From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: Rabin Vincent <rabinv@axis.com>,
Steve French <smfrench@gmail.com>, Jiri Slaby <jslaby@suse.cz>
Subject: [patch added to 3.12-stable] cifs: fix crash due to race in hmac(md5) handling
Date: Thu, 18 Aug 2016 14:49:43 +0200 [thread overview]
Message-ID: <20160818124953.31969-38-jslaby@suse.cz> (raw)
In-Reply-To: <20160818124953.31969-1-jslaby@suse.cz>
From: Rabin Vincent <rabinv@axis.com>
This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.
===============
commit bd975d1eead2558b76e1079e861eacf1f678b73b upstream.
The secmech hmac(md5) structures are present in the TCP_Server_Info
struct and can be shared among multiple CIFS sessions. However, the
server mutex is not currently held when these structures are allocated
and used, which can lead to a kernel crashes, as in the scenario below:
mount.cifs(8) #1 mount.cifs(8) #2
Is secmech.sdeschmaccmd5 allocated?
// false
Is secmech.sdeschmaccmd5 allocated?
// false
secmech.hmacmd = crypto_alloc_shash..
secmech.sdeschmaccmd5 = kzalloc..
sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
secmech.sdeschmaccmd5 = kzalloc
// sdeschmaccmd5->shash.tfm
// not yet assigned
crypto_shash_update()
deref NULL sdeschmaccmd5->shash.tfm
Unable to handle kernel paging request at virtual address 00000030
epc : 8027ba34 crypto_shash_update+0x38/0x158
ra : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
Call Trace:
crypto_shash_update+0x38/0x158
setup_ntlmv2_rsp+0x4bc/0xa84
build_ntlmssp_auth_blob+0xbc/0x34c
sess_auth_rawntlmssp_authenticate+0xac/0x248
CIFS_SessSetup+0xf0/0x178
cifs_setup_session+0x4c/0x84
cifs_get_smb_ses+0x2c8/0x314
cifs_mount+0x38c/0x76c
cifs_do_mount+0x98/0x440
mount_fs+0x20/0xc0
vfs_kern_mount+0x58/0x138
do_mount+0x1e8/0xccc
SyS_mount+0x88/0xd4
syscall_common+0x30/0x54
Fix this by locking the srv_mutex around the code which uses these
hmac(md5) structures. All the other secmech algos already have similar
locking.
Fixes: 95dc8dd14e2e84cc ("Limit allocation of crypto mechanisms to dialect which requires")
Signed-off-by: Rabin Vincent <rabinv@axis.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
fs/cifs/cifsencrypt.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 684e1c5ad46d..84ae0a5a8ce0 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -720,24 +720,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
memcpy(ses->auth_key.response + baselen, tiblob, tilen);
+ mutex_lock(&ses->server->srv_mutex);
+
rc = crypto_hmacmd5_alloc(ses->server);
if (rc) {
cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* calculate ntlmv2_hash */
rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp);
if (rc) {
cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* calculate first part of the client response (CR1) */
rc = CalcNTLMv2_response(ses, ntlmv2_hash);
if (rc) {
cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* now calculate the session key for NTLMv2 */
@@ -746,13 +748,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
if (rc) {
cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n",
__func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash);
if (rc) {
cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
@@ -760,7 +762,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
CIFS_HMAC_MD5_HASH_SIZE);
if (rc) {
cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash,
@@ -768,6 +770,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
if (rc)
cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
+unlock:
+ mutex_unlock(&ses->server->srv_mutex);
setup_ntlmv2_rsp_ret:
kfree(tiblob);
--
2.9.3
next prev parent reply other threads:[~2016-08-18 12:50 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-18 12:49 [patch added to 3.12-stable] x86, asmlinkage, lguest: Pass in globals into assembler statement Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: at91_can: RX queue could get stuck at high bus load Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix handling of unmodifiable configuration options fix Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix oops caused by wrong rtnl dellink usage Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ipr: Clear interrupt on croc/crocodile when running with LSI Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] net: mvneta: set real interrupt per packet for tx_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random32: add prandom_u32_max and convert open coded users Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: make challenge acks less predictable Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] net/irda: fix NULL pointer dereference on memory allocation failure Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: consider recv buf for the initial window scale Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix mapped fault broken commpage handling Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Add missing gfn range check Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: i2c-hid: set power sleep before shutdown Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] x86/mm: Improve switch_mm() barrier comments Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] arm: oabi compat: add missing access checks Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] apparmor: fix ref count leak when profile sha1 hash is read Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] block: fix use-after-free in seq file Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] sysv, ipc: fix security-layer leaking Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] fuse: fix wrong assignment of ->flags in fuse_send_init() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: gcm - Filter out async ghash if necessary Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: scatterwalk - Fix test in scatterwalk_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: check for extents that wrap around Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix deadlock during page writeback Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: don't call ext4_should_journal_data() on the journal inode Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: short-cut orphan cleanup on error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix reference counting bug on block allocation error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] USB: serial: option: add support for Telit LE910 PID 0x1206 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] gpio: pca953x: Fix NBANK calculation for PCA9536 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Set device name for reserved memory region devs Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Add release callback for " Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] cifs: Check for existing directory when opening file with O_CREAT Jiri Slaby
2016-08-18 12:49 ` Jiri Slaby [this message]
2016-08-18 12:49 ` [patch added to 3.12-stable] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random: properly align get_random_int_hash Jiri Slaby
2016-08-19 3:14 ` Eric Biggers
2016-08-19 7:07 ` Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] nfs: don't create zero-length requests Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160818124953.31969-38-jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=rabinv@axis.com \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.