* [PATCH] cifs: fix memory leaks in session setup
@ 2022-10-19 14:25 Paulo Alcantara
2022-10-19 15:28 ` Steve French
0 siblings, 1 reply; 3+ messages in thread
From: Paulo Alcantara @ 2022-10-19 14:25 UTC (permalink / raw)
To: smfrench; +Cc: linux-cifs, Paulo Alcantara
We were only zeroing out the ntlmssp blob but forgot to free the
allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate()
and SMB2_sess_auth_rawntlmssp_authenticate() functions.
This fixes below kmemleak reports:
unreferenced object 0xffff88800ddcfc60 (size 96):
comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d0beeb29>] __kmalloc+0x39/0xa0
[<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs]
[<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs]
[<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
[<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
[<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
[<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
[<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
[<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
[<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
[<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
[<0000000094dbd041>] vfs_get_tree+0x23/0xc0
[<000000003a8561de>] path_mount+0x2d3/0xb50
[<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
[<00000000142142f3>] do_syscall_64+0x3b/0x90
[<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
unreferenced object 0xffff88801437f000 (size 512):
comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d0beeb29>] __kmalloc+0x39/0xa0
[<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs]
[<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs]
[<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
[<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
[<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
[<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
[<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
[<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
[<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
[<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
[<0000000094dbd041>] vfs_get_tree+0x23/0xc0
[<000000003a8561de>] path_mount+0x2d3/0xb50
[<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
[<00000000142142f3>] do_syscall_64+0x3b/0x90
[<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
---
fs/cifs/smb2pdu.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index c930b63bc422..a5695748a89b 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1341,14 +1341,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
static void
SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
{
- int i;
+ struct kvec *iov = sess_data->iov;
- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
- for (i = 0; i < 2; i++)
- if (sess_data->iov[i].iov_base)
- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+ /* iov[1] is already freed by caller */
+ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
+ memzero_explicit(iov[0].iov_base, iov[0].iov_len);
- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
sess_data->buf0_type = CIFS_NO_BUFFER;
}
@@ -1578,7 +1577,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
}
out:
- memzero_explicit(ntlmssp_blob, blob_length);
+ kfree_sensitive(ntlmssp_blob);
SMB2_sess_free_buffer(sess_data);
if (!rc) {
sess_data->result = 0;
@@ -1662,7 +1661,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
}
#endif
out:
- memzero_explicit(ntlmssp_blob, blob_length);
+ kfree_sensitive(ntlmssp_blob);
SMB2_sess_free_buffer(sess_data);
kfree_sensitive(ses->ntlmssp);
ses->ntlmssp = NULL;
--
2.38.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] cifs: fix memory leaks in session setup
2022-10-19 14:25 [PATCH] cifs: fix memory leaks in session setup Paulo Alcantara
@ 2022-10-19 15:28 ` Steve French
2022-10-19 15:47 ` Paulo Alcantara
0 siblings, 1 reply; 3+ messages in thread
From: Steve French @ 2022-10-19 15:28 UTC (permalink / raw)
To: Paulo Alcantara; +Cc: linux-cifs
Is this a cc:stable? or Fixes: tag?
On Wed, Oct 19, 2022 at 9:24 AM Paulo Alcantara <pc@cjr.nz> wrote:
>
> We were only zeroing out the ntlmssp blob but forgot to free the
> allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate()
> and SMB2_sess_auth_rawntlmssp_authenticate() functions.
>
> This fixes below kmemleak reports:
>
> unreferenced object 0xffff88800ddcfc60 (size 96):
> comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<00000000d0beeb29>] __kmalloc+0x39/0xa0
> [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs]
> [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs]
> [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
> [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
> [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
> [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
> [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
> [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
> [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
> [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
> [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
> [<000000003a8561de>] path_mount+0x2d3/0xb50
> [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
> [<00000000142142f3>] do_syscall_64+0x3b/0x90
> [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> unreferenced object 0xffff88801437f000 (size 512):
> comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<00000000d0beeb29>] __kmalloc+0x39/0xa0
> [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs]
> [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs]
> [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
> [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
> [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
> [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
> [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
> [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
> [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
> [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
> [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
> [<000000003a8561de>] path_mount+0x2d3/0xb50
> [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
> [<00000000142142f3>] do_syscall_64+0x3b/0x90
> [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
> ---
> fs/cifs/smb2pdu.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index c930b63bc422..a5695748a89b 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1341,14 +1341,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
> static void
> SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
> {
> - int i;
> + struct kvec *iov = sess_data->iov;
>
> - /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
> - for (i = 0; i < 2; i++)
> - if (sess_data->iov[i].iov_base)
> - memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
> + /* iov[1] is already freed by caller */
> + if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
> + memzero_explicit(iov[0].iov_base, iov[0].iov_len);
>
> - free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
> + free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
> sess_data->buf0_type = CIFS_NO_BUFFER;
> }
>
> @@ -1578,7 +1577,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
> }
>
> out:
> - memzero_explicit(ntlmssp_blob, blob_length);
> + kfree_sensitive(ntlmssp_blob);
> SMB2_sess_free_buffer(sess_data);
> if (!rc) {
> sess_data->result = 0;
> @@ -1662,7 +1661,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
> }
> #endif
> out:
> - memzero_explicit(ntlmssp_blob, blob_length);
> + kfree_sensitive(ntlmssp_blob);
> SMB2_sess_free_buffer(sess_data);
> kfree_sensitive(ses->ntlmssp);
> ses->ntlmssp = NULL;
> --
> 2.38.0
>
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] cifs: fix memory leaks in session setup
2022-10-19 15:28 ` Steve French
@ 2022-10-19 15:47 ` Paulo Alcantara
0 siblings, 0 replies; 3+ messages in thread
From: Paulo Alcantara @ 2022-10-19 15:47 UTC (permalink / raw)
To: Steve French; +Cc: linux-cifs
Steve French <smfrench@gmail.com> writes:
> Is this a cc:stable? or Fixes: tag?
Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-19 15:51 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-19 14:25 [PATCH] cifs: fix memory leaks in session setup Paulo Alcantara
2022-10-19 15:28 ` Steve French
2022-10-19 15:47 ` Paulo Alcantara
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.