* [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data
@ 2022-09-20 18:10 Enzo Matsumiya
2022-10-04 19:04 ` Paulo Alcantara
2022-10-05 7:09 ` Steve French
0 siblings, 2 replies; 3+ messages in thread
From: Enzo Matsumiya @ 2022-09-20 18:10 UTC (permalink / raw)
To: linux-cifs; +Cc: smfrench, pc, ronniesahlberg, nspmangalore, kernel test robot
Replace kfree with kfree_sensitive, or prepend memzero_explicit() in
other cases, when freeing sensitive material that could still be left
in memory.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reported-by: kernel test robot <oliver.sang@intel.com>
Link: https://lore.kernel.org/r/202209201529.ec633796-oliver.sang@intel.com
---
v3: fix use-after-free reported by kernel test robot (this UAF existed before this patch,
actually), adjust commit message slightly
v2: remove unnecessary NULL checks before kfree_sensitive()
fs/cifs/cifsencrypt.c | 12 ++++++------
fs/cifs/connect.c | 6 +++---
fs/cifs/fs_context.c | 12 ++++++++++--
fs/cifs/misc.c | 2 +-
fs/cifs/sess.c | 24 +++++++++++++++---------
fs/cifs/smb2ops.c | 6 +++---
fs/cifs/smb2pdu.c | 19 ++++++++++++++-----
7 files changed, 52 insertions(+), 29 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 46f5718754f9..d848bc0aac27 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -679,7 +679,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
unlock:
cifs_server_unlock(ses->server);
setup_ntlmv2_rsp_ret:
- kfree(tiblob);
+ kfree_sensitive(tiblob);
return rc;
}
@@ -753,14 +753,14 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
server->secmech.ccmaesdecrypt = NULL;
}
- kfree(server->secmech.sdesccmacaes);
+ kfree_sensitive(server->secmech.sdesccmacaes);
server->secmech.sdesccmacaes = NULL;
- kfree(server->secmech.sdeschmacsha256);
+ kfree_sensitive(server->secmech.sdeschmacsha256);
server->secmech.sdeschmacsha256 = NULL;
- kfree(server->secmech.sdeschmacmd5);
+ kfree_sensitive(server->secmech.sdeschmacmd5);
server->secmech.sdeschmacmd5 = NULL;
- kfree(server->secmech.sdescmd5);
+ kfree_sensitive(server->secmech.sdescmd5);
server->secmech.sdescmd5 = NULL;
- kfree(server->secmech.sdescsha512);
+ kfree_sensitive(server->secmech.sdescsha512);
server->secmech.sdescsha512 = NULL;
}
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 7ae6f2c08153..a43d5686c302 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -311,7 +311,7 @@ cifs_abort_connection(struct TCP_Server_Info *server)
}
server->sequence_number = 0;
server->session_estab = false;
- kfree(server->session_key.response);
+ kfree_sensitive(server->session_key.response);
server->session_key.response = NULL;
server->session_key.len = 0;
server->lstrp = jiffies;
@@ -1580,7 +1580,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
cifs_crypto_secmech_release(server);
- kfree(server->session_key.response);
+ kfree_sensitive(server->session_key.response);
server->session_key.response = NULL;
server->session_key.len = 0;
kfree(server->hostname);
@@ -4134,7 +4134,7 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
if (ses->auth_key.response) {
cifs_dbg(FYI, "Free previous auth_key.response = %p\n",
ses->auth_key.response);
- kfree(ses->auth_key.response);
+ kfree_sensitive(ses->auth_key.response);
ses->auth_key.response = NULL;
ses->auth_key.len = 0;
}
diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
index 0e13dec86b25..45119597c765 100644
--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -791,6 +791,13 @@ do { \
cifs_sb->ctx->field = NULL; \
} while (0)
+#define STEAL_STRING_SENSITIVE(cifs_sb, ctx, field) \
+do { \
+ kfree_sensitive(ctx->field); \
+ ctx->field = cifs_sb->ctx->field; \
+ cifs_sb->ctx->field = NULL; \
+} while (0)
+
static int smb3_reconfigure(struct fs_context *fc)
{
struct smb3_fs_context *ctx = smb3_fc2context(fc);
@@ -811,7 +818,7 @@ static int smb3_reconfigure(struct fs_context *fc)
STEAL_STRING(cifs_sb, ctx, UNC);
STEAL_STRING(cifs_sb, ctx, source);
STEAL_STRING(cifs_sb, ctx, username);
- STEAL_STRING(cifs_sb, ctx, password);
+ STEAL_STRING_SENSITIVE(cifs_sb, ctx, password);
STEAL_STRING(cifs_sb, ctx, domainname);
STEAL_STRING(cifs_sb, ctx, nodename);
STEAL_STRING(cifs_sb, ctx, iocharset);
@@ -1162,7 +1169,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
}
break;
case Opt_pass:
- kfree(ctx->password);
+ kfree_sensitive(ctx->password);
ctx->password = NULL;
if (strlen(param->string) == 0)
break;
@@ -1470,6 +1477,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
return 0;
cifs_parse_mount_err:
+ kfree_sensitive(ctx->password);
return -EINVAL;
}
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 87f60f736731..85109a9a2146 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -1119,7 +1119,7 @@ cifs_alloc_hash(const char *name,
void
cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
{
- kfree(*sdesc);
+ kfree_sensitive(*sdesc);
*sdesc = NULL;
if (*shash)
crypto_free_shash(*shash);
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 3af3b05b6c74..f1c3c6d9146c 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -1213,6 +1213,12 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
static void
sess_free_buffer(struct sess_data *sess_data)
{
+ int i;
+
+ /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
+ for (i = 0; i < 3; i++)
+ if (sess_data->iov[i].iov_base)
+ memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
sess_data->buf0_type = CIFS_NO_BUFFER;
@@ -1374,7 +1380,7 @@ sess_auth_ntlmv2(struct sess_data *sess_data)
sess_data->result = rc;
sess_data->func = NULL;
sess_free_buffer(sess_data);
- kfree(ses->auth_key.response);
+ kfree_sensitive(ses->auth_key.response);
ses->auth_key.response = NULL;
}
@@ -1513,7 +1519,7 @@ sess_auth_kerberos(struct sess_data *sess_data)
sess_data->result = rc;
sess_data->func = NULL;
sess_free_buffer(sess_data);
- kfree(ses->auth_key.response);
+ kfree_sensitive(ses->auth_key.response);
ses->auth_key.response = NULL;
}
@@ -1648,7 +1654,7 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
out_free_ntlmsspblob:
- kfree(ntlmsspblob);
+ kfree_sensitive(ntlmsspblob);
out:
sess_free_buffer(sess_data);
@@ -1658,9 +1664,9 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
}
/* Else error. Cleanup */
- kfree(ses->auth_key.response);
+ kfree_sensitive(ses->auth_key.response);
ses->auth_key.response = NULL;
- kfree(ses->ntlmssp);
+ kfree_sensitive(ses->ntlmssp);
ses->ntlmssp = NULL;
sess_data->func = NULL;
@@ -1759,7 +1765,7 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
}
out_free_ntlmsspblob:
- kfree(ntlmsspblob);
+ kfree_sensitive(ntlmsspblob);
out:
sess_free_buffer(sess_data);
@@ -1767,9 +1773,9 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
rc = sess_establish_session(sess_data);
/* Cleanup */
- kfree(ses->auth_key.response);
+ kfree_sensitive(ses->auth_key.response);
ses->auth_key.response = NULL;
- kfree(ses->ntlmssp);
+ kfree_sensitive(ses->ntlmssp);
ses->ntlmssp = NULL;
sess_data->func = NULL;
@@ -1845,7 +1851,7 @@ int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
rc = sess_data->result;
out:
- kfree(sess_data);
+ kfree_sensitive(sess_data);
return rc;
}
#endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 421be43af425..5094336cade6 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4410,11 +4410,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
if (!rc && enc)
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
- kfree(iv);
+ kfree_sensitive(iv);
free_sg:
- kfree(sg);
+ kfree_sensitive(sg);
free_req:
- kfree(req);
+ kfree_sensitive(req);
return rc;
}
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6352ab32c7e7..722ebff05759 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1345,6 +1345,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
static void
SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
{
+ int i;
+
+ /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
+ for (i = 0; i < 2; i++)
+ if (sess_data->iov[i].iov_base)
+ memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+
free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
sess_data->buf0_type = CIFS_NO_BUFFER;
}
@@ -1477,6 +1484,8 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data)
out_put_spnego_key:
key_invalidate(spnego_key);
key_put(spnego_key);
+ if (rc)
+ kfree_sensitive(ses->auth_key.response);
out:
sess_data->result = rc;
sess_data->func = NULL;
@@ -1573,7 +1582,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
}
out:
- kfree(ntlmssp_blob);
+ memzero_explicit(ntlmssp_blob, blob_length);
