Bump version to 4.18.0-553.126.2

Add the cifs.spnego userspace description fence. 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch Upstream commit 3da1fdf4efbc with the file path rewritten from fs/smb/client/cifs_spnego.c to fs/cifs/cifs_spnego.c (the cifs source has not been relocated under fs/smb/client/ in the AlmaLinux 8 tree). Refuses userspace-created cifs.spnego keys via request_key(2)/add_key(2); only kernel CIFS using the private spnego_cred may create them. cifs.upcall treats the key description as kernel-originating pid/uid/creduid/upcall_target -- without this fence, userspace can spoof those fields. Reintroduce the tarfile_release indirection so pkgrelease can advance independently of the imported source tarball (the indirection was reset by the 553.126.1 CS import; same pattern as 9497fbc22).
2026-05-28 12:07:55 +00:00 · 2026-05-28 12:07:55 +00:00 · dde83d6182
commit dde83d6182
parent 1a903c27c7
2 changed files with 80 additions and 6 deletions
--- a/SOURCES/1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
+++ b/SOURCES/1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
@ -0,0 +1,66 @@
+From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Sat, 16 May 2026 21:15:39 +0000
+Subject: smb: client: reject userspace cifs.spnego descriptions
+
+cifs.spnego key descriptions contain authority-bearing fields such as
+pid, uid, creduid, and upcall_target that cifs.upcall treats as
+kernel-originating inputs. However, userspace can also create keys of
+this type through request_key(2) or add_key(2), allowing those fields to
+be supplied without CIFS origin.
+
+Only accept cifs.spnego descriptions while CIFS is using its private
+spnego_cred to request the key.
+
+Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
+Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/cifs/cifs_spnego.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
+index 3a41bbada04c76..44c40727568042 100644
+--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include <linux/list.h>
+#include <linux/cred.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <keys/user-type.h>
+@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key)
+ 	kfree(key->payload.data[0]);
+ }
+ 
+static int
+cifs_spnego_key_vet_description(const char *description)
+{
+	/*
+	 * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
+	 * They are only valid when produced by CIFS while using the private
+	 * spnego_cred installed below.  Do not let userspace create this type
+	 * of key through request_key(2)/add_key(2), since the helper treats
+	 * pid/uid/creduid/upcall_target as kernel-originating fields.
+	 */
+	if (current_cred() != spnego_cred)
+		return -EPERM;
+	return 0;
+}
+ 
+ /*
+  * keytype for CIFS spnego keys
+  */
+ struct key_type cifs_spnego_key_type = {
+ 	.name		= "cifs.spnego",
+	.vet_description = cifs_spnego_key_vet_description,
+ 	.instantiate	= cifs_spnego_key_instantiate,
+ 	.destroy	= cifs_spnego_key_destroy,
+ 	.describe	= user_describe,
+-- 
+cgit 1.3-korg
+
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -38,10 +38,11 @@
 # define buildid .local

 %define specversion 4.18.0
-%define pkgrelease 553.126.1.el8_10
+%define pkgrelease 553.126.2.el8_10
+%define tarfile_release 553.126.1.el8_10

 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.126.1%{?dist}
+%define specrelease 553.126.2%{?dist}

 %define pkg_release %{specrelease}%{?buildid}

@ -435,7 +436,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif

-Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
+Source0: linux-%{specversion}-%{tarfile_release}.tar.xz

 Source9: x509.genkey

@ -530,6 +531,8 @@ Patch999999: linux-kernel-test.patch
 # AlmaLinux Patch
 Patch1000: debrand-single-cpu.patch
 Patch1002: debrand-rh-i686-cpu.patch
+Patch1100: 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
+
 Patch2001: 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch
 Patch2002: 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 Patch2003: 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch
@ -1096,9 +1099,9 @@ ApplyOptionalPatch()
  fi
 }

-%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
-cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
-mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
+%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
+cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
+mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}

 cd linux-%{KVERREL}

@ -1107,6 +1110,7 @@ ApplyOptionalPatch linux-kernel-test.patch
 # Applying AlmaLinux Patch
 ApplyPatch debrand-single-cpu.patch
 ApplyPatch debrand-rh-i686-cpu.patch
+ApplyPatch 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
 ApplyPatch 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch
 ApplyPatch 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 ApplyPatch 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch
@ -2713,6 +2717,10 @@ fi
 #
 #
 %changelog
+* Thu May 28 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.126.2
+- smb: client: reject userspace cifs.spnego descriptions (upstream commit
+  3da1fdf4efbc)
+
 * Thu May 28 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.126.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024