Commit c7c137b9 authored by Steve French's avatar Steve French

smb3: do not allow insecure cifs mounts when using smb3

if mounting as smb3 do not allow cifs (vers=1.0) or insecure vers=2.0
mounts.

For example:
root@smf-Thinkpad-P51:~/cifs-2.6# mount -t smb3 //127.0.0.1/scratch /mnt -o username=testuser,password=Testpass1
root@smf-Thinkpad-P51:~/cifs-2.6# umount /mnt
root@smf-Thinkpad-P51:~/cifs-2.6# mount -t smb3 //127.0.0.1/scratch /mnt -o username=testuser,password=Testpass1,vers=1.0
mount: /mnt: wrong fs type, bad option, bad superblock on //127.0.0.1/scratch ...
root@smf-Thinkpad-P51:~/cifs-2.6# dmesg | grep smb3
[ 4302.200122] CIFS VFS: vers=1.0 (cifs) not permitted when mounting with smb3
root@smf-Thinkpad-P51:~/cifs-2.6# mount -t smb3 //127.0.0.1/scratch /mnt -o username=testuser,password=Testpass1,vers=3.11
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Acked-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
Reviewed-by: default avatarSachin Prabhu <sprabhu@redhat.com>
parent 8ddecf5f
...@@ -698,8 +698,8 @@ static int cifs_set_super(struct super_block *sb, void *data) ...@@ -698,8 +698,8 @@ static int cifs_set_super(struct super_block *sb, void *data)
} }
static struct dentry * static struct dentry *
cifs_do_mount(struct file_system_type *fs_type, cifs_smb3_do_mount(struct file_system_type *fs_type,
int flags, const char *dev_name, void *data) int flags, const char *dev_name, void *data, bool is_smb3)
{ {
int rc; int rc;
struct super_block *sb; struct super_block *sb;
...@@ -710,7 +710,7 @@ cifs_do_mount(struct file_system_type *fs_type, ...@@ -710,7 +710,7 @@ cifs_do_mount(struct file_system_type *fs_type,
cifs_dbg(FYI, "Devname: %s flags: %d\n", dev_name, flags); cifs_dbg(FYI, "Devname: %s flags: %d\n", dev_name, flags);
volume_info = cifs_get_volume_info((char *)data, dev_name); volume_info = cifs_get_volume_info((char *)data, dev_name, is_smb3);
if (IS_ERR(volume_info)) if (IS_ERR(volume_info))
return ERR_CAST(volume_info); return ERR_CAST(volume_info);
...@@ -790,6 +790,20 @@ cifs_do_mount(struct file_system_type *fs_type, ...@@ -790,6 +790,20 @@ cifs_do_mount(struct file_system_type *fs_type,
goto out; goto out;
} }
static struct dentry *
smb3_do_mount(struct file_system_type *fs_type,
int flags, const char *dev_name, void *data)
{
return cifs_smb3_do_mount(fs_type, flags, dev_name, data, true);
}
static struct dentry *
cifs_do_mount(struct file_system_type *fs_type,
int flags, const char *dev_name, void *data)
{
return cifs_smb3_do_mount(fs_type, flags, dev_name, data, false);
}
static ssize_t static ssize_t
cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter) cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter)
{ {
...@@ -925,7 +939,7 @@ MODULE_ALIAS_FS("cifs"); ...@@ -925,7 +939,7 @@ MODULE_ALIAS_FS("cifs");
static struct file_system_type smb3_fs_type = { static struct file_system_type smb3_fs_type = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.name = "smb3", .name = "smb3",
.mount = cifs_do_mount, .mount = smb3_do_mount,
.kill_sb = cifs_kill_sb, .kill_sb = cifs_kill_sb,
/* .fs_flags */ /* .fs_flags */
}; };
......
...@@ -211,7 +211,7 @@ extern int cifs_setup_cifs_sb(struct smb_vol *pvolume_info, ...@@ -211,7 +211,7 @@ extern int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
extern int cifs_match_super(struct super_block *, void *); extern int cifs_match_super(struct super_block *, void *);
extern void cifs_cleanup_volume_info(struct smb_vol *pvolume_info); extern void cifs_cleanup_volume_info(struct smb_vol *pvolume_info);
extern struct smb_vol *cifs_get_volume_info(char *mount_data, extern struct smb_vol *cifs_get_volume_info(char *mount_data,
const char *devname); const char *devname, bool is_smb3);
extern int cifs_mount(struct cifs_sb_info *, struct smb_vol *); extern int cifs_mount(struct cifs_sb_info *, struct smb_vol *);
extern void cifs_umount(struct cifs_sb_info *); extern void cifs_umount(struct cifs_sb_info *);
extern void cifs_mark_open_files_invalid(struct cifs_tcon *tcon); extern void cifs_mark_open_files_invalid(struct cifs_tcon *tcon);
......
...@@ -320,7 +320,7 @@ static int generic_ip_connect(struct TCP_Server_Info *server); ...@@ -320,7 +320,7 @@ static int generic_ip_connect(struct TCP_Server_Info *server);
static void tlink_rb_insert(struct rb_root *root, struct tcon_link *new_tlink); static void tlink_rb_insert(struct rb_root *root, struct tcon_link *new_tlink);
static void cifs_prune_tlinks(struct work_struct *work); static void cifs_prune_tlinks(struct work_struct *work);
static int cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data, static int cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data,
