From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Tom Talpey <tom@talpey.com>,
Jianhong Yin <jiyin@redhat.com>,
"Paulo Alcantara (Red Hat)" <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.1 48/49] smb: client: fix NULL ptr deref in crypto_aead_setkey()
Date: Thu, 30 Jan 2025 15:02:24 +0100 [thread overview]
Message-ID: <20250130140135.751793326@linuxfoundation.org> (raw)
In-Reply-To: <20250130140133.825446496@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 upstream.
Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so
when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,
the client uses AES-128-CCM as the default cipher. See MS-SMB2
3.3.5.4.
Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added
a @server->cipher_type check to conditionally call
smb3_crypto_aead_allocate(), but that check would always be false as
@server->cipher_type is unset for SMB3.02.
Fix the following KASAN splat by setting @server->cipher_type for
SMB3.02 as well.
mount.cifs //srv/share /mnt -o vers=3.02,seal,...
BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
Read of size 8 at addr 0000000000000020 by task mount.cifs/1095
CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? crypto_aead_setkey+0x2c/0x130
kasan_report+0xda/0x110
? crypto_aead_setkey+0x2c/0x130
crypto_aead_setkey+0x2c/0x130
crypt_message+0x258/0xec0 [cifs]
? __asan_memset+0x23/0x50
? __pfx_crypt_message+0x10/0x10 [cifs]
? mark_lock+0xb0/0x6a0
? hlock_class+0x32/0xb0
? mark_lock+0xb0/0x6a0
smb3_init_transform_rq+0x352/0x3f0 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
smb_send_rqst+0x144/0x230 [cifs]
? __pfx_smb_send_rqst+0x10/0x10 [cifs]
? hlock_class+0x32/0xb0
? smb2_setup_request+0x225/0x3a0 [cifs]
? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
compound_send_recv+0x59b/0x1140 [cifs]
? __pfx_compound_send_recv+0x10/0x10 [cifs]
? __create_object+0x5e/0x90
? hlock_class+0x32/0xb0
? do_raw_spin_unlock+0x9a/0xf0
cifs_send_recv+0x23/0x30 [cifs]
SMB2_tcon+0x3ec/0xb30 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? __pfx_lock_release+0x10/0x10
? do_raw_spin_trylock+0xc6/0x120
? lock_acquire+0x3f/0x90
? _get_xid+0x16/0xd0 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
cifs_mount_get_session+0x8a/0x210 [cifs]
dfs_mount_share+0x1b0/0x11d0 [cifs]
? __pfx___lock_acquire+0x10/0x10
? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? find_held_lock+0x8a/0xa0
? hlock_class+0x32/0xb0
? lock_release+0x203/0x5d0
cifs_mount+0xb3/0x3d0 [cifs]
? do_raw_spin_trylock+0xc6/0x120
? __pfx_cifs_mount+0x10/0x10 [cifs]
? lock_acquire+0x3f/0x90
? find_nls+0x16/0xa0
? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
? __pfx_vfs_parse_fs_string+0x10/0x10
? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
smb3_get_tree+0x1bf/0x330 [cifs]
vfs_get_tree+0x4a/0x160
path_mount+0x3c1/0xfb0
? kasan_quarantine_put+0xc7/0x1d0
? __pfx_path_mount+0x10/0x10
? kmem_cache_free+0x118/0x3e0
? user_path_at+0x74/0xa0
__x64_sys_mount+0x1a6/0x1e0
? __pfx___x64_sys_mount+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Cc: Tom Talpey <tom@talpey.com>
Reported-by: Jianhong Yin <jiyin@redhat.com>
Cc: stable@vger.kernel.org # v6.12
Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -1070,7 +1070,9 @@ SMB2_negotiate(const unsigned int xid,
* SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
* Set the cipher type manually.
