debcrafters-packages team mailing list archive
Message #02450
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package linux - 6.8.0-62.65
---------------
linux (6.8.0-62.65) noble; urgency=medium
* noble/linux: 6.8.0-62.65 -proposed tracker (LP: #2110737)
* Rotate the Canonical Livepatch key (LP: #2111244)
- [Config] Prepare for Canonical Livepatch key rotation
* KVM bug causes Firecracker crash when it runs the vCPU for the first time
(LP: #2109859)
- vhost: return task creation error instead of NULL
- kvm: retry nx_huge_page_recovery_thread creation
* CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
(LP: #2099914) // CVE-2025-2312
- CIFS: New mount option for cifs.upcall namespace resolution
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640)
- ASoC: wm8994: Add depends on MFD core
- ASoC: samsung: Add missing selects for MFD_WM8994
- seccomp: Stub for !CONFIG_SECCOMP
- scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
- of/unittest: Add test that of_address_to_resource() fails on non-
translatable address
- irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
- hwmon: (drivetemp) Set scsi command timeout to 10s
- ASoC: samsung: Add missing depends on I2C
- ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf()
- Revert "libfs: fix infinite directory reads for offset dir"
- libfs: Replace simple_offset end-of-directory detection
- Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
- ALSA: usb-audio: Add delay quirk for USB Audio Device
- Input: xpad - add support for Nacon Pro Compact
- Input: atkbd - map F23 key to support default copilot shortcut
- Input: xpad - add unofficial Xbox 360 wireless receiver clone
- Input: xpad - add QH Electronics VID/PID
- Input: xpad - improve name of 8BitDo controller 2dc8:3106
- Input: xpad - add support for Nacon Evol-X Xbox One Controller
- Input: xpad - add support for wooting two he (arm)
- ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK
- ASoC: cs42l43: Add codec force suspend/resume ops
- ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5
- libfs: Return ENOSPC when the directory offset range is exhausted
- Revert "libfs: Add simple_offset_empty()"
- libfs: Use d_children list to iterate simple_offset directories
- wifi: rtl8xxxu: add more missing rtl8192cu USB IDs
- HID: wacom: Initialize brightness of LED trigger
- Upstream stable to v6.6.75, v6.12.12
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21689
- USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21690
- scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21691
- cachestat: fix page cache statistics permission checking
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21692
- net: sched: fix ets qdisc OOB Indexing
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2025-21699
- gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
* Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //
CVE-2024-50157
- RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop
* rtw89: Support hardware rfkill (LP: #2077384)
- wifi: rtw89: add support for hardware rfkill
* Introduce configfs-based interface for gpio-aggregator (LP: #2103496)
- gpio: introduce utilities for synchronous fake device creation
- bitmap: Define a cleanup function for bitmaps
- gpio: aggregator: simplify aggr_parse() with scoped bitmap
- gpio: aggregator: protect driver attr handlers against module unload
- gpio: aggregator: reorder functions to prepare for configfs introduction
- gpio: aggregator: unify function naming
- gpio: aggregator: add gpio_aggregator_{alloc, free}()
- gpio: aggregator: introduce basic configfs interface
- [Config] Enable DEV_SYNC_PROBE as module
- SAUCE: gpio: aggregator: Fix error code in gpio_aggregator_activate()
- gpio: aggregator: rename 'name' to 'key' in gpio_aggregator_parse()
- gpio: aggregator: expose aggregator created via legacy sysfs to configfs
- SAUCE: gpio: aggregator: fix "_sysfs" prefix check in
gpio_aggregator_make_group()
- SAUCE: gpio: aggregator: Fix gpio_aggregator_line_alloc() checking
- SAUCE: gpio: aggregator: Return an error if there are no GPIOs in
gpio_aggregator_parse()
- SAUCE: gpio: aggregator: Fix leak in gpio_aggregator_parse()
- gpio: aggregator: cancel deferred probe for devices created via configfs
- Documentation: gpio: document configfs interface for gpio-aggregator
- selftests: gpio: add test cases for gpio-aggregator
- SAUCE: selftests: gpio: gpio-aggregator: add a test case for _sysfs prefix
reservation
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449)
- net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
- net: add exit_batch_rtnl() method
- gtp: use exit_batch_rtnl() method
- gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
- gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
- nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
- net: xilinx: axienet: Fix IRQ coalescing packet count overflow
- net/mlx5: Fix RDMA TX steering prio
- net/mlx5e: Rely on reqid in IPsec tunnel mode
- net/mlx5e: Always start IPsec sequence number from 1
- drm/vmwgfx: Add new keep_resv BO param
- drm/v3d: Assign job pointer to NULL before signaling the fence
- soc: ti: pruss: Fix pruss APIs
- hwmon: (tmp513) Fix division of negative numbers
- i2c: mux: demux-pinctrl: check initial mux selection, too
- i2c: rcar: fix NACK handling when being a target
- hfs: Sanity check the root record
- fs: fix missing declaration of init_files
- kheaders: Ignore silly-rename files
- cachefiles: Parse the "secctx" immediately
- scsi: ufs: core: Honor runtime/system PM levels if set by host controller
drivers
- selftests: tc-testing: reduce rshift value
- ACPI: resource: acpi_dev_irq_override(): Check DMI match last
- poll_wait: add mb() to fix theoretical race between waitqueue_active() and
.poll()
- RDMA/bnxt_re: Fix to export port num to ib_query_qp
- nvmet: propagate npwg topology
- ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA
- i2c: atr: Fix client detach
- mptcp: be sure to send ack when mptcp-level window re-opens
- mptcp: fix spurious wake-up on under memory pressure
- selftests: mptcp: avoid spurious errors on disconnect
- net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
- vsock/virtio: cancel close work in the destructor
- vsock: reset socket state when de-assigning the transport
- nouveau/fence: handle cross device fences properly
- irqchip: Plug a OF node reference leak in platform_irqchip_probe()
- irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
- drm/i915/fb: Relax clear color alignment to 64 bytes
- drm/amdgpu: always sync the GFX pipe on ctx switch
- ocfs2: fix deadlock in ocfs2_get_system_file_inode
- nfsd: add list_head nf_gc to struct nfsd_file
- x86/xen: fix SLS mitigation in xen_hypercall_iret()
- efi/zboot: Limit compression options to GZIP and ZSTD
- [Config] updateconfigs for HAVE_KERNEL_(LZ4|LZMA|LZO|XZ)
- net: ravb: Fix max TX frame size for RZ/V2M
- net/mlx5: SF, Fix add port error handling
- drm/vmwgfx: Unreserve BO on error
- i2c: testunit: on errors, repeat NACK until STOP
- hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST
- fs/qnx6: Fix building with GCC 15
- gpio: sim: lock up configfs that an instantiated device depends on
- gpio: sim: lock hog configfs items if present
- platform/x86: ISST: Add Clearwater Forest to support list
- drm/nouveau/disp: Fix missing backlight control on Macbook 5,1
- net/ncsi: fix locking in Get MAC Address handling
- drm/amd/display: Do not elevate mem_type change to full update
- drm/xe: Mark ComputeCS read mode as UC on iGPU
- drm/amdgpu/smu13: update powersave optimizations
- drm/amdgpu: fix fw attestation for MP0_14_0_{2/3}
- drm/amdgpu: disable gfxoff with the compute workload on gfx12
- drm/amd/display: Fix PSR-SU not support but still call the
amdgpu_dm_psr_enable
- Upstream stable to v6.6.73, v6.6.74, v6.12.11
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21672
- afs: Fix merge preference rule failure condition
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21682
- eth: bnxt: always recalculate features after XDP clearing, fix null-deref
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2024-53124
- net: fix data-races around sk->sk_forward_alloc
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2024-57924
- fs: relax assertions on failure to encode file handles
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2024-57951
- hrtimers: Handle CPU state correctly on hotplug
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2024-57949
- irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21668
- pmdomain: imx8mp-blk-ctrl: add missing loop break condition
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21684
- gpio: xilinx: Convert gpio_lock to raw spinlock
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21694
- fs/proc: fix softlockup in __read_vmcore (part 2)
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21665
- filemap: avoid truncating 64-bit offset to 32 bits
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21666
- vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21669
- vsock/virtio: discard packets if the transport changes
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21670
- vsock/bpf: return early if transport is not assigned
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21667
- iomap: avoid avoid truncating 64-bit offset to 32 bits
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2024-57948
- mac802154: check local interfaces before deleting sdata list
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21673
- smb: client: fix double free of TCP_Server_Info::hostname
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21697
- drm/v3d: Ensure job pointer is set to NULL after job completion
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21674
- net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21675
- net/mlx5: Clear port select structure when fail to create
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21676
- net: fec: handle page_pool_dev_alloc_pages error
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21678
- gtp: Destroy device along with udp socket's netns dismantle.
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21680
- pktgen: Avoid out-of-bounds access in get_imix_entries
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21681
- openvswitch: fix lockup on tx to unregistering netdev with carrier
* Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //
CVE-2025-21683
- bpf: Fix bpf_sk_select_reuseport() memory leak
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
-- Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Mon, 19 May 2025 12:55:33 +0200
** Changed in: linux (Ubuntu Noble)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-50157
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53124
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-57924
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-57948
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-57949
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-57951
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21665
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21666
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21667
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21668
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21669
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21670
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21672
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21673
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21674
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21675
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21676
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21678
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21680
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21681
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21682
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21683
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21684
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21689
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21690
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21691
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21692
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21694
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21697
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21699
** Changed in: linux (Ubuntu Jammy)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-49636
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-49728
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-53034
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-36945
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46812
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46821
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53144
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53168
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56551
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56608
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56664
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-58093
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8805
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21941
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21956
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21957
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21959
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21962
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21963
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21964
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21968
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21970
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21975
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21981
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21991
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21992
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21994
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21996
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21999
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22004
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22005
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22007
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22008
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22010
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22014
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22018
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22020
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22021
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22025
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22035
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22044
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22045
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22050
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22054
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22055
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22056
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22060
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22063
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22066
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22071
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22073
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22075
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22079
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22081
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22086
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22089
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22097
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-23136
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-23138
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-37785
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38152
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38575
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38637
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-39728
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-39735
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914
Title:
CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Status in cifs-utils package in Ubuntu:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
Fix Released
Status in linux source package in Focal:
Fix Committed
Status in cifs-utils source package in Jammy:
Fix Released
Status in linux source package in Jammy:
Fix Released
Status in cifs-utils source package in Noble:
Fix Released
Status in linux source package in Noble:
Fix Released
Status in cifs-utils source package in Oracular:
Fix Released
Status in linux source package in Oracular:
Fix Committed
Status in cifs-utils source package in Plucky:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2099914
[Impact]
This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.
In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:
a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache, or accessing a credential cache that
doesn't belong to the correct user.
[Fix]
The fix adds an "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies in which namespace to look for
the Kerberos credential cache, and takes the values "mount", meaning the host
namespace, or "app", meaning the container namespace. The wording is intended to
suit Kubernetes based use cases.
The kernel requires the following commit:
commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Mon Nov 11 11:43:51 2024 +0000
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy require a context adjustment backport, and focal
needed a heavy backport.
Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
In addition, a userspace fix is also needed in cifs-utils, with the following
commits:
commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
These were a part of 7.2 upstream. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.
[Testcase]
Some knowledge of kerberos will go a long way to help you make this
all work.
We should be able to do all testing on the same VM.
1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Focal:
sudo apt install keyutils
Oracular:
sudo apt install samba-ad-dc
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.124
search SAMBA
EOF
sudo vim /etc/samba/smb.conf
Change forwarder to 8.8.8.8
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password:
. D 0 Mon Feb 28 04:23:22 2022
.. D 0 Mon Feb 28 04:23:27 2022
9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
31) smbclient -U Administrator //samba-dc.example.com/demo
Password for [SAMBA\Administrator]:
Try "help" to get a list of possible commands.
smb: \>
32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
Try "help" to get a list of possible commands.
smb: \>
33) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxx
renew until 04/10/25 02:53:22
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
34) sudo -s
35) # kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
36) # mkdir /mnt/testshare1
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
37) # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
04/09/25 03:30:26 04/09/25 13:26:10 cifs/samba-dc.example.com@
renew until 04/10/25 03:26:06
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
38) journalctl
kernel: netfs: FS-Cache loaded
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1806]: ver=2
cifs.upcall[1806]: host=samba-dc.example.com
cifs.upcall[1806]: ip=192.168.122.124
cifs.upcall[1806]: sec=1
cifs.upcall[1806]: uid=0
cifs.upcall[1806]: creduid=0
cifs.upcall[1806]: user=root
cifs.upcall[1806]: pid=1774
cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1805]: handle_krb5_mech: using native krb5
cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
cifs.upcall[1805]: Exit status 0
Take note of the line:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
39) # stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
40) sudo apt install docker.io
41) docker pull ubuntu:24.04
42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
43) root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
root@685c7e420afc:/# ls /mnt/shared
44) root@685c7e420afc:/# apt install krb5-user vim
45) root@685c7e420afc:/# vim /etc/krb5.conf
Under libdefaults, add default_ccache_name = /tmp/krb5cc_00%{uid}, then save and exit.
46) Back on the host as root, clear the initial Kerberos credential cache and disconnect the cifs connections.
# kdestroy -c /tmp/krb5cc_0
# ss -K dport 445
47) Back in the container:
root@685c7e420afc:/# stat /mnt/shared
48) Back on the host in root:
# journalctl
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2805]: ver=2
cifs.upcall[2805]: host=samba-dc.example.com
cifs.upcall[2805]: ip=192.168.122.124
cifs.upcall[2805]: sec=1
cifs.upcall[2805]: uid=0
cifs.upcall[2805]: creduid=0
cifs.upcall[2805]: user=root
cifs.upcall[2805]: pid=2803
cifs.upcall[2804]: get_cachename_from_process_env: pid == 0
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: get_tgt_time: unable to get principal
cifs.upcall[2804]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2804]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2804]: handle_krb5_mech: using GSS-API
cifs.upcall[2804]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[2804]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
cifs.upcall[2804]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[2804]: Unable to obtain service ticket
cifs.upcall[2804]: Exit status 458752
Note that it now tries to read /tmp/krb5cc_000 from the container namespace instead
of /tmp/krb5cc_0 from the host namespace.
If you install the test packages from the following PPAs:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
then, when you initially mount the cifs filesystem, use the new mount option
upcall_target=mount:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
Repeat the testcase. When we disconnect the cifs connection and try stat inside
the container, the kerberos credential cache should be /tmp/krb5cc_0 in the
host namespace:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
A successful run with upcall_target=mount and fixed cifs-utils should look like:
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2123]: ver=2
cifs.upcall[2123]: host=samba-dc.example.com
cifs.upcall[2123]: ip=192.168.122.124
cifs.upcall[2123]: sec=1
cifs.upcall[2123]: uid=0
cifs.upcall[2123]: creduid=0
cifs.upcall[2123]: user=root
cifs.upcall[2123]: pid=2121
cifs.upcall[2123]: upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_cachename_from_process_env: pid == 0
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2122]: handle_krb5_mech: using native krb5
cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
cifs.upcall[2122]: Exit status 0
Specific Testcases Of Existing / Patched Packages:
patched kernel, existing cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1540]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x600;upcall_target=app
cifs.upcall[1541]: ver=2
cifs.upcall[1541]: host=samba-dc.example.com
cifs.upcall[1541]: ip=192.168.122.124
cifs.upcall[1541]: sec=1
cifs.upcall[1541]: uid=0
cifs.upcall[1541]: creduid=0
cifs.upcall[1541]: user=root
cifs.upcall[1541]: pid=1536
cifs.upcall[1540]: get_cachename_from_process_env: pid == 0
cifs.upcall[1540]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1540]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1540]: handle_krb5_mech: using native krb5
cifs.upcall[1540]: handle_krb5_mech: obtained service ticket
cifs.upcall[1540]: Exit status 0
Test with no "upcall_target". e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
Apr 30 04:23:35 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ver=2
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: host=samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ip=192.168.122.124
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: sec=1
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: uid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: creduid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: user=root
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: pid=1556
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_cachename_from_process_env: pid == 0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: getting service ticket for samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: using native krb5
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: obtained service ticket
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0
existing kernel, patched cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# journalctl -f
kernel: cifs: Unknown parameter 'upcall_target'
Test with no "upcall_target". e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
cifs.upcall[10900]: ver=2
cifs.upcall[10900]: host=samba-dc.example.com
cifs.upcall[10900]: ip=192.168.122.124
cifs.upcall[10900]: sec=1
cifs.upcall[10900]: uid=0
cifs.upcall[10900]: creduid=0
cifs.upcall[10900]: user=root
cifs.upcall[10900]: pid=10893
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
cifs.upcall[10899]: get_cachename_from_process_env: pid == 0
cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[10899]: main: valid service ticket exists in credential cache
cifs.upcall[10899]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[10899]: handle_krb5_mech: using native krb5
cifs.upcall[10899]: handle_krb5_mech: obtained service ticket
cifs.upcall[10899]: Exit status 0
Note the line:
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
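The three test scenarios above are distinguished by a handful of cifs.upcall journal lines: whether the kernel's key description carries upcall_target, whether the helper reports switching namespaces, and which ccache get_existing_cc resolved. The following parser and audit, added here as an example and not part of the bug report or of cifs-utils, runs those checks over constructed log samples modelled on the output quoted above; the expected ccache path is an input the caller supplies.

```python
import re

# Constructed sample lines, modelled on the cifs.upcall journal output quoted in this
# bug's test cases: the pre-fix container run, then the upcall_target=mount run.
VULNERABLE_RUN = """\
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: Exit status 458752
"""
FIXED_RUN = """\
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: Exit status 0
"""
LINE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)$")

def parse_upcalls(journal):
    """Group cifs.upcall lines by helper pid: key description fields, whether the helper
    switched namespaces, the ccache it resolved and its exit status."""
    runs = {}
    for line in journal.splitlines():
        if not (m := LINE_RE.search(line)):
            continue
        pid, msg = m.groups()
        up = runs.setdefault(pid, {"key": {}, "switched_ns": None, "ccache": None, "status": None})
        if msg.startswith("key description: "):
            fields = msg[len("key description: "):].split(";")
            up["key"] = dict(f.split("=", 1) for f in fields if "=" in f)
        elif "switching namespaces to application thread" in msg:
            up["switched_ns"] = "not switching" not in msg
        elif msg.startswith("get_existing_cc: default ccache is "):
            up["ccache"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Exit status "):
            up["status"] = int(msg.split()[-1])
    return list(runs.values())

def audit(up, expected_ccache):
    """Did the run open the expected ccache and honour the mount's upcall_target?"""
    findings = []
    target = up["key"].get("upcall_target")
    if target is None:
        findings.append("kernel passed no upcall_target; helper defaults to app (pre-fix behaviour)")
    elif target == "mount" and up["switched_ns"]:
        findings.append("upcall_target=mount but helper switched to the application namespace")
    if up["ccache"] != expected_ccache:
        findings.append(f"ccache resolved to {up['ccache']}, expected {expected_ccache}")
    if up["status"]:
        findings.append(f"cifs.upcall exit status {up['status']}")
    return findings
```

Feed it `journalctl -o cat -t cifs.upcall` output (cifs.upcall must be run with its debug option for the get_existing_cc line to appear) and an empty findings list means the helper used the mount's credential cache as intended.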
[Where problems can occur]
We are adding a new mount option to cifs in both the kernel and in
cifs-utils.
Existing cifs-utils packages must not break when handling upcalls from kernels
that have this new upcall_target option, and existing kernels must not break
when used with new cifs-utils packages that understand upcall_target without the
necessary in-kernel support.
We need to be careful to test three scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
The default option is "app", and "app" has the same behaviour as pre-patch,
that is, to use the credential cache of the calling process's namespace.
This should not introduce any behaviour change to existing setups. Not
specifying any option at mount time defaults to "app" automatically. Users
must opt into using "mount" themselves.
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Additionally, if a regression were to occur, we could also further confuse what
namespace is to be used for accessing the user's kerberos credentials cache,
which could disclose data from the host or container namespace to the incorrect
namespace.
[Other info]
CVE-2025-2312
https://ubuntu.com/security/CVE-2025-2312
https://nvd.nist.gov/vuln/detail/CVE-2025-2312
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions