linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure
       [not found] <2025110432-maimed-polio-c7b4@gregkh>
@ 2025-11-04 10:03 ` Qianchang Zhao
  2025-11-04 11:51   ` Namjae Jeon
  2025-11-04 14:12 ` Qianchang Zhao
  1 sibling, 1 reply; 6+ messages in thread
From: Qianchang Zhao @ 2025-11-04 10:03 UTC (permalink / raw)
  To: Namjae Jeon, Steve French
  Cc: Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh,
	Qianchang Zhao, Zhitong Liu, stable

When encrypt_resp() fails at the send path, we only set
STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf
in this tree). Repeating this path leaks kernel memory and can lead to
OOM (DoS) when encryption is required.

Reproduced on: Linux v6.18-rc2 (self-built test kernel)

Fix by freeing the transform buffer and forcing plaintext error reply.

Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
 fs/smb/server/server.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
index 7b01c7589..15dd13e76 100644
--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -246,11 +246,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
 		rc = conn->ops->encrypt_resp(work);
 		if (rc < 0) {
 			conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
-			 work->encrypted = false;
-    			 	if (work->tr_buf) {
-            				kvfree(work->tr_buf);
-            				work->tr_buf = NULL;
-       			   	}
+			work->encrypted = false;
+			if (work->tr_buf) {
+				kvfree(work->tr_buf);
+				work->tr_buf = NULL;
+			}
 		}
 	}
 	if (work->sess)
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure
  2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao
@ 2025-11-04 11:51   ` Namjae Jeon
  0 siblings, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2025-11-04 11:51 UTC (permalink / raw)
  To: Qianchang Zhao
  Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs,
	linux-kernel, gregkh, Zhitong Liu, stable

On Tue, Nov 4, 2025 at 7:03 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote:
>
> When encrypt_resp() fails at the send path, we only set
> STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf
> in this tree). Repeating this path leaks kernel memory and can lead to
> OOM (DoS) when encryption is required.
>
> Reproduced on: Linux v6.18-rc2 (self-built test kernel)
>
> Fix by freeing the transform buffer and forcing plaintext error reply.
>
> Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
> ---
>  fs/smb/server/server.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
> index 7b01c7589..15dd13e76 100644
> --- a/fs/smb/server/server.c
> +++ b/fs/smb/server/server.c
> @@ -246,11 +246,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
>                 rc = conn->ops->encrypt_resp(work);
>                 if (rc < 0) {
>                         conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
> -                        work->encrypted = false;
> -                               if (work->tr_buf) {
> -                                       kvfree(work->tr_buf);
> -                                       work->tr_buf = NULL;
> -                                       }
> +                       work->encrypted = false;
> +                       if (work->tr_buf) {
> +                               kvfree(work->tr_buf);
> +                               work->tr_buf = NULL;
> +                       }
This patch seems to be broken or wrong. Please check the patch again.
Thanks!
>                 }
>         }
>         if (work->sess)
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure
       [not found] <2025110432-maimed-polio-c7b4@gregkh>
  2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao
@ 2025-11-04 14:12 ` Qianchang Zhao
  2025-11-05  5:14   ` Namjae Jeon
  2025-11-06  6:58   ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao
  1 sibling, 2 replies; 6+ messages in thread
From: Qianchang Zhao @ 2025-11-04 14:12 UTC (permalink / raw)
  To: Namjae Jeon, Steve French
  Cc: Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh,
	Qianchang Zhao, Zhitong Liu, stable

When encrypt_resp() fails at the send path, we only set
STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf
in this tree). Repeating this path leaks kernel memory and can lead to
OOM (DoS) when encryption is required.

Reproduced on: Linux v6.18-rc2 (self-built test kernel)

Fix by freeing the transform buffer and forcing plaintext error reply.

Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
 fs/smb/server/server.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
index 40420544c..15dd13e76 100644
--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
 	if (work->sess && work->sess->enc && work->encrypted &&
 	    conn->ops->encrypt_resp) {
 		rc = conn->ops->encrypt_resp(work);
-		if (rc < 0)
+		if (rc < 0) {
 			conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+			work->encrypted = false;
+			if (work->tr_buf) {
+				kvfree(work->tr_buf);
+				work->tr_buf = NULL;
+			}
+		}
 	}
 	if (work->sess)
 		ksmbd_user_session_put(work->sess);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure
  2025-11-04 14:12 ` Qianchang Zhao
@ 2025-11-05  5:14   ` Namjae Jeon
  2025-11-06  6:58   ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao
  1 sibling, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2025-11-05  5:14 UTC (permalink / raw)
  To: Qianchang Zhao
  Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs,
	linux-kernel, gregkh, Zhitong Liu, stable

On Tue, Nov 4, 2025 at 11:12 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote:
>
> When encrypt_resp() fails at the send path, we only set
> STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf
> in this tree). Repeating this path leaks kernel memory and can lead to
> OOM (DoS) when encryption is required.
>
> Reproduced on: Linux v6.18-rc2 (self-built test kernel)
>
> Fix by freeing the transform buffer and forcing plaintext error reply.
>
> Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
> ---
>  fs/smb/server/server.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
> index 40420544c..15dd13e76 100644
> --- a/fs/smb/server/server.c
> +++ b/fs/smb/server/server.c
> @@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
>         if (work->sess && work->sess->enc && work->encrypted &&
>             conn->ops->encrypt_resp) {
>                 rc = conn->ops->encrypt_resp(work);
> -               if (rc < 0)
> +               if (rc < 0) {
>                         conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
> +                       work->encrypted = false;
> +                       if (work->tr_buf) {
> +                               kvfree(work->tr_buf);
->tr_buf is freed in ksmbd_free_work_struct(). How can tr_buf not be freed?
Thanks.
> +                               work->tr_buf = NULL;
> +                       }
> +               }
>         }
>         if (work->sess)
>                 ksmbd_user_session_put(work->sess);
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error
  2025-11-04 14:12 ` Qianchang Zhao
  2025-11-05  5:14   ` Namjae Jeon
@ 2025-11-06  6:58   ` Qianchang Zhao
  2025-11-08 14:27     ` Namjae Jeon
  1 sibling, 1 reply; 6+ messages in thread
From: Qianchang Zhao @ 2025-11-06  6:58 UTC (permalink / raw)
  To: Namjae Jeon, linux-cifs
  Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-kernel,
	stable, gregkh, Qianchang Zhao, Zhitong Liu

When encrypt_resp() fails in the send path, we set STATUS_DATA_ERROR but
leave work->encrypted true. The send path then still assumes a valid
transform buffer and tries to build/send an encrypted reply.

Clear work->encrypted on failure to force a plaintext error reply.
The transform buffer (if allocated) is released by ksmbd_free_work_struct(),
so no explicit kvfree(tr_buf) is needed.

Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>

---
v2:
  - Drop explicit kvfree(tr_buf); it is freed in ksmbd_free_work_struct().
  - Keep only 'work->encrypted = false' and update the commit message.

 fs/smb/server/server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
index 40420544c..a7444a78f 100644
--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -244,8 +244,10 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
 	if (work->sess && work->sess->enc && work->encrypted &&
 	    conn->ops->encrypt_resp) {
 		rc = conn->ops->encrypt_resp(work);
-		if (rc < 0)
+		if (rc < 0) {
 			conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+			work->encrypted = false;
+		}
 	}
 	if (work->sess)
 		ksmbd_user_session_put(work->sess);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error
  2025-11-06  6:58   ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao
@ 2025-11-08 14:27     ` Namjae Jeon
  0 siblings, 0 replies; 6+ messages in thread
From: Namjae Jeon @ 2025-11-08 14:27 UTC (permalink / raw)
  To: Qianchang Zhao
  Cc: linux-cifs, Steve French, Sergey Senozhatsky, Tom Talpey,
	linux-kernel, stable, gregkh, Zhitong Liu

On Thu, Nov 6, 2025 at 3:58 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote:
>
> When encrypt_resp() fails in the send path, we set STATUS_DATA_ERROR but
> leave work->encrypted true. The send path then still assumes a valid
> transform buffer and tries to build/send an encrypted reply.
>
> Clear work->encrypted on failure to force a plaintext error reply.
ksmbd will send a plain text error reply regardless of the
work->encrypted value.
It doesn't seem to make any sense to set this to false.
Thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-11-08 14:27 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <2025110432-maimed-polio-c7b4@gregkh>
2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao
2025-11-04 11:51   ` Namjae Jeon
2025-11-04 14:12 ` Qianchang Zhao
2025-11-05  5:14   ` Namjae Jeon
2025-11-06  6:58   ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao
2025-11-08 14:27     ` Namjae Jeon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).