From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>,
zdi-disclosures@trendmicro.com
Subject: [PATCH 5.15 02/73] ksmbd: fix user-after-free from session log off
Date: Wed, 6 Nov 2024 13:05:06 +0100 [thread overview]
Message-ID: <20241106120300.032987470@linuxfoundation.org> (raw)
In-Reply-To: <20241106120259.955073160@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 7aa8804c0b67b3cb263a472d17f2cb50d7f1a930 ]
There is racy issue between smb2 session log off and smb2 session setup.
It will cause user-after-free from session log off.
This add session_lock when setting SMB2_SESSION_EXPIRED and referece
count to session struct not to free session while it is being used.
Cc: stable@vger.kernel.org # v5.15+
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25282
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/mgmt/user_session.c | 26 +++++++++++++++++++++-----
fs/ksmbd/mgmt/user_session.h | 4 ++++
fs/ksmbd/server.c | 2 ++
fs/ksmbd/smb2pdu.c | 8 +++++++-
4 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index 15f68ee050894..844db95e66511 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -176,9 +176,10 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
down_write(&conn->session_lock);
xa_for_each(&conn->sessions, id, sess) {
- if (sess->state != SMB2_SESSION_VALID ||
- time_after(jiffies,
- sess->last_active + SMB2_SESSION_TIMEOUT)) {
+ if (atomic_read(&sess->refcnt) == 0 &&
+ (sess->state != SMB2_SESSION_VALID ||
+ time_after(jiffies,
+ sess->last_active + SMB2_SESSION_TIMEOUT))) {
xa_erase(&conn->sessions, sess->id);
hash_del(&sess->hlist);
ksmbd_session_destroy(sess);
@@ -268,8 +269,6 @@ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
down_read(&sessions_table_lock);
sess = __session_lookup(id);
- if (sess)
- sess->last_active = jiffies;
up_read(&sessions_table_lock);
return sess;
@@ -288,6 +287,22 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
return sess;
}
+void ksmbd_user_session_get(struct ksmbd_session *sess)
+{
+ atomic_inc(&sess->refcnt);
+}
+
+void ksmbd_user_session_put(struct ksmbd_session *sess)
+{
+ if (!sess)
+ return;
+
+ if (atomic_read(&sess->refcnt) <= 0)
+ WARN_ON(1);
+ else
+ atomic_dec(&sess->refcnt);
+}
+
struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
u64 sess_id)
{
@@ -356,6 +371,7 @@ static struct ksmbd_session *__session_create(int protocol)
xa_init(&sess->rpc_handle_list);
sess->sequence_number = 1;
rwlock_init(&sess->tree_conns_lock);
+ atomic_set(&sess->refcnt, 1);
ret = __init_smb2_session(sess);
if (ret)
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index 63cb08fffde84..ce91b1d698e71 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -61,6 +61,8 @@ struct ksmbd_session {
struct ksmbd_file_table file_table;
unsigned long last_active;
rwlock_t tree_conns_lock;
+
+ atomic_t refcnt;
};
static inline int test_session_flag(struct ksmbd_session *sess, int bit)
@@ -101,4 +103,6 @@ void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name);
void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
+void ksmbd_user_session_get(struct ksmbd_session *sess);
+void ksmbd_user_session_put(struct ksmbd_session *sess);
#endif /* __USER_SESSION_MANAGEMENT_H__ */
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index 63b01f7d97031..09ebcf39d5bcb 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -238,6 +238,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
} while (is_chained == true);
send:
+ if (work->sess)
+ ksmbd_user_session_put(work->sess);
if (work->tcon)
ksmbd_tree_connect_put(work->tcon);
smb3_preauth_hash_rsp(work);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 089dc2f51229a..54f7cf7a98b2b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -606,8 +606,10 @@ int smb2_check_user_session(struct ksmbd_work *work)
/* Check for validity of user session */
work->sess = ksmbd_session_lookup_all(conn, sess_id);
- if (work->sess)
+ if (work->sess) {
+ ksmbd_user_session_get(work->sess);
return 1;
+ }
ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
return -ENOENT;
}
@@ -1761,6 +1763,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
}
conn->binding = true;
+ ksmbd_user_session_get(sess);
} else if ((conn->dialect < SMB30_PROT_ID ||
server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
@@ -1787,6 +1790,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
}
conn->binding = false;
+ ksmbd_user_session_get(sess);
}
work->sess = sess;
@@ -2235,7 +2239,9 @@ int smb2_session_logoff(struct ksmbd_work *work)
}
ksmbd_destroy_file_table(&sess->file_table);
+ down_write(&conn->session_lock);
sess->state = SMB2_SESSION_EXPIRED;
+ up_write(&conn->session_lock);
ksmbd_free_user(sess->user);
sess->user = NULL;
--
2.43.0
next prev parent reply other threads:[~2024-11-06 13:19 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 12:05 [PATCH 5.15 00/73] 5.15.171-rc1 review Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 01/73] selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Greg Kroah-Hartman
2024-11-06 12:05 ` Greg Kroah-Hartman [this message]
2024-11-06 12:05 ` [PATCH 5.15 03/73] ACPI: PRM: Remove unnecessary blank lines Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 04/73] ACPI: PRM: Change handler_addr type to void pointer Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 05/73] ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 06/73] cgroup: Fix potential overflow issue when checking max_depth Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 07/73] mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 08/73] wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 09/73] wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 10/73] RDMA/cxgb4: Dump vendor specific QP details Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 11/73] RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 12/73] RDMA/bnxt_re: synchronize the qp-handle table array Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 13/73] mac80211: do drv_reconfig_complete() before restarting all Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 14/73] mac80211: Add support to trigger sta disconnect on hardware restart Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 