debcrafters-packages team mailing list archive
Message #02451
[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
This bug was fixed in the package linux - 5.15.0-142.152
---------------
linux (5.15.0-142.152) jammy; urgency=medium
* jammy/linux: 5.15.0-142.152 -proposed tracker (LP: #2110829)
* Rotate the Canonical Livepatch key (LP: #2111244)
- [Config] Prepare for Canonical Livepatch key rotation
* Jammy generic-64k fails to initialize gVNIC devices (LP: #2109537)
- gve: Perform adminq allocations through a dma_pool.
- gve: Deprecate adminq_pfn for pci revision 0x1.
- gve: Remove obsolete checks that rely on page size.
- gve: Add page size register to the register_page_list command.
- gve: Remove dependency on 4k page size.
* CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache (LP: #2099914) // CVE-2025-2312
- CIFS: New mount option for cifs.upcall namespace resolution
* [UBUNTU 22.04] net/smc: fix neighbour and rtable leak in smc_ib_find_route() (LP: #2109601) // CVE-2024-36945
- net/smc: fix neighbour and rtable leak in smc_ib_find_route()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355)
- clockevents/drivers/i8253: Fix stop sequence for timer 0
- sched/isolation: Prevent boot crash when the boot CPU is nohz_full
- fbdev: hyperv_fb: iounmap() the correct memory when removing a device
- pinctrl: bcm281xx: Fix incorrect regmap max_registers value
- netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
- net: dsa: mv88e6xxx: Verify after ATU Load ops
- netpoll: hold rcu read lock in __netpoll_send_skb()
- Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
- ipvs: prevent integer overflow in do_ip_vs_get_ctl()
- netfilter: nft_exthdr: fix offset with ipv4_find_option()
- gre: Fix IPv6 link-local address generation.
- slab: clean up function prototypes
- slab: Introduce kmalloc_size_roundup()
- openvswitch: Use kmalloc_size_roundup() to match ksize() usage
- net: openvswitch: remove misbehaving actions length check
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
- nvme-fc: go straight to connecting state when initializing
- hrtimers: Mark is_migration_base() with __always_inline
- powercap: call put_device() on an error path in powercap_register_control_type()
- scsi: core: Use GFP_NOIO to avoid circular locking dependency
- ACPI: resource: IRQ override for Eluktronics MECH-17
- alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
- vboxsf: fix building with GCC 15
- HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
- sched: Clarify wake_up_q()'s write to task->wake_q.next
- s390/cio: Fix CHPID "configure" attribute caching
- thermal/cpufreq_cooling: Remove structure member documentation
- ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
- ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
- ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
- net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
- nvmet-rdma: recheck queue state is LIVE in state lock in recv done
- sctp: Fix undefined behavior in left shift operation
- nvme: only allow entering LIVE from CONNECTING state
- ASoC: tas2770: Fix volume scale
- ASoC: tas2764: Fix power control mask
- ASoC: tas2764: Set the SDOUT polarity correctly
- fuse: don't truncate cached, mutated symlink
- x86/irq: Define trace events conditionally
- mptcp: safety check before fallback
- drm/nouveau: Do not override forced connector status
- block: fix 'kmem_cache of name 'bio-108' already exists'
- USB: serial: ftdi_sio: add support for Altera USB Blaster 3
- USB: serial: option: add Telit Cinterion FE990B compositions
- USB: serial: option: fix Telit Cinterion FE990A name
- USB: serial: option: match on interface class for Telit FN990B
- drm/atomic: Filter out redundant DPMS calls
- drm/amd/display: Restore correct backlight brightness after a GPU reset
- qlcnic: fix memory leak issues in qlcnic_sriov_common.c
- lib/buildid: Handle memfd_secret() files in build_id_parse()
- tcp: fix races in tcp_abort()
- ASoC: ops: Consistently treat platform_max as control value
- drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
- ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
- cifs: Fix integer overflow while processing actimeo mount option
- i2c: ali1535: Fix an error handling path in ali1535_probe()
- i2c: ali15x3: Fix an error handling path in ali15x3_probe()
- i2c: sis630: Fix an error handling path in sis630_probe()
- drm/amd/display: Check for invalid input params when building scaling params
- smb: client: Fix match_session bug preventing session reuse
- Revert "smb: client: fix potential UAF in cifs_debug_files_proc_show()"
- smb: client: fix potential UAF in cifs_debug_files_proc_show()
- firmware: imx-scu: fix OF node leak in .probe()
- xfrm_output: Force software GSO only in tunnel mode
- ARM: dts: bcm2711: PL011 UARTs are actually r1p5
- RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
- ARM: dts: bcm2711: Don't mark timer regs unconfigured
- RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
- RDMA/hns: Remove redundant 'phy_addr' in hns_roce_hem_list_find_mtt()
- RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
- RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common()
- RDMA/hns: Fix wrong value of max_sge_rd
- ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
- net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
- Revert "gre: Fix IPv6 link-local address generation."
- i2c: omap: fix IRQ storms
- drm/v3d: Don't run jobs that have errors flagged in its fence
- mmc: atmel-mci: Add missing clk_disable_unprepare()
- ARM: shmobile: smp: Enforce shmobile_smp_* alignment
- batman-adv: Ignore own maximum aggregation size during RX
- drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
- mptcp: Fix data stream corruption in the address announcement
- arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
- ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
- HID: hid-plantronics: Add mic mute mapping and generalize quirks
- ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
- ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
- ARM: Remove address checking for MMUless devices
- ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
- counter: stm32-lptimer-cnt: fix error handling when enabling
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe
- tty: serial: 8250: Add some more device IDs
- tty: serial: 8250: Add Brainboxes XC devices
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition
- net: usb: usbnet: restore usb%d name exception for local mac addresses
- serial: 8250_dma: terminate correct DMA in tx_dma_flush()
- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
- cpufreq: scpi: compare kHz instead of Hz
- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
- x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()
- x86/platform: Only allow CONFIG_EISA for 32-bit
- [Config] updateconfigs for HAVE_EISA
- PM: sleep: Adjust check before setting power.must_resume
- selinux: Chain up tool resolving errors in install_policy.sh
- EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
- EDAC/ie31200: Fix the DIMM size mask for several SoCs
- EDAC/ie31200: Fix the error path order of ie31200_init()
- PM: sleep: Fix handling devices with direct_complete set on errors
- lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
- media: platform: allgro-dvt: unregister v4l2_device on the error path
- HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
- ALSA: hda/realtek: Always honor no_shutup_pins
- ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible
- drm/bridge: ti-sn65dsi86: Fix multiple instances
- drm/dp_mst: Fix drm RAD print
- drm: xlnx: zynqmp: Fix max dma segment size
- drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
- drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
- PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload
- PCI: brcmstb: Use internal register to change link capability
- PCI/portdrv: Only disable pciehp interrupts early when needed
- PCI: Avoid reset when disabled via sysfs
- drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
- PCI: Remove stray put_device() in pci_register_host_bridge()
- PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
- drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
- PCI: pciehp: Don't enable HPIE when resuming in poll mode
- fbdev: au1100fb: Move a variable assignment behind a null pointer check
- mdacon: rework dependency list
- fbdev: sm501fb: Add some geometry checks.
- clk: amlogic: gxbb: drop incorrect flag on 32k clock
- crypto: hisilicon/sec2 - fix for aead authsize alignment
- of: property: Increase NR_FWNODE_REFERENCE_ARGS
- remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
- libbpf: Fix hypothetical STT_SECTION extern NULL deref case
- clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
- bpf: Use preempt_count() directly in bpf_send_signal_common()
- lib: 842: Improve error handling in sw842_compress()
- pinctrl: renesas: rza2: Fix missing of_node_put() call
- pinctrl: renesas: rzg2l: Fix missing of_node_put() call
- clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
- remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
- IB/mad: Check available slots before posting receive WRs
- pinctrl: tegra: Set SFIO mode to Mux Register
- clk: amlogic: g12b: fix cluster A parent data
- clk: amlogic: gxbb: drop non existing 32k clock parent
- clk: amlogic: g12a: fix mmc A peripheral clock
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
- power: supply: max77693: Fix wrong conversion of charge input threshold value
- crypto: nx - Fix uninitialised hv_nxc on error
- mfd: sm501: Switch to BIT() to mitigate integer overflows
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment
- crypto: hisilicon/sec2 - fix for aead auth key length
- clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
- soundwire: slave: fix an OF node reference leak in soundwire slave device
- coresight: catu: Fix number of pages while using 64k pages
- iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio
- iio: adc: ad7124: Fix comparison of channel configs
- perf units: Fix insufficient array space
- kexec: initialize ELF lowest address to ULONG_MAX
- NFSv4: Don't trigger uneccessary scans for return-on-close delegations
- fuse: fix dax truncate/punch_hole fault path
- i3c: master: svc: Fix missing the IBI rules
- perf python: Fixup description of sample.id event member
- perf python: Decrement the refcount of just created event on failure
- perf python: Don't keep a raw_data pointer to consumed ring buffer space
- perf python: Check if there is space to copy all the event
- fs/procfs: fix the comment above proc_pid_wchan()
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
- exfat: fix the infinite loop in exfat_find_last_cluster()
- ksmbd: fix multichannel connection failure
- ring-buffer: Fix bytes_dropped calculation issue
- ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid
- octeontx2-af: Fix mbox INTR handler when num VFs > 64
- octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
- sched/smt: Always inline sched_smt_active()
- wifi: iwlwifi: fw: allocate chained SG tables for dump
- nvme-tcp: fix possible UAF in nvme_tcp_poll
- nvme-pci: clean up CMBMSC when registering CMB fails
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
- affs: generate OFS sequence numbers starting at 1
- affs: don't write overlarge OFS data block size fields
- sched/deadline: Use online cpus for validating runtime
- locking/semaphore: Use wake_q to wake up processes outside lock critical section
- x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
- drm/amd: Keep display off while going into S4
- ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
- can: statistics: use atomic access in hot path
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
- riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra
- ntb: intel: Fix using link status DB's
- netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
- vsock: avoid timeout during connect() if the socket is closing
- tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
- can: flexcan: only change CAN state when link up in system PM
- can: flexcan: disable transceiver during system PM
- mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
- mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
- tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers
- platform/x86: ISST: Correct command storage data length
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
- x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
- tracing: Ensure module defining synth event cannot be unloaded while tracing
- tracing: Fix synth event printk format for str fields
- tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
- ext4: don't over-report free space or inodes in statvfs
- jfs: add index corruption check to DT_GETPAGE()
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
- mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
- mm, slab: remove duplicate kernel-doc comment for ksize()
- tracing: Do not use PERF enums when perf is not defined
- mmc: sdhci-brcmstb: Initialize base_clk to NULL in sdhci_brcmstb_probe()
- Linux 5.15.180
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22025
- nfsd: put dl_stid if fail to queue dl_recall
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-39735
- jfs: fix slab-out-of-bounds read in ea_get()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-37785
- ext4: fix OOB read when checking dotdot dir
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22035
- tracing: Fix use-after-free in print_graph_function_flags during tracer switching
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22044
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22045
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-46753
- btrfs: handle errors from btrfs_dec_ref() properly
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22050
- usbnet:fix NPE during rx_complete
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-46812
- drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-46821
- drm/amd/pm: Fix negative array index read
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22054
- arcnet: Add NULL check in com20020pci_probe()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22055
- net: fix geneve_opt length integer overflow
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22056
- netfilter: nft_tunnel: fix geneve_opt type confusion addition
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22060
- net: mvpp2: Prevent parser TCAM memory corruption
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-38637
- net_sched: skbprio: Remove overly strict queue assertions
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22063
- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22066
- ASoC: imx-card: Add NULL check in imx_card_probe()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2023-53034
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22071
- spufs: fix a leak in spufs_create_context()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22073
- spufs: fix a leak on spufs_new_file() failure
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21994
- ksmbd: fix incorrect validation for num_aces field of smb_acl
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-38575
- ksmbd: use aead_request_free to match aead_request_alloc
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22075
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22079
- ocfs2: validate l_tree_depth to avoid out-of-bounds access
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22081
- fs/ntfs3: Fix a couple integer overflows on 32bit systems
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22086
- RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22089
- RDMA/core: Don't expose hw_counters outside of init net namespace
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-39728
- clk: samsung: Fix UBSAN panic in samsung_clk_init()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-38152
- remoteproc: core: Clear table_sz when rproc_shutdown
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-58093
- PCI/ASPM: Fix link state exit during switch upstream function removal
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22097
- drm/vkms: Fix use after free and double free on init error
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-23136
- thermal: int340x: Add NULL check for adev
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-23138
- watch_queue: fix pipe accounting mismatch
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22020
- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22021
- netfilter: socket: Lookup orig tuple for IPv6 SNAT
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22018
- atm: Fix NULL pointer dereference
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-56664
- bpf, sockmap: Fix race between element replace and close()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2024-53144 // CVE-2024-8805
- Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21996
- drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22014
- soc: qcom: pdr: Fix the potential deadlock
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21999
- proc: fix UAF in proc_get_inode()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22008
- regulator: check that dummy regulator has been probed before using it
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22004
- net: atm: fix use after free in lec_send()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22005
- ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22007
- Bluetooth: Fix error code in chan_alloc_skb_cb()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-22010
- RDMA/hns: Fix soft lockup during bt pages loop
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21941
- drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21962
- cifs: Fix integer overflow while processing closetimeo mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21963
- cifs: Fix integer overflow while processing acdirmax mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21964
- cifs: Fix integer overflow while processing acregmax mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21968
- drm/amd/display: Fix slab-use-after-free on hdcp_work
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21956
- drm/amd/display: Assign normalized_pix_clk when color depth = 14
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21991
- x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21992
- HID: ignore non-functional sensor in HP 5MP Camera
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21957
- scsi: qla1280: Fix kernel oops when debug level > 2
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21970
- net/mlx5: Bridge, fix the crash caused by LAG state check
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21959
- netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21975
- net/mlx5: handle errors in mlx5_chains_create_table()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2025-21981
- ice: fix memory leak in aRFS after reset
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2022-49728
- ipv6: Fix signed integer overflow in __ip6_append_data
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) // CVE-2022-49636
- vlan: fix memory leak in vlan_newlink()
* VM boots slowly with large-BAR GPU Passthrough due to pci/probe.c redundancy (LP: #2097389)
- PCI: Batch BAR sizing operations
* kexec fails in LPAR when some cpus are disabled (LP: #2075575)
- powerpc/pseries: Fix scv instruction crash with kexec
* CVE-2024-56608
- drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
* CVE-2024-53168
- net: make sock_inuse_add() available
- sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
* CVE-2024-56551
- drm/amdgpu: fix usage slab after free
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
-- Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Mon, 19 May 2025 12:17:06 +0200
--
You received this bug notification because you are a member of Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914
Title:
CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Status in cifs-utils package in Ubuntu:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
Fix Released
Status in linux source package in Focal:
Fix Committed
Status in cifs-utils source package in Jammy:
Fix Released
Status in linux source package in Jammy:
Fix Released
Status in cifs-utils source package in Noble:
Fix Released
Status in linux source package in Noble:
Fix Released
Status in cifs-utils source package in Oracular:
Fix Released
Status in linux source package in Oracular:
Fix Committed
Status in cifs-utils source package in Plucky:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2099914
[Impact]
This is CVE-2025-2312: namespace confusion in cifs.upcall can make it read a Kerberos
credential cache that does not belong to the current user, disclosing sensitive data
from the host's or the container's credential cache.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.
In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:
a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache, or accessing a credential cache that
doesn't belong to the correct user.
[Fix]
The fix adds an "upcall_target" mount option that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies in which namespace to look for
the Kerberos credential cache, and takes the values "mount" (the host namespace
in which the share was mounted) or "app" (the container namespace of the calling
application). The naming is intended to suit Kubernetes-based use cases.
The kernel requires the following commit:
commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Mon Nov 11 11:43:51 2024 +0000
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
This landed in 6.13 mainline and is already in plucky. Oracular is a clean
cherry pick, noble and jammy require a context-adjustment backport, and focal
needed a heavy backport.
Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
In addition, a userspace fix is also needed in cifs-utils, with the following
commits:
commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
These are part of the upstream 7.2 release. Plucky already has that release, so we
just need to fix oracular, noble, jammy and focal.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
If you install the test packages, you can use the upcall_target mount option with
either the "mount" or the "app" value.
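The following is an added example, not code from cifs-utils, the kernel or this bug report. It parses the request-key description the kernel hands to cifs.upcall (the format is taken from the `cifs.upcall[...]: key description:` line in the journalctl output of the test case below) and models, in deliberately simplified form, which mount namespace the credential-cache lookup lands in with `upcall_target=app` versus `upcall_target=mount`. The `Process` table, the namespace inode numbers and the idea that pid 1774 is a container process are constructed data, and the resolution rules in `resolve_ccache` are an assumption that captures the scenario in [Impact], not the exact cifs.upcall code paths.

```python
"""Model of the cifs.upcall namespace resolution behind CVE-2025-2312.

Added example, not cifs-utils or kernel code. The key description format
comes from the journalctl output in the test case; everything else
(namespace inodes, the container process, the resolution rules) is
constructed or assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fields the kernel writes as 0x-prefixed hex in the key description.
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}


def parse_key_description(desc: str) -> dict:
    """Split a cifs.spnego key description into a dict.

    Prefix is the keyctl describe form "type;uid;gid;perm;", followed by the
    ';'-separated key=value payload the kernel builds (ver, host, ip4/ip6,
    sec, uid, creduid, user, pid). Hex fields become ints so they match the
    decimal values cifs.upcall logs (pid=0x6ee -> pid=1774).
    """
    parts = desc.split(";")
    if len(parts) < 5 or parts[0] != "cifs.spnego":
        raise ValueError("not a cifs.spnego key description")
    fields: dict = {
        "keytype": parts[0],
        "key_uid": int(parts[1]),
        "key_gid": int(parts[2]),
        "key_perm": parts[3],
    }
    for item in parts[4:]:
        if "=" not in item:
            raise ValueError(f"malformed field: {item!r}")
        key, value = item.split("=", 1)
        fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


@dataclass(frozen=True)
class Process:
    """Constructed stand-in for what cifs.upcall would read from /proc/<pid>."""
    pid: int
    mnt_ns: int                 # inode of /proc/<pid>/ns/mnt
    krb5ccname: Optional[str]   # KRB5CCNAME from /proc/<pid>/environ, if any


def resolve_ccache(fields: dict, processes: Dict[int, Process],
                   mount_ns: int, upcall_target: str = "app") -> Tuple[int, str]:
    """Return (mount namespace, ccache name) the lookup would use.

    Simplified model (assumption): with upcall_target=app, or on a kernel
    without the fix, the lookup follows the pid in the key description into
    that process's mount namespace and honours its KRB5CCNAME; with
    upcall_target=mount it stays in the namespace the share was mounted from
    and creduid alone decides the default cache name.
    """
    if upcall_target not in ("mount", "app"):
        raise ValueError("upcall_target must be 'mount' or 'app'")
    default_cc = f"FILE:/tmp/krb5cc_{fields['creduid']}"
    pid = fields.get("pid", 0)
    if upcall_target == "mount" or pid == 0:
        return mount_ns, default_cc
    proc = processes.get(pid)
    if proc is None:
        raise LookupError(f"pid {pid} has no /proc entry")
    return proc.mnt_ns, proc.krb5ccname or default_cc


def crosses_namespace(fields: dict, processes: Dict[int, Process],
                      mount_ns: int, upcall_target: str = "app") -> bool:
    """Defender's check: True when the cache lookup would leave the mount's
    namespace, i.e. the confusion described in the bug."""
    ns, _ = resolve_ccache(fields, processes, mount_ns, upcall_target)
    return ns != mount_ns


# Constructed sample: the key description logged in the test case, a host
# mount namespace, and (for the demonstration only) pid 1774 treated as a
# process inside a container with its own KRB5CCNAME.
KEY_DESC = ("cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;"
            "ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee")
HOST_MNT_NS = 4026531840
PROCESSES = {
    1774: Process(pid=1774, mnt_ns=4026532456, krb5ccname="FILE:/tmp/krb5cc_app"),
}

if __name__ == "__main__":
    fields = parse_key_description(KEY_DESC)
    for target in ("app", "mount"):
        ns, cc = resolve_ccache(fields, PROCESSES, HOST_MNT_NS, target)
        verdict = "CROSSES NAMESPACE" if ns != HOST_MNT_NS else "ok"
        print(f"upcall_target={target}: mnt_ns={ns} ccache={cc} {verdict}")
```

Running it shows the two outcomes side by side: with `app` the lookup follows pid 1774 into the container namespace and its cache, with `mount` it stays in the host namespace and uses `FILE:/tmp/krb5cc_0`, which is the cache the `klist` output in the test case shows for the mounting root user.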
[Testcase]
Some knowledge of kerberos will go a long way to help you make this
all work.
We should be able to do all testing on the same VM.
1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Focal:
sudo apt install keyutils
Oracular:
sudo apt install samba-ad-dc
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.124
search SAMBA
EOF
sudo vim /etc/samba/smb.conf
Change forwarder to 8.8.8.8
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password:
. D 0 Mon Feb 28 04:23:22 2022
.. D 0 Mon Feb 28 04:23:27 2022
9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
31) smbclient -U Administrator //samba-dc.example.com/demo
Password for [SAMBA\Administrator]:
Try "help" to get a list of possible commands.
smb: \>
32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
Try "help" to get a list of possible commands.
smb: \>
33) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxx
renew until 04/10/25 02:53:22
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 02:53:22
34) sudo -s
35) # kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
36) # mkdir /mnt/testshare1
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
37) # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 04/10/25 03:26:06
04/09/25 03:30:26 04/09/25 13:26:10 cifs/samba-dc.example.com@
renew until 04/10/25 03:26:06
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
38) journalctl
kernel: netfs: FS-Cache loaded
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1806]: ver=2
cifs.upcall[1806]: host=samba-dc.example.com
cifs.upcall[1806]: ip=192.168.122.124
cifs.upcall[1806]: sec=1
cifs.upcall[1806]: uid=0
cifs.upcall[1806]: creduid=0
cifs.upcall[1806]: user=root
cifs.upcall[1806]: pid=1774
cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1805]: handle_krb5_mech: using native krb5
cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
cifs.upcall[1805]: Exit status 0
Take note of the line:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
39) # stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
40) sudo apt install docker.io
41) docker pull ubuntu:24.04
42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
43) root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
root@685c7e420afc:/# ls /mnt/shared
44) root@685c7e420afc:/# apt install krb5-user vim
45) root@685c7e420afc:/# vim /etc/krb5.conf
Under libdefaults, add "default_ccache_name = /tmp/krb5cc_00%{uid}", then save and exit.
46) Back on the host as root, clear the initial Kerberos credential cache and disconnect the cifs connections.
# kdestroy -c /tmp/krb5cc_0
# ss -K dport 445
47) Back in the container:
root@685c7e420afc:/# stat /mnt/shared
48) Back on the host as root:
# journalctl
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2805]: ver=2
cifs.upcall[2805]: host=samba-dc.example.com
cifs.upcall[2805]: ip=192.168.122.124
cifs.upcall[2805]: sec=1
cifs.upcall[2805]: uid=0
cifs.upcall[2805]: creduid=0
cifs.upcall[2805]: user=root
cifs.upcall[2805]: pid=2803
cifs.upcall[2804]: get_cachename_from_process_env: pid == 0
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: get_tgt_time: unable to get principal
cifs.upcall[2804]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2804]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2804]: handle_krb5_mech: using GSS-API
cifs.upcall[2804]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[2804]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
cifs.upcall[2804]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[2804]: Unable to obtain service ticket
cifs.upcall[2804]: Exit status 458752
Note that it now tries to read /tmp/krb5cc_000 from the container namespace instead
of /tmp/krb5cc_0 from the host namespace.
If you install the test packages from the following PPAs:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
then, when you initially mount the cifs filesystem, use the new mount option
upcall_target=mount:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
Repeat the test case. When we disconnect the cifs connection and try stat inside
the container, the Kerberos credential cache should be /tmp/krb5cc_0 in the
host namespace:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
A successful run with upcall_target=mount and fixed cifs-utils should
look like:
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2123]: ver=2
cifs.upcall[2123]: host=samba-dc.example.com
cifs.upcall[2123]: ip=192.168.122.124
cifs.upcall[2123]: sec=1
cifs.upcall[2123]: uid=0
cifs.upcall[2123]: creduid=0
cifs.upcall[2123]: user=root
cifs.upcall[2123]: pid=2121
cifs.upcall[2123]: upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_cachename_from_process_env: pid == 0
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2122]: handle_krb5_mech: using native krb5
cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
cifs.upcall[2122]: Exit status 0
Specific Testcases Of Existing / Patched Packages:
patched kernel, existing cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1540]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x600;upcall_target=app
cifs.upcall[1541]: ver=2
cifs.upcall[1541]: host=samba-dc.example.com
cifs.upcall[1541]: ip=192.168.122.124
cifs.upcall[1541]: sec=1
cifs.upcall[1541]: uid=0
cifs.upcall[1541]: creduid=0
cifs.upcall[1541]: user=root
cifs.upcall[1541]: pid=1536
cifs.upcall[1540]: get_cachename_from_process_env: pid == 0
cifs.upcall[1540]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1540]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1540]: handle_krb5_mech: using native krb5
cifs.upcall[1540]: handle_krb5_mech: obtained service ticket
cifs.upcall[1540]: Exit status 0
Test with no "upcall_target". e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
Apr 30 04:23:35 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ver=2
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: host=samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ip=192.168.122.124
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: sec=1
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: uid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: creduid=0
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: user=root
Apr 30 04:23:35 samba-dc cifs.upcall[1561]: pid=1556
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_cachename_from_process_env: pid == 0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: getting service ticket for samba-dc.example.com
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: using native krb5
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: obtained service ticket
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0
existing kernel, patched cifs-utils
-----------------------------------
When specifying "upcall_target" on mount command line, e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# journalctl -f
kernel: cifs: Unknown parameter 'upcall_target'
Test with no "upcall_target". e.g.:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
# journalctl -f
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
cifs.upcall[10900]: ver=2
cifs.upcall[10900]: host=samba-dc.example.com
cifs.upcall[10900]: ip=192.168.122.124
cifs.upcall[10900]: sec=1
cifs.upcall[10900]: uid=0
cifs.upcall[10900]: creduid=0
cifs.upcall[10900]: user=root
cifs.upcall[10900]: pid=10893
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
cifs.upcall[10899]: get_cachename_from_process_env: pid == 0
cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[10899]: main: valid service ticket exists in credential cache
cifs.upcall[10899]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[10899]: handle_krb5_mech: using native krb5
cifs.upcall[10899]: handle_krb5_mech: obtained service ticket
cifs.upcall[10899]: Exit status 0
Note the line:
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
[Where problems can occur]
We are adding a new mount option to cifs in both the kernel and in
cifs-utils.
Existing cifs-utils packages need to not break when making upcalls to kernels
that have this new upcall_target option, and existing kernels need to not break
when using new cifs-utils packages that set upcall_target without the necessary
in kernel support.
We need to be careful to test three scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
The default option is "app" and "app" has the same behaviour as pre-patch, that
is, to use the credential cache of the calling process's namespace. This should
not introduce any behaviour change to existing setups. Not specifying any option
at mount time defaults to "app" automatically. Users must opt into using "mount"
themselves.
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Additionally, if a regression were to occur, we could also further confuse what
namespace is to be used for accessing the user's kerberos credentials cache,
which could disclose data from the host or container namespace to the incorrect
namespace.
[Other info]
CVE-2025-2312
https://ubuntu.com/security/CVE-2025-2312
https://nvd.nist.gov/vuln/detail/CVE-2025-2312
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions
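As an added example (not part of the bug report, and not code from cifs-utils or the kernel), the following Python script automates the check the test case above makes by eye. It parses the cifs.upcall journal lines, pulls creduid and upcall_target out of the cifs.spnego key description, and reports for each upcall whether the kernel passed upcall_target, whether cifs.upcall acted on it (the "switching namespaces" line only the fixed cifs-utils logs), and whether the credential cache it opened is the one expected for creduid in the host namespace. The sample lines are constructed from the four journal excerpts above; the template /tmp/krb5cc_{uid} for the expected host ccache is an assumption that matches this test setup.

```python
"""Audit cifs.upcall journal lines: which Kerberos ccache did each upcall open?

Added example, not code from the bug report, cifs-utils or the kernel.
ASSUMPTION: the host's default ccache is FILE:/tmp/krb5cc_<uid>, as in the
test case; pass host_ccache_template for KEYRING or custom ccache names.
"""
import re

KEYDESC_RE = re.compile(r"cifs\.upcall\[(\d+)\]: key description: (cifs\.spnego;\S+)")
CCACHE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: get_existing_cc: default ccache is (\S+)")
NS_RE = re.compile(r"cifs\.upcall\[(\d+)\]: upcall_target=(\w+), (not )?switching namespaces")
EXIT_RE = re.compile(r"cifs\.upcall\[(\d+)\]: Exit status (\d+)")


def parse_key_description(desc):
    """Split a request_key callout description 'type;uid;gid;perm;k=v;...' into a dict.

    The first four fields come from the kernel key infrastructure; the rest is the
    cifs.spnego payload (ver, host, ip4, sec, uid, creduid, user, pid and, from a
    kernel with the fix, upcall_target).
    """
    parts = desc.split(";")
    fields = {"type": parts[0], "key_uid": parts[1], "key_gid": parts[2], "perm": parts[3]}
    for item in parts[4:]:
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def _owner(upcalls, m):
    """Record of the parent cifs.upcall pid that logged this line, or a throwaway dict."""
    return upcalls.get(int(m.group(1)), {})


def audit(lines, host_ccache_template="/tmp/krb5cc_{uid}"):
    """Return {cifs.upcall pid: report} for every upcall found in the journal lines."""
    upcalls = {}
    for line in lines:
        if m := KEYDESC_RE.search(line):
            # The parent pid logs the key description and the summary lines; the
            # child pid that echoes ver=/host=/... one per line is not needed.
            upcalls[int(m.group(1))] = {"fields": parse_key_description(m.group(2)),
                                        "ccache": None, "switched": None, "exit": None}
        elif m := CCACHE_RE.search(line):
            _owner(upcalls, m)["ccache"] = m.group(2)
        elif m := NS_RE.search(line):
            _owner(upcalls, m)["switched"] = m.group(3) is None  # "not switching" -> False
        elif m := EXIT_RE.search(line):
            _owner(upcalls, m)["exit"] = int(m.group(2))

    reports = {}
    for pid, u in upcalls.items():
        f = u["fields"]
        creduid = int(f.get("creduid", "0x0"), 16)
        expected = host_ccache_template.format(uid=creduid)
        ccache = u["ccache"]
        path = ccache.split(":", 1)[1] if ccache and ":" in ccache else ccache  # drop "FILE:"
        reports[pid] = {
            "host": f.get("host"),
            "creduid": creduid,
            "kernel_sent_target": "upcall_target" in f,
            "requested_target": f.get("upcall_target", "app"),  # absent means the old default
            "utils_honoured_target": u["switched"] is not None,  # only fixed cifs-utils logs it
            "ccache": ccache,
            "expected_ccache": expected,
            "wrong_namespace": path is not None and path != expected,
            "exit_status": u["exit"],
        }
    return reports


# Constructed sample, trimmed from the four journal excerpts in the test case:
# 2804 vulnerable run from the container, 2122 fixed kernel + fixed cifs-utils with
# upcall_target=mount, 1560 fixed kernel + old cifs-utils, 10899 old kernel + fixed cifs-utils.
SAMPLE = """\
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2805]: ver=2
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: Exit status 458752
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: Exit status 0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0
cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[10899]: Exit status 0
""".splitlines()

if __name__ == "__main__":
    for pid, r in audit(SAMPLE).items():
        verdict = "WRONG NAMESPACE" if r["wrong_namespace"] else "ok"
        print(f"pid {pid}: target={r['requested_target']} kernel_sent={r['kernel_sent_target']} "
              f"honoured={r['utils_honoured_target']} ccache={r['ccache']} -> {verdict}")
```

Feed it the lines of "journalctl -t cifs.upcall" instead of SAMPLE to check a real host. A report with wrong_namespace set means the upcall opened a ccache other than the host default for creduid, which is the symptom reproduced above when the mount was made from the host and the access comes from a container; it also fires, as a false positive, when the mount namespace legitimately uses a KEYRING or custom default_ccache_name, so pass that name as host_ccache_template in that case. kernel_sent_target and utils_honoured_target together tell you which of the three kernel/cifs-utils combinations from the test matrix you are looking at.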