Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Patch for kernel impersonation+misc, 2024-04-30
Posted by Anonymous on Tue 30th Apr 2024 16:28
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From 392c0769f193a22ea6c4a8aa645055e87ab29f4b Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 30 Apr 2024 15:36:58 +0200 Subject: [PATCH 1/5] daemon: SID cache should reuse entries which have the same "win32name" SID cache should reuse entries which have the same "win32name". This avoids cache thrashing if multile threads write the same data into the cache. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/sid.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/daemon/sid.c b/daemon/sid.c index 1716fd5..7e3f3d4 100644 --- a/daemon/sid.c +++ b/daemon/sid.c @@ -233,7 +233,15 @@ void sidcache_add(sidcache *cache, const char* win32name, PSID value) /* Find the oldest valid cache entry */ freeEntryIndex = -1; for (i = 0; i < SIDCACHE_SIZE; i++) { - if (cache->entries[i].sid == NULL) { + if (cache->entries[i].sid) { + /* Same name ? Then reuse this slot... */ + if (!strcmp(cache->entries[i].win32name, win32name)) { + freeEntryIndex = i; + break; + } + } + else { + /* (cache->entries[i].sid == NULL) --> empty slot... */ freeEntryIndex = i; break; } -- 2.43.0 From 3ca2252f4c21205c16d13e0d7c3b5399f1ad58f1 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 30 Apr 2024 15:43:01 +0200 Subject: [PATCH 2/5] sys: Use |SECURITY_STATIC_TRACKING| instead of |SECURITY_DYNAMIC_TRACKING| Use |SECURITY_STATIC_TRACKING| instead of |SECURITY_DYNAMIC_TRACKING| for impersonation, to handle cases where the client thread we impersonate gets destroyed before we can impersonate it. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c index 21d6e6d..bbce1d7 100644 --- a/sys/nfs41_driver.c +++ b/sys/nfs41_driver.c @@ -1545,7 +1545,7 @@ NTSTATUS nfs41_UpcallCreate( if (clnt_sec_ctx == NULL) { SeCaptureSubjectContext(&sec_ctx); - sec_qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; + sec_qos.ContextTrackingMode = SECURITY_STATIC_TRACKING; sec_qos.ImpersonationLevel = SecurityImpersonation; sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); sec_qos.EffectiveOnly = 0; @@ -3009,7 +3009,7 @@ NTSTATUS nfs41_GetLUID( SECURITY_CLIENT_CONTEXT clnt_sec_ctx; SeCaptureSubjectContext(&sec_ctx); - sec_qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; + sec_qos.ContextTrackingMode = SECURITY_STATIC_TRACKING; sec_qos.ImpersonationLevel = SecurityIdentification; sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); sec_qos.EffectiveOnly = 0; -- 2.43.0 From 26e7b86b963610db045ef42da237f557ed730a41 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 30 Apr 2024 16:09:52 +0200 Subject: [PATCH 3/5] sys: Set |entry->psec_ctx = NULL;| after |SeDeleteClientSecurity()| Set |entry->psec_ctx = NULL| after |SeDeleteClientSecurity()|, to avoid use-after-free. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41_driver.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c index bbce1d7..3ca6ea6 100644 --- a/sys/nfs41_driver.c +++ b/sys/nfs41_driver.c @@ -1549,16 +1549,17 @@ NTSTATUS nfs41_UpcallCreate( sec_qos.ImpersonationLevel = SecurityImpersonation; sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); sec_qos.EffectiveOnly = 0; + entry->psec_ctx = &entry->sec_ctx; status = SeCreateClientSecurityFromSubjectContext(&sec_ctx, &sec_qos, - 1, &entry->sec_ctx); + 1, entry->psec_ctx); if (status != STATUS_SUCCESS) { print_error("nfs41_UpcallCreate: " "SeCreateClientSecurityFromSubjectContext failed with %x\n", status); RxFreePool(entry); entry = NULL; - } else - entry->psec_ctx = &entry->sec_ctx; + } + SeReleaseSubjectContext(&sec_ctx); } else entry->psec_ctx = clnt_sec_ctx; @@ -2106,7 +2107,10 @@ NTSTATUS nfs41_shutdown_daemon( if (status) goto out; status = nfs41_UpcallWaitForReply(entry, UPCALL_TIMEOUT_DEFAULT); - SeDeleteClientSecurity(&entry->sec_ctx); + if (entry->psec_ctx == &entry->sec_ctx) { + SeDeleteClientSecurity(entry->psec_ctx); + } + entry->psec_ctx = NULL; if (status) goto out; RxFreePool(entry); @@ -2365,7 +2369,10 @@ NTSTATUS nfs41_unmount( #endif status = nfs41_UpcallCreate(NFS41_UNMOUNT, NULL, session, INVALID_HANDLE_VALUE, version, NULL, &entry); - SeDeleteClientSecurity(&entry->sec_ctx); + if (entry->psec_ctx == &entry->sec_ctx) { + SeDeleteClientSecurity(entry->psec_ctx); + } + entry->psec_ctx = NULL; if (status) goto out; nfs41_UpcallWaitForReply(entry, timeout); @@ -2748,7 +2755,10 @@ NTSTATUS nfs41_mount( entry->u.Mount.FsAttrs = FsAttrs; status = nfs41_UpcallWaitForReply(entry, config->timeout); - SeDeleteClientSecurity(&entry->sec_ctx); + if (entry->psec_ctx == &entry->sec_ctx) { + SeDeleteClientSecurity(entry->psec_ctx); + } + entry->psec_ctx = NULL; if (status) goto out; *session = entry->session; if (entry->u.Mount.lease_time > config->timeout) @@ -3937,7 +3947,10 @@ retry_on_link: status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); #ifndef USE_MOUNT_SEC_CONTEXT - SeDeleteClientSecurity(&entry->sec_ctx); + if (entry->psec_ctx == &entry->sec_ctx) { + SeDeleteClientSecurity(entry->psec_ctx); + } + entry->psec_ctx = NULL; #endif if (status) goto out; -- 2.43.0 From 9d85234de0be630f494f288c210c732ffd40745d Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 30 Apr 2024 16:31:42 +0200 Subject: [PATCH 4/5] sys: Fix kernel crash (illegal object reference count) during unmount Fix "illegal object reference count" kernel crash during unmount, caused by doing a |SeDeleteClientSecurity()| before doing the unmount upcall which would use this |SECURITY_CLIENT_CONTEXT| Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41_driver.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c index 3ca6ea6..cd7bb84 100644 --- a/sys/nfs41_driver.c +++ b/sys/nfs41_driver.c @@ -2369,13 +2369,14 @@ NTSTATUS nfs41_unmount( #endif status = nfs41_UpcallCreate(NFS41_UNMOUNT, NULL, session, INVALID_HANDLE_VALUE, version, NULL, &entry); + if (status) goto out; + + nfs41_UpcallWaitForReply(entry, timeout); + if (entry->psec_ctx == &entry->sec_ctx) { SeDeleteClientSecurity(entry->psec_ctx); } entry->psec_ctx = NULL; - if (status) goto out; - - nfs41_UpcallWaitForReply(entry, timeout); RxFreePool(entry); out: #ifdef ENABLE_TIMINGS -- 2.43.0 From 7f76988b1fdd9fd373f065bff517ad5e5066ac2a Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 30 Apr 2024 16:54:29 +0200 Subject: [PATCH 5/5] sys: Disable |STORE_MOUNT_SEC_CONTEXT|, we do not use this data Disable |STORE_MOUNT_SEC_CONTEXT|, we do not use this data Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41_driver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c index cd7bb84..c1ddcfd 100644 --- a/sys/nfs41_driver.c +++ b/sys/nfs41_driver.c @@ -48,7 +48,8 @@ * that */ #ifndef NFS41_DRIVER_SETGID_NEWGRP_SUPPORT -#define USE_MOUNT_SEC_CONTEXT +#define USE_MOUNT_SEC_CONTEXT 1 +#define STORE_MOUNT_SEC_CONTEXT 1 #endif /* debugging printout defines */ @@ -395,7 +396,7 @@ typedef struct _NFS41_V_NET_ROOT_EXTENSION { BOOLEAN read_only; BOOLEAN write_thru; BOOLEAN nocache; -#define STORE_MOUNT_SEC_CONTEXT + #ifdef STORE_MOUNT_SEC_CONTEXT SECURITY_CLIENT_CONTEXT mount_sec_ctx; #endif -- 2.43.0

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at