SMB2_sess_free_buffer(sess_data);
if (!rc) {
sess_data->result = 0;
@@ -1581,7 +1590,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
return;
}
out_err:
- kfree(ses->ntlmssp);
+ kfree_sensitive(ses->ntlmssp);
ses->ntlmssp = NULL;
sess_data->result = rc;
sess_data->func = NULL;
@@ -1657,9 +1666,9 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
}
#endif
out:
- kfree(ntlmssp_blob);
+ memzero_explicit(ntlmssp_blob, blob_length);
SMB2_sess_free_buffer(sess_data);
- kfree(ses->ntlmssp);
+ kfree_sensitive(ses->ntlmssp);
ses->ntlmssp = NULL;
sess_data->result = rc;
sess_data->func = NULL;
@@ -1737,7 +1746,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
cifs_server_dbg(VFS, "signing requested but authenticated as guest\n");
rc = sess_data->result;
out:
- kfree(sess_data);
+ kfree_sensitive(sess_data);
return rc;
}
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data
2022-09-20 18:10 [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data Enzo Matsumiya
@ 2022-10-04 19:04 ` Paulo Alcantara
2022-10-05 7:09 ` Steve French
1 sibling, 0 replies; 3+ messages in thread
From: Paulo Alcantara @ 2022-10-04 19:04 UTC (permalink / raw)
To: Enzo Matsumiya, linux-cifs
Cc: smfrench, ronniesahlberg, nspmangalore, kernel test robot
Enzo Matsumiya <ematsumiya@suse.de> writes:
> Replace kfree with kfree_sensitive, or prepend memzero_explicit() in
> other cases, when freeing sensitive material that could still be left
> in memory.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> Reported-by: kernel test robot <oliver.sang@intel.com>
> Link: https://lore.kernel.org/r/202209201529.ec633796-oliver.sang@intel.com
> ---
> v3: fix use-after-free reported by kernel test robot (this UAF existed before this patch,
> actually), adjust commit message slightly
> v2: remove unnecessary NULL checks before kfree_sensitive()
>
> fs/cifs/cifsencrypt.c | 12 ++++++------
> fs/cifs/connect.c | 6 +++---
> fs/cifs/fs_context.c | 12 ++++++++++--
> fs/cifs/misc.c | 2 +-
> fs/cifs/sess.c | 24 +++++++++++++++---------
> fs/cifs/smb2ops.c | 6 +++---
> fs/cifs/smb2pdu.c | 19 ++++++++++++++-----
> 7 files changed, 52 insertions(+), 29 deletions(-)
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data
2022-09-20 18:10 [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data Enzo Matsumiya
2022-10-04 19:04 ` Paulo Alcantara
@ 2022-10-05 7:09 ` Steve French
1 sibling, 0 replies; 3+ messages in thread
From: Steve French @ 2022-10-05 7:09 UTC (permalink / raw)
To: Enzo Matsumiya
Cc: linux-cifs, pc, ronniesahlberg, nspmangalore, kernel test robot
merged into cifs-2.6.git for-next
On Tue, Sep 20, 2022 at 1:10 PM Enzo Matsumiya <ematsumiya@suse.de> wrote:
>
> Replace kfree with kfree_sensitive, or prepend memzero_explicit() in
> other cases, when freeing sensitive material that could still be left
> in memory.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> Reported-by: kernel test robot <oliver.sang@intel.com>
> Link: https://lore.kernel.org/r/202209201529.ec633796-oliver.sang@intel.com
> ---
> v3: fix use-after-free reported by kernel test robot (this UAF existed before this patch,
> actually), adjust commit message slightly
> v2: remove unnecessary NULL checks before kfree_sensitive()
>
> fs/cifs/cifsencrypt.c | 12 ++++++------
> fs/cifs/connect.c | 6 +++---
> fs/cifs/fs_context.c | 12 ++++++++++--
> fs/cifs/misc.c | 2 +-
> fs/cifs/sess.c | 24 +++++++++++++++---------
> fs/cifs/smb2ops.c | 6 +++---
> fs/cifs/smb2pdu.c | 19 ++++++++++++++-----
> 7 files changed, 52 insertions(+), 29 deletions(-)
>
> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
> index 46f5718754f9..d848bc0aac27 100644
> --- a/fs/cifs/cifsencrypt.c
> +++ b/fs/cifs/cifsencrypt.c
> @@ -679,7 +679,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
> unlock:
> cifs_server_unlock(ses->server);
> setup_ntlmv2_rsp_ret:
> - kfree(tiblob);
> + kfree_sensitive(tiblob);
>
> return rc;
> }
> @@ -753,14 +753,14 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
> server->secmech.ccmaesdecrypt = NULL;
> }
>
> - kfree(server->secmech.sdesccmacaes);
> + kfree_sensitive(server->secmech.sdesccmacaes);
> server->secmech.sdesccmacaes = NULL;
> - kfree(server->secmech.sdeschmacsha256);
> + kfree_sensitive(server->secmech.sdeschmacsha256);
> server->secmech.sdeschmacsha256 = NULL;
> - kfree(server->secmech.sdeschmacmd5);
> + kfree_sensitive(server->secmech.sdeschmacmd5);
> server->secmech.sdeschmacmd5 = NULL;
> - kfree(server->secmech.sdescmd5);
> + kfree_sensitive(server->secmech.sdescmd5);
> server->secmech.sdescmd5 = NULL;
> - kfree(server->secmech.sdescsha512);
> + kfree_sensitive(server->secmech.sdescsha512);
> server->secmech.sdescsha512 = NULL;
> }
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 7ae6f2c08153..a43d5686c302 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -311,7 +311,7 @@ cifs_abort_connection(struct TCP_Server_Info *server)
> }
> server->sequence_number = 0;
> server->session_estab = false;
> - kfree(server->session_key.response);
> + kfree_sensitive(server->session_key.response);
> server->session_key.response = NULL;
> server->session_key.len = 0;
> server->lstrp = jiffies;
> @@ -1580,7 +1580,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
>
> cifs_crypto_secmech_release(server);
>
> - kfree(server->session_key.response);
> + kfree_sensitive(server->session_key.response);
> server->session_key.response = NULL;
> server->session_key.len = 0;
> kfree(server->hostname);
> @@ -4134,7 +4134,7 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
> if (ses->auth_key.response) {
> cifs_dbg(FYI, "Free previous auth_key.response = %p\n",
> ses->auth_key.response);
> - kfree(ses->auth_key.response);
> + kfree_sensitive(ses->auth_key.response);
> ses->auth_key.response = NULL;
> ses->auth_key.len = 0;
> }
> diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
> index 0e13dec86b25..45119597c765 100644
> --- a/fs/cifs/fs_context.c
> +++ b/fs/cifs/fs_context.c
> @@ -791,6 +791,13 @@ do { \
> cifs_sb->ctx->field = NULL; \
> } while (0)
>
> +#define STEAL_STRING_SENSITIVE(cifs_sb, ctx, field) \
> +do { \
> + kfree_sensitive(ctx->field); \
> + ctx->field = cifs_sb->ctx->field; \
> + cifs_sb->ctx->field = NULL; \
> +} while (0)
> +
> static int smb3_reconfigure(struct fs_context *fc)
> {
> struct smb3_fs_context *ctx = smb3_fc2context(fc);
> @@ -811,7 +818,7 @@ static int smb3_reconfigure(struct fs_context *fc)
> STEAL_STRING(cifs_sb, ctx, UNC);
> STEAL_STRING(cifs_sb, ctx, source);
> STEAL_STRING(cifs_sb, ctx, username);
> - STEAL_STRING(cifs_sb, ctx, password);
> + STEAL_STRING_SENSITIVE(cifs_sb, ctx, password);
> STEAL_STRING(cifs_sb, ctx, domainname);
> STEAL_STRING(cifs_sb, ctx, nodename);
> STEAL_STRING(cifs_sb, ctx, iocharset);
> @@ -1162,7 +1169,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
> }
> break;
> case Opt_pass:
> - kfree(ctx->password);
> + kfree_sensitive(ctx->password);
> ctx->password = NULL;
> if (strlen(param->string) == 0)
> break;
> @@ -1470,6 +1477,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
> return 0;
>
> cifs_parse_mount_err:
> + kfree_sensitive(ctx->password);
> return -EINVAL;
> }
>
> diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
> index 87f60f736731..85109a9a2146 100644
> --- a/fs/cifs/misc.c
> +++ b/fs/cifs/misc.c
> @@ -1119,7 +1119,7 @@ cifs_alloc_hash(const char *name,
> void
> cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
> {
> - kfree(*sdesc);
> + kfree_sensitive(*sdesc);
> *sdesc = NULL;
> if (*shash)
> crypto_free_shash(*shash);
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 3af3b05b6c74..f1c3c6d9146c 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -1213,6 +1213,12 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
> static void
> sess_free_buffer(struct sess_data *sess_data)
> {
> + int i;
> +
> + /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
> + for (i = 0; i < 3; i++)
> + if (sess_data->iov[i].iov_base)
> + memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
>
> free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
> sess_data->buf0_type = CIFS_NO_BUFFER;
> @@ -1374,7 +1380,7 @@ sess_auth_ntlmv2(struct sess_data *sess_data)
> sess_data->result = rc;
> sess_data->func = NULL;
> sess_free_buffer(sess_data);
> - kfree(ses->auth_key.response);
> + kfree_sensitive(ses->auth_key.response);
> ses->auth_key.response = NULL;
> }
>
> @@ -1513,7 +1519,7 @@ sess_auth_kerberos(struct sess_data *sess_data)
> sess_data->result = rc;
> sess_data->func = NULL;
> sess_free_buffer(sess_data);
> - kfree(ses->auth_key.response);
> + kfree_sensitive(ses->auth_key.response);
> ses->auth_key.response = NULL;
> }
>
> @@ -1648,7 +1654,7 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
> rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
>
> out_free_ntlmsspblob:
> - kfree(ntlmsspblob);
> + kfree_sensitive(ntlmsspblob);
> out:
> sess_free_buffer(sess_data);
>
> @@ -1658,9 +1664,9 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
> }
>
> /* Else error. Cleanup */
> - kfree(ses->auth_key.response);
> + kfree_sensitive(ses->auth_key.response);
> ses->auth_key.response = NULL;
> - kfree(ses->ntlmssp);
> + kfree_sensitive(ses->ntlmssp);
> ses->ntlmssp = NULL;
>
> sess_data->func = NULL;
> @@ -1759,7 +1765,7 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
> }
>
> out_free_ntlmsspblob:
> - kfree(ntlmsspblob);
> + kfree_sensitive(ntlmsspblob);
> out:
> sess_free_buffer(sess_data);
>
> @@ -1767,9 +1773,9 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
> rc = sess_establish_session(sess_data);
>
> /* Cleanup */
> - kfree(ses->auth_key.response);
> + kfree_sensitive(ses->auth_key.response);
> ses->auth_key.response = NULL;
> - kfree(ses->ntlmssp);
> + kfree_sensitive(ses->ntlmssp);
> ses->ntlmssp = NULL;
>
> sess_data->func = NULL;
> @@ -1845,7 +1851,7 @@ int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
> rc = sess_data->result;
>
> out:
> - kfree(sess_data);
> + kfree_sensitive(sess_data);
> return rc;
> }
> #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index 421be43af425..5094336cade6 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -4410,11 +4410,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
> if (!rc && enc)
> memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
>
> - kfree(iv);
> + kfree_sensitive(iv);
> free_sg:
> - kfree(sg);
> + kfree_sensitive(sg);
> free_req:
> - kfree(req);
> + kfree_sensitive(req);
> return rc;
> }
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 6352ab32c7e7..722ebff05759 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1345,6 +1345,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
> static void
> SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
> {
> + int i;
> +
> + /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
> + for (i = 0; i < 2; i++)
> + if (sess_data->iov[i].iov_base)
> + memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
> +
> free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
> sess_data->buf0_type = CIFS_NO_BUFFER;
> }
> @@ -1477,6 +1484,8 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data)
> out_put_spnego_key:
> key_invalidate(spnego_key);
> key_put(spnego_key);
> + if (rc)
> + kfree_sensitive(ses->auth_key.response);
> out:
> sess_data->result = rc;
> sess_data->func = NULL;
> @@ -1573,7 +1582,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
> }
>
> out:
> - kfree(ntlmssp_blob);
> + memzero_explicit(ntlmssp_blob, blob_length);
> SMB2_sess_free_buffer(sess_data);
> if (!rc) {
> sess_data->result = 0;
> @@ -1581,7 +1590,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
> return;
> }
> out_err:
> - kfree(ses->ntlmssp);
> + kfree_sensitive(ses->ntlmssp);
> ses->ntlmssp = NULL;
> sess_data->result = rc;
> sess_data->func = NULL;
> @@ -1657,9 +1666,9 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
> }
> #endif
> out:
> - kfree(ntlmssp_blob);
> + memzero_explicit(ntlmssp_blob, blob_length);
> SMB2_sess_free_buffer(sess_data);
> - kfree(ses->ntlmssp);
> + kfree_sensitive(ses->ntlmssp);
> ses->ntlmssp = NULL;
> sess_data->result = rc;
> sess_data->func = NULL;
> @@ -1737,7 +1746,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
> cifs_server_dbg(VFS, "signing requested but authenticated as guest\n");
> rc = sess_data->result;
> out:
> - kfree(sess_data);
> + kfree_sensitive(sess_data);
> return rc;
> }
>
> --
> 2.35.3
>
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-05 7:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-20 18:10 [PATCH v3] cifs: replace kfree() with kfree_sensitive() for sensitive data Enzo Matsumiya
2022-10-04 19:04 ` Paulo Alcantara
2022-10-05 7:09 ` Steve French
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).