samba: CVE-2020-14318 Security Advisory

References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> 2020-12-15 15:31:36 +0800
committer: Khem Raj <raj.khem@gmail.com> 2020-12-15 00:52:55 -0800
commit: 1d44b4c03d51e91ce01cf5fd0b33155ce36f1862 (patch)
tree: c5ead3b93a2a2a55266489b9398319867808570a
parent: d259144422bb44af9dbc7397fc4077d0bf3fc83f (diff)
download: meta-openembedded-1d44b4c03d51e91ce01cf5fd0b33155ce36f1862.tar.gz
2 files changed, 143 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
new file mode 100644
index 0000000000..ff1225db07
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
@@ -0,0 +1,142 @@
+From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 11:32:44 +0900
+Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test.
+s3: smbd: Ensure change notifies can't get set unless the
+ directory handle is open for SEC_DIR_LIST.
+CVE-2020-14318
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ source3/smbd/notify.c         |  8 ++++
+ source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 1 deletion(-)
+diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
+index 44c0b09..d23c03b 100644
+--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
+        char fullpath[len+1];
+        NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+ 
+       /*
+        * Setting a changenotify needs READ/LIST access
+        * on the directory handle.
+        */
+       if (!(fsp->access_mask & SEC_DIR_LIST)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+        if (fsp->notify != NULL) {
+                DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+                          "fname = %s\n", fsp->fsp_name->base_name));
+diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
+index ebb4f8a..a5c9b94 100644
+--- a/source4/torture/smb2/notify.c
+++ b/source4/torture/smb2/notify.c
+@@ -2569,6 +2569,83 @@ done:
+        return ok;
+ }
+ 
+/*
+  Test asking for a change notify on a handle without permissions.
+*/
+
+#define BASEDIR_HPERM BASEDIR "_HPERM"
+
+static bool torture_smb2_notify_handle_permissions(
+               struct torture_context *torture,
+               struct smb2_tree *tree)
+{
+       bool ret = true;
+       NTSTATUS status;
+       union smb_notify notify;
+       union smb_open io;
+       struct smb2_handle h1 = {{0}};
+       struct smb2_request *req;
+
+       smb2_deltree(tree, BASEDIR_HPERM);
+       smb2_util_rmdir(tree, BASEDIR_HPERM);
+
+       torture_comment(torture,
+               "TESTING CHANGE NOTIFY "
+               "ON A HANDLE WITHOUT PERMISSIONS\n");
+
+       /*
+         get a handle on the directory
+       */
+       ZERO_STRUCT(io.smb2);
+       io.generic.level = RAW_OPEN_SMB2;
+       io.smb2.in.create_flags = 0;
+       io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
+       io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
+       io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+       io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+                               NTCREATEX_SHARE_ACCESS_WRITE;
+       io.smb2.in.alloc_size = 0;
+       io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
+       io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
+       io.smb2.in.security_flags = 0;
+       io.smb2.in.fname = BASEDIR_HPERM;
+
+       status = smb2_create(tree, torture, &io.smb2);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       h1 = io.smb2.out.file.handle;
+
+       /* ask for a change notify,
+          on file or directory name changes */
+       ZERO_STRUCT(notify.smb2);
+       notify.smb2.level = RAW_NOTIFY_SMB2;
+       notify.smb2.in.buffer_size = 1000;
+       notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
+       notify.smb2.in.file.handle = h1;
+       notify.smb2.in.recursive = true;
+
+       req = smb2_notify_send(tree, &notify.smb2);
+       torture_assert_goto(torture,
+                       req != NULL,
+                       ret,
+                       done,
+                       "smb2_notify_send failed\n");
+
+       /*
+        * Cancel it, we don't really want to wait.
+        */
+       smb2_cancel(req);
+       status = smb2_notify_recv(req, torture, &notify.smb2);
+       /* Handle h1 doesn't have permissions for ChangeNotify. */
+       CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+
+done:
+       if (!smb2_util_handle_empty(h1)) {
+               smb2_util_close(tree, h1);
+       }
+       smb2_deltree(tree, BASEDIR_HPERM);
+       return ret;
+}
+
+ /*
+    basic testing of SMB2 change notify
+ */
+@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
+                                     torture_smb2_notify_rmdir3);
+        torture_suite_add_2smb2_test(suite, "rmdir4",
+                                     torture_smb2_notify_rmdir4);
+-
+       torture_suite_add_1smb2_test(suite,
+                                   "handle-permissions",
+                                   torture_smb2_notify_handle_permissions);
+ 
+        suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
+ 
+        return suite;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index b5085c913b..923b2ddf16 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
           file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
           file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
+           file://CVE-2020-14318.patch \
           "
 SRC_URI_append_libc-musl = " \
           file://samba-pam.patch \
author	Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>	2020-12-15 15:31:36 +0800
committer	Khem Raj <raj.khem@gmail.com>	2020-12-15 00:52:55 -0800
commit	1d44b4c03d51e91ce01cf5fd0b33155ce36f1862 (patch)
tree	c5ead3b93a2a2a55266489b9398319867808570a
parent	d259144422bb44af9dbc7397fc4077d0bf3fc83f (diff)
download	meta-openembedded-1d44b4c03d51e91ce01cf5fd0b33155ce36f1862.tar.gz

