Projects
openEuler:20.03:LTS:SP3
samba
_service:tar_scm_kernel_repo:backport-CVE-2020-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-CVE-2020-14318.patch of Package samba
From 5dd4c789c13035b805fdd2c3a9c38721657b05b3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison <jra@samba.org> Date: Tue, 7 Jul 2020 18:25:23 -0700 Subject: [PATCH] s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Conflict: NA Reference: https://git.samba.org/?p=samba.git;a=patch;h=5dd4c789c13035b805fdd2c3a9c38721657b05b3 Signed-off-by: Jeremy Allison <jra@samba.org> --- source3/smbd/notify.c | 8 ++++++++ 1 files changed, 8 insertions(+) delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c index eb6317b7e8a..5f18b5cf794 100644 --- a/source3/smbd/notify.c +++ b/source3/smbd/notify.c @@ -289,6 +289,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, char fullpath[len+1]; NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; + /* + * Setting a changenotify needs READ/LIST access + * on the directory handle. + */ + if (!(fsp->access_mask & SEC_DIR_LIST)) { + return NT_STATUS_ACCESS_DENIED; + } + if (fsp->notify != NULL) { DEBUG(1, ("change_notify_create: fsp->notify != NULL, " "fname = %s\n", fsp->fsp_name->base_name)); -- 2.29.2 From 22528b76ed6eb6251fdf01875aaa955480e7663d Mon Sep 17 00:00:00 2001 From: Jeremy Allison <jra@samba.org> Date: Fri, 10 Jul 2020 15:09:33 -0700 Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison <jra@samba.org> --- source4/torture/smb2/notify.c | 80 +++++++++++++++++++ 1 files changed, 80 insertions(+) create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c index b65c116b75e..6081d394c6e 100644 --- a/source4/torture/smb2/notify.c +++ b/source4/torture/smb2/notify.c @@ -2649,6 +2649,83 @@ done: return ok; } +/* + Test asking for a change notify on a handle without permissions. +*/ + +#define BASEDIR_HPERM BASEDIR "_HPERM" + +static bool torture_smb2_notify_handle_permissions( + struct torture_context *torture, + struct smb2_tree *tree) +{ + bool ret = true; + NTSTATUS status; + union smb_notify notify; + union smb_open io; + struct smb2_handle h1 = {{0}}; + struct smb2_request *req; + + smb2_deltree(tree, BASEDIR_HPERM); + smb2_util_rmdir(tree, BASEDIR_HPERM); + + torture_comment(torture, + "TESTING CHANGE NOTIFY " + "ON A HANDLE WITHOUT PERMISSIONS\n"); + + /* + get a handle on the directory + */ + ZERO_STRUCT(io.smb2); + io.generic.level = RAW_OPEN_SMB2; + io.smb2.in.create_flags = 0; + io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE; + io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE; + io.smb2.in.alloc_size = 0; + io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; + io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; + io.smb2.in.security_flags = 0; + io.smb2.in.fname = BASEDIR_HPERM; + + status = smb2_create(tree, torture, &io.smb2); + CHECK_STATUS(status, NT_STATUS_OK); + h1 = io.smb2.out.file.handle; + + /* ask for a change notify, + on file or directory name changes */ + ZERO_STRUCT(notify.smb2); + notify.smb2.level = RAW_NOTIFY_SMB2; + notify.smb2.in.buffer_size = 1000; + notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; + notify.smb2.in.file.handle = h1; + notify.smb2.in.recursive = true; + + req = smb2_notify_send(tree, ¬ify.smb2); + torture_assert_goto(torture, + req != NULL, + ret, + done, + "smb2_notify_send failed\n"); + + /* + * Cancel it, we don't really want to wait. + */ + smb2_cancel(req); + status = smb2_notify_recv(req, torture, ¬ify.smb2); + /* Handle h1 doesn't have permissions for ChangeNotify. */ + CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); + +done: + if (!smb2_util_handle_empty(h1)) { + smb2_util_close(tree, h1); + } + smb2_deltree(tree, BASEDIR_HPERM); + return ret; +} + /* basic testing of SMB2 change notify */ @@ -2682,6 +2759,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx) torture_smb2_notify_rmdir3); torture_suite_add_2smb2_test(suite, "rmdir4", torture_smb2_notify_rmdir4); + torture_suite_add_1smb2_test(suite, + "handle-permissions", + torture_smb2_notify_handle_permissions); suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); -- 2.29.2
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.