*/
- if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
+ if ((server->dialect == SMB30_PROT_ID ||
+ server->dialect == SMB302_PROT_ID) &&
+ (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
next prev parent reply other threads:[~2025-01-30 14:31 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-30 14:01 [PATCH 6.1 00/49] 6.1.128-rc1 review Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 01/49] ASoC: wm8994: Add depends on MFD core Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 02/49] ASoC: samsung: Add missing selects for MFD_WM8994 Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 03/49] seccomp: Stub for !CONFIG_SECCOMP Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 04/49] scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 05/49] drm/amd/display: Use HW lock mgr for PSR1 Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 06/49] irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 07/49] ASoC: samsung: midas_wm1811: Map missing jack kcontrols Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 08/49] ASoC: samsung: Add missing depends on I2C Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 09/49] regmap: detach regmap from dev on regmap_exit Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 10/49] ipv6: Fix soft lockups in fib6_select_path under high next hop churn Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 11/49] softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 12/49] xfs: bump max fsgeom struct version Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 13/49] xfs: hoist freeing of rt data fork extent mappings Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 14/49] xfs: prevent rt growfs when quota is enabled Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 15/49] xfs: rt stubs should return negative errnos when rt disabled Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 16/49] xfs: fix units conversion error in xfs_bmap_del_extent_delay Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 17/49] xfs: make sure maxlen is still congruent with prod when rounding down Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 18/49] xfs: introduce protection for drop nlink Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 19/49] xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 20/49] xfs: allow read IO and FICLONE to run concurrently Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 21/49] xfs: factor out xfs_defer_pending_abort Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 22/49] xfs: abort intent items when recovery intents fail Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 6.1 23/49] xfs: only remap the written blocks in xfs_reflink_end_cow_extent Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 24/49] xfs: up(ic_sema) if flushing data device fails Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 25/49] xfs: fix internal error from AGFL exhaustion Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 26/49] xfs: inode recovery does not validate the recovered inode Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 27/49] xfs: clean up dqblk extraction Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 28/49] xfs: dquot recovery does not validate the recovered dquot Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 29/49] xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 30/49] xfs: respect the stable writes flag on the RT device Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 31/49] gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 32/49] io_uring: fix waiters missing wake ups Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 33/49] net: sched: fix ets qdisc OOB Indexing Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 34/49] block: fix integer overflow in BLKSECDISCARD Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 35/49] Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 36/49] vfio/platform: check the bounds of read/write syscalls Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 37/49] ext4: fix access to uninitialised lock in fc replay path Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 38/49] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 39/49] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 40/49] wifi: iwlwifi: add a few rate index validity checks Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 41/49] smb: client: fix UAF in async decryption Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 42/49] USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 43/49] Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 44/49] ALSA: usb-audio: Add delay quirk for USB Audio Device Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 45/49] Input: atkbd - map F23 key to support default copilot shortcut Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 46/49] Input: xpad - add unofficial Xbox 360 wireless receiver clone Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 6.1 47/49] Input: xpad - add support for wooting two he (arm) Greg Kroah-Hartman
2025-01-30 14:02 ` Greg Kroah-Hartman [this message]
2025-01-30 14:02 ` [PATCH 6.1 49/49] ASoC: samsung: midas_wm1811: Fix Headphone Switch control creation Greg Kroah-Hartman
2025-01-30 17:58 ` [PATCH 6.1 00/49] 6.1.128-rc1 review Mark Brown
2025-01-30 21:31 ` Florian Fainelli
2025-01-31 5:38 ` Jon Hunter
2025-01-31 12:57 ` Pavel Machek
2025-01-31 13:57 ` Ron Economos
2025-01-31 15:26 ` Naresh Kamboju
2025-01-31 16:58 ` Muhammad Usama Anjum
2025-02-01 8:15 ` [PATCH 6.1] " Hardik Garg
2025-02-01 12:19 ` [PATCH 6.1 00/49] " Peter Schneider
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250130140135.751793326@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jiyin@redhat.com \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.