projects / linux-2.6-microblaze.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7460bf4) | patch
smb: client: fix use-after-free of signing key
authorPaulo Alcantara <pc@manguebit.com>
Mon, 11 Nov 2024 13:40:55 +0000 (10:40 -0300)
committerSteve French <stfrench@microsoft.com>
Mon, 18 Nov 2024 04:20:54 +0000 (22:20 -0600)
commit343d7fe6df9e247671440a932b6a73af4fa86d95
tree0d13f8ea5f9cbff927248e1b523bbf36b50883a7tree
parent7460bf441656cebc2636189ab9ba9a65a0a8ab86commit | diff
smb: client: fix use-after-free of signing key

Customers have reported use-after-free in @ses->auth_key.response with
SMB2.1 + sign mounts which occurs due to following race:

task A                         task B
cifs_mount()
 dfs_mount_share()
  get_session()
   cifs_mount_get_session()    cifs_send_recv()
    cifs_get_smb_ses()          compound_send_recv()
     cifs_setup_session()        smb2_setup_request()
      kfree_sensitive()           smb2_calc_signature()
                                   crypto_shash_setkey() *UAF*

Fix this by ensuring that we have a valid @ses->auth_key.response by
checking whether @ses->ses_status is SES_GOOD or SES_EXITING with
@ses->ses_lock held.  After commit 24a9799aa8ef ("smb: client: fix UAF
in smb2_reconnect_server()"), we made sure to call ->logoff() only
when @ses was known to be good (e.g. valid ->auth_key.response), so
it's safe to access signing key when @ses->ses_status == SES_EXITING.

Cc: stable@vger.kernel.org
Reported-by: Jay Shin <jaeshin@redhat.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2proto.h diff | blob | history
fs/smb/client/smb2transport.c diff | blob | history
MicroBlaze GIT Repository