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch new file mode 100644 index 0000000000..ff1225db07 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
@@ -0,0 +1,142 @@
		1	From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001
		2	From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
		3	Date: Fri, 11 Dec 2020 11:32:44 +0900
		4	Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test.
		5
		6	s3: smbd: Ensure change notifies can't get set unless the
		7	directory handle is open for SEC_DIR_LIST.
		8
		9	CVE-2020-14318
		10
		11	BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
		12
		13	Signed-off-by: Jeremy Allison <jra@samba.org>
		14
		15	Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
		16	---
		17	source3/smbd/notify.c \| 8 ++++
		18	source4/torture/smb2/notify.c \| 82 ++++++++++++++++++++++++++++++++++-
		19	2 files changed, 89 insertions(+), 1 deletion(-)
		20
		21	diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
		22	index 44c0b09..d23c03b 100644
		23	--- a/source3/smbd/notify.c
		24	+++ b/source3/smbd/notify.c
		25	@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
		26	char fullpath[len+1];
		27	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
		28
		29	+ /*
		30	+ * Setting a changenotify needs READ/LIST access
		31	+ * on the directory handle.
		32	+ */
		33	+ if (!(fsp->access_mask & SEC_DIR_LIST)) {
		34	+ return NT_STATUS_ACCESS_DENIED;
		35	+ }
		36	+
		37	if (fsp->notify != NULL) {
		38	DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
		39	"fname = %s\n", fsp->fsp_name->base_name));
		40	diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
		41	index ebb4f8a..a5c9b94 100644
		42	--- a/source4/torture/smb2/notify.c
		43	+++ b/source4/torture/smb2/notify.c
		44	@@ -2569,6 +2569,83 @@ done:
		45	return ok;
		46	}
		47
		48	+/*
		49	+ Test asking for a change notify on a handle without permissions.
		50	+*/
		51	+
		52	+#define BASEDIR_HPERM BASEDIR "_HPERM"
		53	+
		54	+static bool torture_smb2_notify_handle_permissions(
		55	+ struct torture_context *torture,
		56	+ struct smb2_tree *tree)
		57	+{
		58	+ bool ret = true;
		59	+ NTSTATUS status;
		60	+ union smb_notify notify;
		61	+ union smb_open io;
		62	+ struct smb2_handle h1 = {{0}};
		63	+ struct smb2_request *req;
		64	+
		65	+ smb2_deltree(tree, BASEDIR_HPERM);
		66	+ smb2_util_rmdir(tree, BASEDIR_HPERM);
		67	+
		68	+ torture_comment(torture,
		69	+ "TESTING CHANGE NOTIFY "
		70	+ "ON A HANDLE WITHOUT PERMISSIONS\n");
		71	+
		72	+ /*
		73	+ get a handle on the directory
		74	+ */
		75	+ ZERO_STRUCT(io.smb2);
		76	+ io.generic.level = RAW_OPEN_SMB2;
		77	+ io.smb2.in.create_flags = 0;
		78	+ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
		79	+ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
		80	+ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
		81	+ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ \|
		82	+ NTCREATEX_SHARE_ACCESS_WRITE;
		83	+ io.smb2.in.alloc_size = 0;
		84	+ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
		85	+ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
		86	+ io.smb2.in.security_flags = 0;
		87	+ io.smb2.in.fname = BASEDIR_HPERM;
		88	+
		89	+ status = smb2_create(tree, torture, &io.smb2);
		90	+ CHECK_STATUS(status, NT_STATUS_OK);
		91	+ h1 = io.smb2.out.file.handle;
		92	+
		93	+ /* ask for a change notify,
		94	+ on file or directory name changes */
		95	+ ZERO_STRUCT(notify.smb2);
		96	+ notify.smb2.level = RAW_NOTIFY_SMB2;
		97	+ notify.smb2.in.buffer_size = 1000;
		98	+ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
		99	+ notify.smb2.in.file.handle = h1;
		100	+ notify.smb2.in.recursive = true;
		101	+
		102	+ req = smb2_notify_send(tree, &notify.smb2);
		103	+ torture_assert_goto(torture,
		104	+ req != NULL,
		105	+ ret,
		106	+ done,
		107	+ "smb2_notify_send failed\n");
		108	+
		109	+ /*
		110	+ * Cancel it, we don't really want to wait.
		111	+ */
		112	+ smb2_cancel(req);
		113	+ status = smb2_notify_recv(req, torture, &notify.smb2);
		114	+ /* Handle h1 doesn't have permissions for ChangeNotify. */
		115	+ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
		116	+
		117	+done:
		118	+ if (!smb2_util_handle_empty(h1)) {
		119	+ smb2_util_close(tree, h1);
		120	+ }
		121	+ smb2_deltree(tree, BASEDIR_HPERM);
		122	+ return ret;
		123	+}
		124	+
		125	/*
		126	basic testing of SMB2 change notify
		127	*/
		128	@@ -2602,7 +2679,10 @@ struct torture_suite torture_smb2_notify_init(TALLOC_CTX ctx)
		129	torture_smb2_notify_rmdir3);
		130	torture_suite_add_2smb2_test(suite, "rmdir4",
		131	torture_smb2_notify_rmdir4);
		132	-
		133	+ torture_suite_add_1smb2_test(suite,
		134	+ "handle-permissions",
		135	+ torture_smb2_notify_handle_permissions);
		136	+
		137	suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
		138
		139	return suite;
		140	--
		141	2.25.1
		142


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index b5085c913b..923b2ddf16 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
28	file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \	28	file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
29	file://0001-Add-options-to-configure-the-use-of-libbsd.patch \	29	file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
30	file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \	30	file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
		31	file://CVE-2020-14318.patch \
31	"	32	"
32	SRC_URI_append_libc-musl = " \	33	SRC_URI_append_libc-musl = " \
33	file://samba-pam.patch \	34	file://samba-pam.patch \