const char *devname); const char *devname, bool is_smb3);
/* /*
* cifs tcp session reconnection * cifs tcp session reconnection
...@@ -1166,7 +1166,7 @@ cifs_parse_cache_flavor(char *value, struct smb_vol *vol) ...@@ -1166,7 +1166,7 @@ cifs_parse_cache_flavor(char *value, struct smb_vol *vol)
} }
static int static int
cifs_parse_smb_version(char *value, struct smb_vol *vol) cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3)
{ {
substring_t args[MAX_OPT_ARGS]; substring_t args[MAX_OPT_ARGS];
...@@ -1176,6 +1176,10 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol) ...@@ -1176,6 +1176,10 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol)
cifs_dbg(VFS, "mount with legacy dialect disabled\n"); cifs_dbg(VFS, "mount with legacy dialect disabled\n");
return 1; return 1;
} }
if (is_smb3) {
cifs_dbg(VFS, "vers=1.0 (cifs) not permitted when mounting with smb3\n");
return 1;
}
vol->ops = &smb1_operations; vol->ops = &smb1_operations;
vol->vals = &smb1_values; vol->vals = &smb1_values;
break; break;
...@@ -1184,6 +1188,10 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol) ...@@ -1184,6 +1188,10 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol)
cifs_dbg(VFS, "mount with legacy dialect disabled\n"); cifs_dbg(VFS, "mount with legacy dialect disabled\n");
return 1; return 1;
} }
if (is_smb3) {
cifs_dbg(VFS, "vers=2.0 not permitted when mounting with smb3\n");
return 1;
}
vol->ops = &smb20_operations; vol->ops = &smb20_operations;
vol->vals = &smb20_values; vol->vals = &smb20_values;
break; break;
...@@ -1272,7 +1280,7 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol) ...@@ -1272,7 +1280,7 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol)
static int static int
cifs_parse_mount_options(const char *mountdata, const char *devname, cifs_parse_mount_options(const char *mountdata, const char *devname,
struct smb_vol *vol) struct smb_vol *vol, bool is_smb3)
{ {
char *data, *end; char *data, *end;
char *mountdata_copy = NULL, *options; char *mountdata_copy = NULL, *options;
...@@ -1985,7 +1993,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, ...@@ -1985,7 +1993,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
if (string == NULL) if (string == NULL)
goto out_nomem; goto out_nomem;
if (cifs_parse_smb_version(string, vol) != 0) if (cifs_parse_smb_version(string, vol, is_smb3) != 0)
goto cifs_parse_mount_err; goto cifs_parse_mount_err;
got_version = true; got_version = true;
break; break;
...@@ -3797,7 +3805,7 @@ expand_dfs_referral(const unsigned int xid, struct cifs_ses *ses, ...@@ -3797,7 +3805,7 @@ expand_dfs_referral(const unsigned int xid, struct cifs_ses *ses,
} else { } else {
cleanup_volume_info_contents(volume_info); cleanup_volume_info_contents(volume_info);
rc = cifs_setup_volume_info(volume_info, mdata, rc = cifs_setup_volume_info(volume_info, mdata,
fake_devname); fake_devname, false);
} }
kfree(fake_devname); kfree(fake_devname);
kfree(cifs_sb->mountdata); kfree(cifs_sb->mountdata);
...@@ -3810,11 +3818,11 @@ expand_dfs_referral(const unsigned int xid, struct cifs_ses *ses, ...@@ -3810,11 +3818,11 @@ expand_dfs_referral(const unsigned int xid, struct cifs_ses *ses,
static int static int
cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data, cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data,
const char *devname) const char *devname, bool is_smb3)
{ {
int rc = 0; int rc = 0;
if (cifs_parse_mount_options(mount_data, devname, volume_info)) if (cifs_parse_mount_options(mount_data, devname, volume_info, is_smb3))
return -EINVAL; return -EINVAL;
if (volume_info->nullauth) { if (volume_info->nullauth) {
...@@ -3848,7 +3856,7 @@ cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data, ...@@ -3848,7 +3856,7 @@ cifs_setup_volume_info(struct smb_vol *volume_info, char *mount_data,
} }
struct smb_vol * struct smb_vol *
cifs_get_volume_info(char *mount_data, const char *devname) cifs_get_volume_info(char *mount_data, const char *devname, bool is_smb3)
{ {
int rc; int rc;
struct smb_vol *volume_info; struct smb_vol *volume_info;
...@@ -3857,7 +3865,7 @@ cifs_get_volume_info(char *mount_data, const char *devname) ...@@ -3857,7 +3865,7 @@ cifs_get_volume_info(char *mount_data, const char *devname)
if (!volume_info) if (!volume_info)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
rc = cifs_setup_volume_info(volume_info, mount_data, devname); rc = cifs_setup_volume_info(volume_info, mount_data, devname, is_smb3);
if (rc) { if (rc) {
cifs_cleanup_volume_info(volume_info); cifs_cleanup_volume_info(volume_info);
volume_info = ERR_PTR(rc); volume_info = ERR_PTR(rc);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment