debcrafters-packages team mailing list archive
Message #00681
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Performing verification for noble.
This will cover both the kernel and the cifs-utils package, both in
-proposed.
This is going to be long, as we need to test:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
I started a fresh noble VM, with:
kernel 6.8.0-60-generic from -updates
cifs-utils 2:7.0-2build1 from -release
I then followed the instructions to about step 34.
root@samba-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 39 days on Fri Jul 4 02:00:18 2025
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
05/25/25 04:46:37 05/25/25 14:46:37 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 05/26/25 04:46:33
root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
05/25/25 04:46:37 05/25/25 14:46:37 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 05/26/25 04:46:33
05/25/25 04:46:54 05/25/25 14:46:37 cifs/samba-dc.example.com@
renew until 05/26/25 04:46:33
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
# journalctl -b0
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1860]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
cifs.upcall[1861]: ver=2
cifs.upcall[1861]: host=samba-dc.example.com
cifs.upcall[1861]: ip=192.168.122.124
cifs.upcall[1861]: sec=1
cifs.upcall[1861]: uid=0
cifs.upcall[1861]: creduid=0
cifs.upcall[1861]: user=root
cifs.upcall[1861]: pid=1829
cifs.upcall[1860]: get_cachename_from_process_env: pid == 0
cifs.upcall[1860]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1860]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1860]: handle_krb5_mech: using native krb5
cifs.upcall[1860]: handle_krb5_mech: obtained service ticket
cifs.upcall[1860]: Exit status 0
# stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 04:29:15.755959600 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
# docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 13:59:15.755959600 +0930
Modify: 2025-04-09 12:24:45.264000000 +0930
Change: 2025-04-09 12:24:45.264000000 +0930
Birth: 2025-04-09 12:24:45.264000000 +0930
root@fcec5b069772:/# vim /etc/krb5.conf
default_ccache_name = /tmp/krb5cc_00%{uid}
Now back on the host:
root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@samba-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.122.124:58156 192.168.122.124:microsoft-ds
On the docker container:
root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available
cifs.upcall[2003]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7d2
cifs.upcall[2004]: ver=2
cifs.upcall[2004]: host=samba-dc.example.com
cifs.upcall[2004]: ip=192.168.122.124
cifs.upcall[2004]: sec=1
cifs.upcall[2004]: uid=0
cifs.upcall[2004]: creduid=0
cifs.upcall[2004]: user=root
cifs.upcall[2004]: pid=2002
cifs.upcall[2003]: get_cachename_from_process_env: pid == 0
cifs.upcall[2003]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2003]: get_tgt_time: unable to get principal
cifs.upcall[2003]: krb5_get_init_creds_keytab: -1765328228
cifs.upcall[2003]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2003]: handle_krb5_mech: using GSS-API
cifs.upcall[2003]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[2003]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
cifs.upcall[2003]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[2003]: Unable to obtain service ticket
cifs.upcall[2003]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
Note the line:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
and
GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
In this case, cifs.upcall tried to use the kerberos credential cache from the
container namespace, instead of the host namespace where the mount was actually
first mounted in.
So we can reproduce the issue.
Next we will test:
* patched kernel, patched cifs-utils
====================================
kernel: 6.8.0-62-generic from -proposed
cifs-utils: 2:7.0-2ubuntu0.1 from -security-proposed
First, we make sure existing behaviour is maintained with the default
option:
root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu# stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,43 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 04:29:15.755959600 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
# journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1695]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
cifs.upcall[1696]: ver=2
cifs.upcall[1696]: host=samba-dc.example.com
cifs.upcall[1696]: ip=192.168.122.124
cifs.upcall[1696]: sec=1
cifs.upcall[1696]: uid=0
cifs.upcall[1696]: creduid=0
cifs.upcall[1696]: user=root
cifs.upcall[1696]: pid=1691
cifs.upcall[1696]: upcall_target=app
cifs.upcall[1695]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1695]: get_cachename_from_process_env: pid == 0
cifs.upcall[1695]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1695]: main: valid service ticket exists in credential cache
cifs.upcall[1695]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1695]: handle_krb5_mech: using native krb5
cifs.upcall[1695]: handle_krb5_mech: obtained service ticket
cifs.upcall[1695]: Exit status 0
Note, upcall_target=app is enabled by default.
In the docker container:
root@samba-dc:/home/ubuntu# docker start 685c7e420afc
685c7e420afc
root@samba-dc:/home/ubuntu# docker exec -it 685c7e420afc bash
root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,43 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 13:59:15.755959600 +0930
Modify: 2025-04-09 12:24:45.264000000 +0930
Change: 2025-04-09 12:24:45.264000000 +0930
Birth: 2025-04-09 12:24:45.264000000 +0930
On the host:
root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@samba-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.122.124:35920 192.168.122.124:microsoft-ds
On the container:
root@fcec5b069772:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available
On the host:
# journalctl -f
cifs.upcall[1847]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x736;upcall_target=app
cifs.upcall[1848]: ver=2
cifs.upcall[1848]: host=samba-dc.example.com
cifs.upcall[1848]: ip=192.168.122.124
cifs.upcall[1848]: sec=1
cifs.upcall[1848]: uid=0
cifs.upcall[1848]: creduid=0
cifs.upcall[1848]: user=root
cifs.upcall[1848]: pid=1846
cifs.upcall[1848]: upcall_target=app
cifs.upcall[1847]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1847]: get_cachename_from_process_env: pid == 0
cifs.upcall[1847]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[1847]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000)
cifs.upcall[1847]: get_tgt_time: unable to get principal
cifs.upcall[1847]: main: valid TGT is not present in credential cache
cifs.upcall[1847]: krb5_get_init_creds_keytab: -1765328228
cifs.upcall[1847]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1847]: handle_krb5_mech: using GSS-API
cifs.upcall[1847]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[1847]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
cifs.upcall[1847]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[1847]: Unable to obtain service ticket
cifs.upcall[1847]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
We still have existing behaviour by default:
cifs.upcall[1847]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
which means we will not cause any regressions.
Next, we will use the new mount option, "upcall_target=mount":
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
# journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1930]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x786;upcall_target=mount
cifs.upcall[1931]: ver=2
cifs.upcall[1931]: host=samba-dc.example.com
cifs.upcall[1931]: ip=192.168.122.124
cifs.upcall[1931]: sec=1
cifs.upcall[1931]: uid=0
cifs.upcall[1931]: creduid=0
cifs.upcall[1931]: user=root
cifs.upcall[1931]: pid=1926
cifs.upcall[1931]: upcall_target=mount
cifs.upcall[1930]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[1930]: get_cachename_from_process_env: pid == 0
cifs.upcall[1930]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1930]: main: valid service ticket exists in credential cache
cifs.upcall[1930]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1930]: handle_krb5_mech: using native krb5
cifs.upcall[1930]: handle_krb5_mech: obtained service ticket
cifs.upcall[1930]: Exit status 0
Now we have upcall_target=mount set.
In the container:
root@samba-dc:/home/ubuntu# docker start 685c7e420afc
685c7e420afc
root@samba-dc:/home/ubuntu# docker exec -it 685c7e420afc bash
root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,43 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 13:59:15.755959600 +0930
Modify: 2025-04-09 12:24:45.264000000 +0930
Change: 2025-04-09 12:24:45.264000000 +0930
Birth: 2025-04-09 12:24:45.264000000 +0930
On the host:
root@samba-dc:/home/ubuntu# kdestroy -c /tmp/krb5cc_0
root@samba-dc:/home/ubuntu# ss -K dport 445
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.122.124:37264 192.168.122.124:microsoft-ds
On the container:
root@685c7e420afc:/# stat /mnt/shared
stat: cannot statx '/mnt/shared': Required key not available
On the host:
# journalctl -f
cifs.upcall[2065]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x810;upcall_target=mount
cifs.upcall[2066]: ver=2
cifs.upcall[2066]: host=samba-dc.example.com
cifs.upcall[2066]: ip=192.168.122.124
cifs.upcall[2066]: sec=1
cifs.upcall[2066]: uid=0
cifs.upcall[2066]: creduid=0
cifs.upcall[2066]: user=root
cifs.upcall[2066]: pid=2064
cifs.upcall[2066]: upcall_target=mount
cifs.upcall[2065]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2065]: get_cachename_from_process_env: pid == 0
cifs.upcall[2065]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2065]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[2065]: get_tgt_time: unable to get principal
cifs.upcall[2065]: main: valid TGT is not present in credential cache
cifs.upcall[2065]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2065]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2065]: handle_krb5_mech: using GSS-API
cifs.upcall[2065]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[2065]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)
cifs.upcall[2065]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[2065]: Unable to obtain service ticket
cifs.upcall[2065]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
Now that "mount" is used, we correctly only use the credential cache from the
host namespace, which is FILE:/tmp/krb5cc_0, and we don't leak any data between
the container or the host, fixing the security issue.
Next we will test:
* patched kernel, existing cifs-utils
=====================================
kernel: 6.8.0-62-generic from -proposed
cifs-utils: 2:7.0-2.1 from -release
If we were to manually specify upcall_target=app on the mount command
line:
root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1531]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x5df;upcall_target=app
cifs.upcall[1532]: ver=2
cifs.upcall[1532]: host=samba-dc.example.com
cifs.upcall[1532]: ip=192.168.122.124
cifs.upcall[1532]: sec=1
cifs.upcall[1532]: uid=0
cifs.upcall[1532]: creduid=0
cifs.upcall[1532]: user=root
cifs.upcall[1532]: pid=1503
cifs.upcall[1531]: get_cachename_from_process_env: pid == 0
cifs.upcall[1531]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1531]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1531]: handle_krb5_mech: using native krb5
cifs.upcall[1531]: handle_krb5_mech: obtained service ticket
cifs.upcall[1531]: Exit status 0
The mount continues successfully. The existing cifs-utils does not complain
about it.
Test with no "upcall_target". e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1542]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x602;upcall_target=app
cifs.upcall[1543]: ver=2
cifs.upcall[1543]: host=samba-dc.example.com
cifs.upcall[1543]: ip=192.168.122.124
cifs.upcall[1543]: sec=1
cifs.upcall[1543]: uid=0
cifs.upcall[1543]: creduid=0
cifs.upcall[1543]: user=root
cifs.upcall[1543]: pid=1538
cifs.upcall[1542]: get_cachename_from_process_env: pid == 0
cifs.upcall[1542]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1542]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1542]: handle_krb5_mech: using native krb5
cifs.upcall[1542]: handle_krb5_mech: obtained service ticket
cifs.upcall[1542]: Exit status 0
Note that we still see "upcall_target=app" appended to key description even
though this is with existing cifs-utils. The mount still succeeds as normal.
Next we will test:
* existing kernel, patched cifs-utils
=====================================
Kernel: 6.8.0-60-generic
cifs-utils: 2:7.0-2ubuntu0.1 from -security-proposed
If we were to manually specify upcall_target=app on the mount command
line:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# journalctl -b0
May 25 04:52:25 samba-dc kernel: cifs: Unknown parameter 'upcall_target'
cifs-utils accepts it, but the kernel does not, and fails with an unknown
parameter. This is okay, because the existing kernel does not have support for
the new parameter, and users would manually be adding it to their mount
parameters anyway. If they went to this effort, they would notice their kernel
is out of date and would upgrade their kernel to get support.
Testing with no "upcall_target":
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# mount -l
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.124,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
# journalctl -f
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[2275]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x8dd
cifs.upcall[2276]: ver=2
cifs.upcall[2276]: host=samba-dc.example.com
cifs.upcall[2276]: ip=192.168.122.124
cifs.upcall[2276]: sec=1
cifs.upcall[2276]: uid=0
cifs.upcall[2276]: creduid=0
cifs.upcall[2276]: user=root
cifs.upcall[2276]: pid=2269
cifs.upcall[2275]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2275]: get_cachename_from_process_env: pid == 0
cifs.upcall[2275]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2275]: main: valid service ticket exists in credential cache
cifs.upcall[2275]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2275]: handle_krb5_mech: using native krb5
cifs.upcall[2275]: handle_krb5_mech: obtained service ticket
cifs.upcall[2275]: Exit status 0
Mounting shares without any additional mount parameters still works correctly.
cifs-utils does not append upcall_target=app to the mount command line, so
existing kernel continues to work correctly. Note, it does now mention:
cifs.upcall[2275]: upcall_target=app, switching namespaces to
application thread
to say that it uses the current process namespace, which is the same as
existing behaviour.
We have covered all situations of the testing matrix. Both the kernel in
-proposed and cifs-utils in -security-proposed fix the issue, and don't cause
any issues being installed independently with or without each other.
Happy to mark verified for noble.
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble verification-done-noble-linux
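
The comparison made by eye in the logs above can be scripted. This is an added example, not part of the original message or of cifs-utils: it groups cifs.upcall journal lines into upcalls and flags a reconnect whose credential cache differs from the one used at mount time. The function names and the per-host baseline are assumptions; the sample lines are abridged from the logs in this message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches "cifs.upcall[PID]: message", with or without a journal timestamp prefix.
LINE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)$")
CCACHE_RE = re.compile(r"get_existing_cc: default ccache is (\S+)")
EXIT_RE = re.compile(r"Exit status (\d+)")
TARGET_RE = re.compile(r"upcall_target=(\w+)")


@dataclass
class Upcall:
    host: str = ""
    target: str = "unset"      # "app", "mount", or "unset" on unpatched stacks
    ccache: str = ""
    exit_status: Optional[int] = None


def parse_upcalls(lines):
    """Group journal lines into upcalls; each starts at a 'key description' line."""
    upcalls, cur = [], None
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("key description:"):
            if cur is not None:            # previous upcall had no exit line
                upcalls.append(cur)
            cur = Upcall()
            for tok in msg.split(":", 1)[1].strip().split(";"):
                key, _, val = tok.partition("=")
                val = val.rstrip(">")      # journalctl pager truncation marker
                if key == "host":
                    cur.host = val
                elif key == "upcall_target":
                    cur.target = val
            continue
        if cur is None:
            continue
        t = TARGET_RE.match(msg)
        c = CCACHE_RE.search(msg)
        e = EXIT_RE.search(msg)
        if t:
            cur.target = t.group(1)
        elif c:
            name = c.group(1)
            cur.ccache = name[5:] if name.startswith("FILE:") else name
        elif e:
            cur.exit_status = int(e.group(1))
            upcalls.append(cur)
            cur = None
    if cur is not None:
        upcalls.append(cur)
    return upcalls


def find_ccache_drift(upcalls):
    """Flag upcalls whose ccache differs from the first successful one per host.

    Assumption: the first upcall with exit status 0 for a server is the mount
    itself, so its ccache is the one later reconnects are expected to use.
    """
    baseline, findings = {}, []
    for u in upcalls:
        if not u.host or not u.ccache:
            continue
        if u.host not in baseline:
            if u.exit_status == 0:
                baseline[u.host] = u.ccache
            continue
        if u.ccache != baseline[u.host]:
            findings.append((u.host, baseline[u.host], u.ccache, u.target))
    return findings


# Sample lines abridged from this message: existing kernel and cifs-utils.
UNPATCHED = """\
cifs.upcall[1860]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
cifs.upcall[1860]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1860]: Exit status 0
cifs.upcall[2003]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7d2
cifs.upcall[2003]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2003]: Exit status 458752
""".splitlines()

# Sample lines abridged from this message: patched stack, upcall_target=mount.
PATCHED_MOUNT = """\
cifs.upcall[1930]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x786;upcall_target=mount
cifs.upcall[1930]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[1930]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1930]: Exit status 0
cifs.upcall[2065]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x810;upcall_target=mount
cifs.upcall[2065]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2065]: Exit status 458752
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("upcall_target=mount", PATCHED_MOUNT)):
        print(name, find_ccache_drift(parse_upcalls(sample)))
```

A failed upcall alone is not a finding here: with upcall_target=mount the reconnect still fails after kdestroy, but against the same cache the mount used.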
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914
Title:
CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
cache
Status in cifs-utils package in Ubuntu:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in cifs-utils source package in Jammy:
In Progress
Status in linux source package in Jammy:
Fix Committed
Status in cifs-utils source package in Noble:
In Progress
Status in linux source package in Noble:
Fix Committed
Status in cifs-utils source package in Oracular:
In Progress
Status in linux source package in Oracular:
Fix Committed
Status in cifs-utils source package in Plucky:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2099914
[Impact]
This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.
In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:
a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache or accessing credential cache which
doesn't belong to correct user.
[Fix]
The fix adds a "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies what namespace to find the
kerberos credential cache, and takes options "mount" being the host namespace,
or "app", being the container namespace. The language is intended to suit
Kubernetes based usecases.
The kernel requires the following commit:
commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Mon Nov 11 11:43:51 2024 +0000
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy require a context adjustment backport and focal
needed a heavy backport.
Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
In addition, a userspace fix is also needed in cifs-utils, with the following
commits:
commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
These were a part of 7.2 upstream. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.
[Testcase]
Some knowledge of kerberos will go a long way to help you make this
all work.
We should be able to do all testing on the same VM.
1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Focal:
sudo apt install keyutils
Oracular:
sudo apt install samba-ad-dc
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.124
search SAMBA
EOF
sudo vim /etc/samba/smb.conf
Change forwarder to 8.8.8.8
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password:
. D 0 Mon Feb 28 04:23:22 2022
.. D 0 Mon Feb 28 04:23:27 2022
9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
31) smbclient -U Administrator //samba-dc.example.com/demo
Password for [SAMBA\Administrator]:
Try "help" to get a list of possible commands.
smb: \>
32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
Try "help" to get a list of possible commands.
smb: \>
33) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxx
renew until 04/10/25 02:53:22
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
34) sudo -s
35) # kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
36) # mkdir /mnt/testshare1
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
37) # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
04/09/25 03:30:26 04/09/25 13:26:10 cifs/samba-dc.example.com@
renew until 04/10/25 03:26:06
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
38) journalctl
kernel: netfs: FS-Cache loaded
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1806]: ver=2
cifs.upcall[1806]: host=samba-dc.example.com
cifs.upcall[1806]: ip=192.168.122.124
cifs.upcall[1806]: sec=1
cifs.upcall[1806]: uid=0
cifs.upcall[1806]: creduid=0
cifs.upcall[1806]: user=root
cifs.upcall[1806]: pid=1774
cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1805]: handle_krb5_mech: using native krb5
cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
cifs.upcall[1805]: Exit status 0
Take note of the line:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
39) # stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
40) sudo apt install docker.io
41) docker pull ubuntu:24.04
42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
43) root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
root@685c7e420afc:/# ls /mnt/shared
44) root@685c7e420afc:/# apt install krb5-user vim
45) root@685c7e420afc:/# vim /etc/krb5.conf
Under libdefaults, add the following line, then save and exit:
default_ccache_name = /tmp/krb5cc_00%{uid}
46) Back on the host in root, clear the initial Kerberos credential cache and disconnect the cifs connections.
# kdestroy -c /tmp/krb5cc_0
# ss -K dport 445
47) Back in the container:
root@685c7e420afc:/# stat /mnt/shared
48) Back on the host in root:
# journalctl
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2805]: ver=2
cifs.upcall[2805]: host=samba-dc.example.com
cifs.upcall[2805]: ip=192.168.122.124
cifs.upcall[2805]: sec=1
cifs.upcall[2805]: uid=0
cifs.upcall[2805]: creduid=0
cifs.upcall[2805]: user=root
cifs.upcall[2805]: pid=2803
cifs.upcall[2804]: get_cachename_from_process_env: pid == 0
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: get_tgt_time: unable to get principal
cifs.upcall[2804]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2804]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2804]: handle_krb5_mech: using GSS-API
cifs.upcall[2804]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[2804]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
cifs.upcall[2804]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[2804]: Unable to obtain service ticket
cifs.upcall[2804]: Exit status 458752
Note that it now tries to read /tmp/krb5cc_000 from the container namespace
instead of /tmp/krb5cc_0 from the host namespace.
If you install the test packages from the following PPAs:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
then, when you initially mount the cifs filesystem, use the new mount option
upcall_target=mount:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
Repeat the testcase. When we disconnect the cifs connection and try stat inside
the container, the Kerberos credential cache should be /tmp/krb5cc_0 in the
host namespace.
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
A successful run with upcall_target=mount and fixed cifs-utils should
look like:
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2123]: ver=2
cifs.upcall[2123]: host=samba-dc.example.com
cifs.upcall[2123]: ip=192.168.122.124
cifs.upcall[2123]: sec=1
cifs.upcall[2123]: uid=0
cifs.upcall[2123]: creduid=0
cifs.upcall[2123]: user=root
cifs.upcall[2123]: pid=2121
cifs.upcall[2123]: upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_cachename_from_process_env: pid == 0
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2122]: handle_krb5_mech: using native krb5
cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
cifs.upcall[2122]: Exit status 0
Specific Testcases Of Existing / Patched Packages:
patched kernel, existing cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1540]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x600;upcall_target=app
cifs.upcall[1541]: ver=2
cifs.upcall[1541]: host=samba-dc.example.com
cifs.upcall[1541]: ip=192.168.122.124
cifs.upcall[1541]: sec=1
cifs.upcall[1541]: uid=0
cifs.upcall[1541]: creduid=0
cifs.upcall[1541]: user=root
cifs.upcall[1541]: pid=1536
cifs.upcall[1540]: get_cachename_from_process_env: pid == 0
cifs.upcall[1540]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1540]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1540]: handle_krb5_mech: using native krb5
cifs.upcall[1540]: handle_krb5_mech: obtained service ticket
cifs.upcall[1540]: Exit status 0
Test with no "upcall_target", e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
Apr 30 04:23:35 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ver=2
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: host=samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ip=192.168.122.124
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: sec=1
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: uid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: creduid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: user=root
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: pid=1556
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_cachename_from_process_env: pid == 0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: getting service ticket for samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: using native krb5
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: obtained service ticket
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0
existing kernel, patched cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# journalctl -f
kernel: cifs: Unknown parameter 'upcall_target'
Test with no "upcall_target", e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
cifs.upcall[10900]: ver=2
cifs.upcall[10900]: host=samba-dc.example.com
cifs.upcall[10900]: ip=192.168.122.124
cifs.upcall[10900]: sec=1
cifs.upcall[10900]: uid=0
cifs.upcall[10900]: creduid=0
cifs.upcall[10900]: user=root
cifs.upcall[10900]: pid=10893
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
cifs.upcall[10899]: get_cachename_from_process_env: pid == 0
cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[10899]: main: valid service ticket exists in credential cache
cifs.upcall[10899]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[10899]: handle_krb5_mech: using native krb5
cifs.upcall[10899]: handle_krb5_mech: obtained service ticket
cifs.upcall[10899]: Exit status 0
Note the line:
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
[Where problems can occur]
We are adding a new mount option to cifs in both the kernel and in
cifs-utils.
Existing cifs-utils packages need to not break when making upcalls to kernels
that have this new upcall_target option, and existing kernels need to not break
when using new cifs-utils packages that set upcall_target without the necessary
in-kernel support.
We need to be careful to test three scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
The default option is "app", and "app" has the same behaviour as
pre-patch, that is, to use the credential cache of the calling process
namespace. This should not introduce any behaviour change to existing
setups. Not specifying any option at mount time defaults to "app"
automatically. Users must opt into using "mount" themselves.
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Additionally, if a regression were to occur, we could also further confuse what
namespace is to be used for accessing the user's kerberos credentials cache,
which could disclose data from the host or container namespace to the incorrect
namespace.
[Other info]
CVE-2025-2312
https://ubuntu.com/security/CVE-2025-2312
https://nvd.nist.gov/vuln/detail/CVE-2025-2312
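A log check for the ccache switch shown in the test case above, as an added example that is not part of the original bug report: it groups cifs.upcall journal lines by PID and flags any upcall whose default ccache differs from the first one seen for the same host and creduid. The function names and the baseline heuristic are assumptions of this example; the sample lines are taken from the journal excerpts above.

```python
import re

# Journal lines copied from the excerpts in the test case above.
KD = "key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;" \
     "ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;"
SAMPLE = [
    f"cifs.upcall[1805]: {KD}pid=0x6ee",
    "cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0",
    f"cifs.upcall[2804]: {KD}pid=0xaf3",
    "cifs.upcall[2805]: creduid=0",
    "cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000",
    f"cifs.upcall[2122]: {KD}pid=0x849;upcall_target=mount",
    "cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0",
]
LINE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)")

def parse_upcalls(lines):
    """Build one record per cifs.upcall PID that reported a credential cache."""
    records = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        rec = records.setdefault(pid, {"upcall_pid": int(pid)})
        if msg.startswith("key description: "):
            # After the "type;uid;gid;perm" prefix the description is key=value pairs.
            for field in msg.split(": ", 1)[1].split(";"):
                if "=" in field:
                    key, value = field.split("=", 1)
                    rec[key] = value
        elif "default ccache is " in msg:
            rec["ccache"] = msg.split("default ccache is ", 1)[1].strip()
    # Child PIDs only echo the parsed fields and never log a ccache; drop them.
    return [r for r in records.values() if "ccache" in r]

def ccache_drift(records):
    """Flag upcalls whose ccache differs from the first seen for (host, creduid)."""
    baseline, findings = {}, []
    for r in records:
        first = baseline.setdefault((r.get("host"), r.get("creduid")), r["ccache"])
        if r["ccache"] != first:
            findings.append((r["upcall_pid"], first, r["ccache"],
                             r.get("upcall_target", "unset")))
    return findings

if __name__ == "__main__":
    for pid, expected, seen, target in ccache_drift(parse_upcalls(SAMPLE)):
        print(f"cifs.upcall[{pid}]: ccache {seen}, baseline {expected}, upcall_target={target}")
```

The check depends on cifs.upcall emitting the debug lines shown in the excerpts, and a deliberate change to the host's default_ccache_name would be flagged as well.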