15/73] wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 16/73] wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 17/73] ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 18/73] net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 19/73] igb: Disable threaded IRQ for igb_msix_other Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 20/73] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 21/73] gtp: allow -1 to be specified as file description from userspace Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 22/73] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 23/73] netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 24/73] bpf: Fix out-of-bounds write in trie_get_next_key() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 25/73] netfilter: Fix use-after-free in get_info() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 26/73] net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 27/73] netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 28/73] firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 29/73] ACPI: CPPC: Make rmw_lock a raw_spin_lock Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 30/73] fs/ntfs3: Check if more than chunk-size bytes are written Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 31/73] fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 32/73] fs/ntfs3: Fix possible deadlock in mi_read Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 33/73] fs/ntfs3: Additional check in ni_clear() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 34/73] scsi: scsi_transport_fc: Allow setting rport state to current state Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 35/73] net: amd: mvme147: Fix probe banner message Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 36/73] NFS: remove revoked delegation from servers delegation list Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 37/73] misc: sgi-gru: Dont disable preemption in GRU driver Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 38/73] usbip: tools: Fix detach_port() invalid port error path Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 39/73] usb: phy: Fix API devm_usb_put_phy() can not release the phy Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 40/73] usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 41/73] xhci: Fix Link TRB DMA in command ring stopped completion event Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 42/73] xhci: Use pm_runtime_get to prevent RPM on unsupported systems Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 43/73] Revert "driver core: Fix uevent_show() vs driver detach race" Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 44/73] wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 45/73] wifi: ath10k: Fix memory leak in management tx Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 46/73] wifi: iwlegacy: Clear stale interrupts before resuming device Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 47/73] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 48/73] iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 49/73] iio: light: veml6030: fix microlux value calculation Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 50/73] nilfs2: fix potential deadlock with newly created symlinks Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 51/73] riscv: vdso: Prevent the compiler from inserting calls to memset() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 52/73] riscv: efi: Set NX compat flag in PE/COFF header Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 53/73] riscv: Use %u to format the output of cpu Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 54/73] riscv: Remove unused GENERATING_ASM_OFFSETS Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.15 55/73] riscv: Remove duplicated GET_RM Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 56/73] mm/page_alloc: call check_new_pages() while zone spinlock is not held Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 57/73] mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 58/73] mm/page_alloc: split out buddy removal code from rmqueue into separate helper Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 59/73] mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 60/73] mm/page_alloc: treat RT tasks similar to __GFP_HIGH Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 61/73] mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 62/73] mm/page_alloc: explicitly define what alloc flags deplete min reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 63/73] mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 64/73] mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 65/73] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 66/73] x86/bugs: Use code segment selector for VERW operand Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 67/73] nilfs2: fix kernel bug due to missing clearing of checked flag Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 68/73] wifi: iwlwifi: mvm: fix 6 GHz scan construction Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 69/73] mm: shmem: fix data-race in shmem_getattr() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 70/73] Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 71/73] drm/i915: Fix potential context UAFs Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 72/73] vt: prevent kernel-infoleak in con_font_get() Greg Kroah-Hartman
2024-11-06 12:06 ` [PATCH 5.15 73/73] mac80211: always have ieee80211_sta_restart() Greg Kroah-Hartman
2024-11-06 16:53 ` [PATCH 5.15 00/73] 5.15.171-rc1 review SeongJae Park
2024-11-07 2:50 ` Shuah Khan
2024-11-07 2:56 ` Shuah Khan
2024-11-07 12:03 ` Naresh Kamboju
2024-11-07 13:42 ` Jon Hunter
2024-11-07 19:29 ` Florian Fainelli
2024-11-08 2:31 ` Ron Economos
2024-11-08 7:06 ` [PATCH 5.15] " Hardik Garg
2024-11-08 15:46 ` [PATCH 5.15 00/73] " Mark Brown
2024-11-09 16:05 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241106120300.032987470@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linkinjeon@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=zdi-disclosures@trendmicro.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox