + const char *mask, + uint32_t attr) +{ + return open_dir_safely(mem_ctx, + conn, + smb_dname, + mask, + attr); +} + /******************************************************************* Open a directory from an fsp. ********************************************************************/ 
@@ -1685,7 +1761,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, struct smbd_server_connection *sconn = conn->sconn; if (!dirp) { - return NULL; + goto fail; + } + + if (!fsp->is_directory) { + errno = EBADF; + goto fail; + } + + if (fsp->fh->fd == -1) { + errno = EBADF; + goto fail; } dirp->conn = conn; @@ -1697,40 +1783,33 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, goto fail; } - if (sconn && !sconn->using_smb2) { - sconn->searches.dirhandles_open++; - } - talloc_set_destructor(dirp, smb_Dir_destructor); - - if (fsp->is_directory && fsp->fh->fd != -1) { - dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); - if (dirp->dir != NULL) { - dirp->fsp = fsp; - } else { - DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " - "NULL (%s)\n", - dirp->dir_smb_fname->base_name, - strerror(errno))); - if (errno != ENOSYS) { - return NULL; - } + dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); + if (dirp->dir != NULL) { + dirp->fsp = fsp; + } else { + DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " + "NULL (%s)\n", + dirp->dir_smb_fname->base_name, + strerror(errno))); + if (errno != ENOSYS) { + goto fail; } } if (dirp->dir == NULL) { - /* FDOPENDIR didn't work. Use OPENDIR instead. */ - dirp->dir = SMB_VFS_OPENDIR(conn, - dirp->dir_smb_fname, + /* FDOPENDIR is not supported. Use OPENDIR instead. */ + TALLOC_FREE(dirp); + return open_dir_safely(mem_ctx, + conn, + fsp->fsp_name, mask, attr); } - if (!dirp->dir) { - DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", - dirp->dir_smb_fname->base_name, - strerror(errno) )); - goto fail; + if (sconn && !sconn->using_smb2) { + sconn->searches.dirhandles_open++; } + talloc_set_destructor(dirp, smb_Dir_destructor); return dirp; diff --git a/source3/smbd/open.c b/source3/smbd/open.c index e0e4705..08d14cb 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
@@ -355,6 +355,269 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn, } /**************************************************************************** + Handle differing symlink errno's +****************************************************************************/ + +static int link_errno_convert(int err) +{ +#if defined(ENOTSUP) && defined(OSF1) + /* handle special Tru64 errno */ + if (err == ENOTSUP) { + err = ELOOP; + } +#endif /* ENOTSUP */ +#ifdef EFTYPE + /* fix broken NetBSD errno */ + if (err == EFTYPE) { + err = ELOOP; + } +#endif /* EFTYPE */ + /* fix broken FreeBSD errno */ + if (err == EMLINK) { + err = ELOOP; + } + return err; +} + +static int non_widelink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth); + +/**************************************************************************** + Follow a symlink in userspace. +****************************************************************************/ + +static int process_symlink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth) +{ + int fd = -1; + char *link_target = NULL; + int link_len = -1; + char *oldwd = NULL; + size_t rootdir_len = 0; + char *resolved_name = NULL; + bool matched = false; + int saved_errno = 0; + + /* + * Ensure we don't get stuck in a symlink loop. + */ + link_depth++; + if (link_depth >= 20) { + errno = ELOOP; + goto out; + } + + /* Allocate space for the link target. */ + link_target = talloc_array(talloc_tos(), char, PATH_MAX); + if (link_target == NULL) { + errno = ENOMEM; + goto out; + } + + /* Read the link target. */ + link_len = SMB_VFS_READLINK(conn, + smb_fname->base_name, + link_target, + PATH_MAX - 1); + if (link_len == -1) { + goto out; + } + + /* Ensure it's at least null terminated. 
*/ + link_target[link_len] = '\0'; + + /* Convert to an absolute path. */ + resolved_name = SMB_VFS_REALPATH(conn, link_target); + if (resolved_name == NULL) { + goto out; + } + + /* + * We know conn_rootdir starts with '/' and + * does not end in '/'. FIXME ! Should we + * smb_assert this ? + */ + rootdir_len = strlen(conn_rootdir); + + matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); + if (!matched) { + errno = EACCES; + goto out; + } + + /* + * Turn into a path relative to the share root. + */ + if (resolved_name[rootdir_len] == '\0') { + /* Link to the root of the share. */ + smb_fname->base_name = talloc_strdup(talloc_tos(), "."); + if (smb_fname->base_name == NULL) { + errno = ENOMEM; + goto out; + } + } else if (resolved_name[rootdir_len] == '/') { + smb_fname->base_name = &resolved_name[rootdir_len+1]; + } else { + errno = EACCES; + goto out; + } + + oldwd = vfs_GetWd(talloc_tos(), conn); + if (oldwd == NULL) { + goto out; + } + + /* Ensure we operate from the root of the share. */ + if (vfs_ChDir(conn, conn_rootdir) == -1) { + goto out; + } + + /* And do it all again.. */ + fd = non_widelink_open(conn, + conn_rootdir, + fsp, + smb_fname, + flags, + mode, + link_depth); + if (fd == -1) { + saved_errno = errno; + } + + out: + + SAFE_FREE(resolved_name); + TALLOC_FREE(link_target); + if (oldwd != NULL) { + int ret = vfs_ChDir(conn, oldwd); + if (ret == -1) { + smb_panic("unable to get back to old directory\n"); + } + TALLOC_FREE(oldwd); + } + if (saved_errno != 0) { + errno = saved_errno; + } + return fd; +} + +/**************************************************************************** + Non-widelink open. 
+****************************************************************************/ + +static int non_widelink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth) +{ + NTSTATUS status; + int fd = -1; + struct smb_filename *smb_fname_rel = NULL; + int saved_errno = 0; + char *oldwd = NULL; + char *parent_dir = NULL; + const char *final_component = NULL; -- Samba Shared Repository
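Review bot: in open_dir_safely() (dir.c hunk @@ -1672,6 +1667,87), the check_name() failure path does `goto out` without setting errno, so OpenDir() returns NULL while errno still holds whatever the preceding vfs_ChDir()/synthetic_smb_fname() left behind, and callers that log strerror(errno) will report a misleading cause; set errno explicitly before the jump (a mapping of the NTSTATUS, or at least `errno = EACCES;`). The restore `vfs_ChDir(conn, saved_dir);` at `out:` also ignores its return value, whereas the equivalent restore in process_symlink_open() (open.c) treats failure as fatal with smb_panic(); a silently failed restore leaves the connection's cwd pinned inside smb_dname, and every later relative-path operation on that connection would resolve against the wrong directory, so the two places should handle it the same way. Finally, when cp_smb_filename() fails, TALLOC_FREE(dir_hnd) runs smb_Dir_destructor on a handle whose dir_smb_fname is still NULL (OpenDir_internal() no longer sets it), which the destructor must tolerate; a short comment at the `dir_hnd->dir_smb_fname = ...` assignment would make that invariant explicit.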
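Review bot: the new early returns in OpenDir_fsp() (dir.c hunks @@ -1685,7 +1761,17 and @@ -1697,40 +1783,33) change behaviour for an fsp that is not a directory or whose fh->fd is -1: such handles used to fall through to SMB_VFS_OPENDIR on dirp->dir_smb_fname, and now fail with EBADF. That is the right direction (the path-based open is exactly what the race abused), but the commit message "OpenDir_fsp() use early returns" reads as a pure cleanup and should state the behaviour change. The ENOSYS fallback then frees dirp and calls `open_dir_safely(mem_ctx, conn, fsp->fsp_name, ...)`, which reintroduces a path-based open; this is acceptable only because open_dir_safely() pins the directory with chdir() and re-checks it with check_name(), and the comment `/* FDOPENDIR is not supported. Use OPENDIR instead. */` should say so rather than name the function it no longer calls. Note also that the fallback must happen before talloc_set_destructor() (as it now does), otherwise dirhandles_open would be decremented for a handle that was never counted.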
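Review bot: in process_symlink_open() (open.c hunk @@ -355,6 +355,269), the branch `smb_fname->base_name = &resolved_name[rootdir_len+1];` makes base_name alias memory that is released by `SAFE_FREE(resolved_name);` at `out:`, so once the recursive non_widelink_open() returns, the caller's smb_fname->base_name is a dangling pointer (and the previous talloc'd base_name is dropped without being freed). The sibling branch already copies with talloc_strdup(); do the same here, and parent the copy on smb_fname rather than talloc_tos() so ownership is consistent in both branches. Two smaller points: only the recursive-call path saves errno (`saved_errno = errno;`) before the cleanup at `out:`, while the ELOOP/ENOMEM/EACCES paths rely on SAFE_FREE()/TALLOC_FREE() not clobbering errno, so saving errno belongs on every failure path; and the `FIXME ! Should we smb_assert this ?` about conn_rootdir should be resolved now, since the suffix test `resolved_name[rootdir_len] == '/'` depends on conn_rootdir having no trailing slash and would reject every target under a share rooted at "/".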