On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote: > On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote: > > On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote: > >> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote: > >>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote: > >>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote: > >>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman: > >>>>>> 4.13-stable review patch. If anyone has any objections, please let me know. > >>>>>> > >>>>>> ------------------ > >>>>>> > >>>>>> From: Steve French <smfrench@xxxxxxxxx> > >>>>>> > >>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream. > >>>>>> > >>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must > >>>>>> always be signed. Some Windows can fail the request if you send it unsigned > >>>>>> > >>>>>> See kernel bugzilla bug 197311 > >>>>>> > >>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com> > >>>>>> Signed-off-by: Steve French <smfrench@xxxxxxxxx> > >>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > >>>>>> > >>>>>> --- > >>>>>> fs/cifs/smb2pdu.c | 3 +++ > >>>>>> 1 file changed, 3 insertions(+) > >>>>>> > >>>>>> --- a/fs/cifs/smb2pdu.c > >>>>>> +++ b/fs/cifs/smb2pdu.c > >>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc > >>>>>> } else > >>>>>> iov[0].iov_len = get_rfc1002_length(req) + 4; > >>>>>> + /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ > >>>>>> + if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) > >>>>>> + req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED; > >>>>>> rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov); > >>>>>> cifs_small_buf_release(req); > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>>> This one needs to be backported to all stable kernels as the commit that > >>>>> introduced the regression: > >>>>> ' > >>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9 > >>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off > >>>>> > >>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73 > >>>> > >>>> Oh wait, it breaks the builds on older kernels, that's why I didn't > >>>> apply it :) > >>>> > >>>> Can you provide me with a working backport? > >>>> > >>> > >>> Hi Steve, > >>> > >>> Is there a version of this fix available for stable kernels? > >>> > >> > >> Hi Greg, > >> > >> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84 > >> due to the issues that I have described in detail on this mail thread. > >> > >> Since there is no apparent fix for this bug on stable kernels, could > >> you please consider reverting the original commit that caused this > >> regression? > >> > >> That commit was intended to enhance security, which is probably why it > >> was backported to stable kernels in the first place; but instead it > >> ends up breaking basic functionality itself (mounting). So in the > >> absence of a proper fix, I don't see much of an option but to revert > >> that commit. > >> > >> So, please consider reverting the following: > >> > >> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect > >> against downgrade) even if signing off" on 4.4.118 > >> > >> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect > >> against downgrade) even if signing off" on 4.9.84 > >> > >> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 > >> upstream. Both these patches should revert cleanly. > > > > Do you still have this same problem on 4.14 and 4.15? If so, the issue > > needs to get fixed there, not papered-over by reverting these old > > changes, as you will hit the issue again in the future when you update > > to a newer kernel version. > > > > 4.14 and 4.15 work great! (I had mentioned this is in my original bug > report but forgot to summarize it here, sorry). Then what is the bugfix that should be applied here in order to keep things working with these patches applied? thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
