UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/fs
History
Paulo Alcantara 46f8e25926 smb: client: fix NULL ptr deref in crypto_aead_setkey() 
commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 upstream.

Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so
when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,
the client uses AES-128-CCM as the default cipher.  See MS-SMB2
3.3.5.4.

Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added
a @server->cipher_type check to conditionally call
smb3_crypto_aead_allocate(), but that check would always be false as
@server->cipher_type is unset for SMB3.02.

Fix the following KASAN splat by setting @server->cipher_type for
SMB3.02 as well.

mount.cifs //srv/share /mnt -o vers=3.02,seal,...

BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
Read of size 8 at addr 0000000000000020 by task mount.cifs/1095
CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 ? crypto_aead_setkey+0x2c/0x130
 kasan_report+0xda/0x110
 ? crypto_aead_setkey+0x2c/0x130
 crypto_aead_setkey+0x2c/0x130
 crypt_message+0x258/0xec0 [cifs]
 ? __asan_memset+0x23/0x50
 ? __pfx_crypt_message+0x10/0x10 [cifs]
 ? mark_lock+0xb0/0x6a0
 ? hlock_class+0x32/0xb0
 ? mark_lock+0xb0/0x6a0
 smb3_init_transform_rq+0x352/0x3f0 [cifs]
 ? lock_acquire.part.0+0xf4/0x2a0
 smb_send_rqst+0x144/0x230 [cifs]
 ? __pfx_smb_send_rqst+0x10/0x10 [cifs]
 ? hlock_class+0x32/0xb0
 ? smb2_setup_request+0x225/0x3a0 [cifs]
 ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
 compound_send_recv+0x59b/0x1140 [cifs]
 ? __pfx_compound_send_recv+0x10/0x10 [cifs]
 ? __create_object+0x5e/0x90
 ? hlock_class+0x32/0xb0
 ? do_raw_spin_unlock+0x9a/0xf0
 cifs_send_recv+0x23/0x30 [cifs]
 SMB2_tcon+0x3ec/0xb30 [cifs]
 ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
 ? lock_acquire.part.0+0xf4/0x2a0
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_spin_trylock+0xc6/0x120
 ? lock_acquire+0x3f/0x90
 ? _get_xid+0x16/0xd0 [cifs]
 ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
 ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
 cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
 ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
 ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
 cifs_mount_get_session+0x8a/0x210 [cifs]
 dfs_mount_share+0x1b0/0x11d0 [cifs]
 ? __pfx___lock_acquire+0x10/0x10
 ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
 ? lock_acquire.part.0+0xf4/0x2a0
 ? find_held_lock+0x8a/0xa0
 ? hlock_class+0x32/0xb0
 ? lock_release+0x203/0x5d0
 cifs_mount+0xb3/0x3d0 [cifs]
 ? do_raw_spin_trylock+0xc6/0x120
 ? __pfx_cifs_mount+0x10/0x10 [cifs]
 ? lock_acquire+0x3f/0x90
 ? find_nls+0x16/0xa0
 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
 cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
 ? __pfx_vfs_parse_fs_string+0x10/0x10
 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
 smb3_get_tree+0x1bf/0x330 [cifs]
 vfs_get_tree+0x4a/0x160
 path_mount+0x3c1/0xfb0
 ? kasan_quarantine_put+0xc7/0x1d0
 ? __pfx_path_mount+0x10/0x10
 ? kmem_cache_free+0x118/0x3e0
 ? user_path_at+0x74/0xa0
 __x64_sys_mount+0x1a6/0x1e0
 ? __pfx___x64_sys_mount+0x10/0x10
 ? mark_held_locks+0x1a/0x90
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Cc: Tom Talpey <tom@talpey.com>
Reported-by: Jianhong Yin <jiyin@redhat.com>
Cc: stable@vger.kernel.org # v6.12
Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2024-12-09 10:32:48 +01:00
..
9p fs/9p: fix uninitialized values during inode evict 2024-11-22 15:38:37 +01:00
adfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
affs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
afs afs: Fix missing subdir edit when renamed between parent dirs 2024-11-08 16:28:20 +01:00
autofs v6.6-vfs.autofs 2023-08-28 11:39:14 -07:00
befs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
bfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
btrfs btrfs: do not BUG_ON() when freeing tree block after error 2024-12-09 10:32:41 +01:00
cachefiles cachefiles: Fix missing pos updates in cachefiles_ondemand_fd_write_iter() 2024-12-09 10:31:45 +01:00
ceph ceph: fix cap ref leak via netfs init_request 2024-10-10 11:57:59 +02:00
coda v6.6-vfs.ctime 2023-08-28 09:31:32 -07:00
configfs configfs: convert to ctime accessor functions 2023-07-13 10:28:05 +02:00
cramfs fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
crypto fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
debugfs debugfs: fix automount d_fsdata usage 2024-01-20 11:51:37 +01:00
devpts v6.6-vfs.misc 2023-08-28 10:17:14 -07:00
dlm dlm: fix user space lock decision to copy lvb 2024-06-12 11:11:38 +02:00
ecryptfs fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
efivarfs efivarfs: Request at most 512 bytes for variable names 2024-03-06 14:48:41 +00:00
efs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
erofs erofs: handle NONHEAD !delta[1] lclusters gracefully 2024-12-09 10:32:11 +01:00
exfat exfat: fix uninit-value in __exfat_get_dentry_set 2024-12-09 10:32:45 +01:00
exportfs exportfs: remove kernel-doc warnings in exportfs 2023-08-29 17:45:22 -04:00
ext2 ext2: Verify bitmap and itable block numbers before using them 2024-08-03 08:54:15 +02:00
ext4 ext4: fix FS_IOC_GETFSMAP handling 2024-12-09 10:32:42 +01:00
f2fs f2fs: fix null reference error when checking end of zone 2024-12-09 10:32:41 +01:00
fat fat: fix uninitialized variable 2024-10-22 15:46:20 +02:00
freevxfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
fscache netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING 2024-12-09 10:31:45 +01:00
fuse fuse: fix memory leak in fuse_create_open 2024-09-12 11:11:26 +02:00
gfs2 gfs2: Remove and replace gfs2_glock_queue_work 2024-12-09 10:32:38 +01:00
hfs hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() 2024-08-03 08:54:15 +02:00
hfsplus hfsplus: don't query the device logical block size multiple times 2024-12-09 10:31:45 +01:00
hostfs hostfs: fix dev_t handling 2024-08-03 08:54:22 +02:00
hpfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
hugetlbfs mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE 2024-02-23 09:25:16 +01:00
iomap iomap: turn iomap_want_unshare_iter into an inline function 2024-11-08 16:28:19 +01:00
isofs isofs: handle CDs with bad root inode but good Joliet root directory 2024-04-13 13:07:34 +02:00
jbd2 jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit 2024-10-10 11:57:50 +02:00
jffs2 jffs2: Fix potential illegal address access in jffs2_free_inode 2024-07-11 12:49:09 +02:00
jfs jfs: xattr: check invalid xattr size more strictly 2024-12-09 10:32:42 +01:00
kernfs kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files 2024-08-29 17:33:33 +02:00
lockd nfsd: stop setting ->pg_stats for unused stats 2024-08-19 06:04:23 +02:00
minix for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
netfs netfs: Only call folio_start_fscache() one time for each folio 2023-09-18 12:03:46 -07:00
nfs nfs: Fix KMSAN warning in decode_getfattr_attrs() 2024-11-14 13:19:37 +01:00
nfs_common
nfsd NFSD: Fix nfsd4_shutdown_copy() 2024-12-09 10:32:30 +01:00
nilfs2 nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint 2024-11-22 15:38:34 +01:00
nls nls: Hide new NLS_UCS2_UTILS 2023-08-31 12:07:34 -05:00
notify fsnotify: fix sending inotify event with unexpected filename 2024-12-09 10:32:44 +01:00
ntfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
ntfs3 fs/ntfs3: Sequential field availability check in mi_enum_attr() 2024-11-08 16:28:28 +01:00
ocfs2 ocfs2: fix uninitialized value in ocfs2_file_read_iter() 2024-12-09 10:32:20 +01:00
omfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
openpromfs openpromfs: finish conversion to the new mount API 2024-06-12 11:11:30 +02:00
orangefs orangefs: fix out-of-bounds fsid access 2024-07-11 12:49:08 +02:00
overlayfs ovl: fail if trusted xattrs are needed but caller lacks permission 2024-10-10 11:57:44 +02:00
proc fs/proc/kcore.c: fix coccinelle reported ERROR instances 2024-12-09 10:32:18 +01:00
pstore pstore/zone: Add a null pointer check to the psz_kmsg_read 2024-04-13 13:07:31 +02:00
qnx4 for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
qnx6 for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
quota quota: Remove BUG_ON from dqget() 2024-08-29 17:33:33 +02:00
ramfs ramfs: convert to ctime accessor functions 2023-07-24 10:30:04 +02:00
reiserfs reiserfs: fix uninit-value in comp_keys 2024-08-19 06:04:26 +02:00
romfs fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
smb smb: client: fix NULL ptr deref in crypto_aead_setkey() 2024-12-09 10:32:48 +01:00
squashfs Squashfs: sanity check symbolic link size 2024-09-12 11:11:39 +02:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-04-27 17:11:41 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 13:07:34 +02:00
tracefs eventfs: Use list_del_rcu() for SRCU protected list variable 2024-09-12 11:11:27 +02:00
ubifs Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" 2024-10-10 11:58:09 +02:00
udf udf: fix uninit-value use in udf_get_fileshortad 2024-11-01 01:58:28 +01:00
ufs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
unicode unicode: Fix utf8_load() error path 2024-12-09 10:32:12 +01:00
vboxsf vboxsf: explicitly deny setlease attempts 2024-05-17 12:02:13 +02:00
verity fsverity: use register_sysctl_init() to avoid kmemleak warning 2024-06-16 13:47:33 +02:00
xfs xfs: add bounds checking to xlog_recover_process_data 2024-12-09 10:32:39 +01:00
zonefs zonefs: Improve error handling 2024-02-23 09:25:13 +01:00
Kconfig for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
Kconfig.binfmt riscv: support the elf-fdpic binfmt loader 2023-08-23 14:17:43 -07:00
Makefile fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-03 15:28:44 +02:00
anon_inodes.c
attr.c v6.6-vfs.misc 2023-08-28 10:17:14 -07:00
bad_inode.c fs: drop the timespec64 argument from update_time 2023-08-11 09:04:57 +02:00
binfmt_elf.c ELF: fix kernel.randomize_va_space double read 2024-09-12 11:11:29 +02:00
binfmt_elf_fdpic.c fs: binfmt_elf_efpic: don't use missing interpreter's properties 2024-08-29 17:33:33 +02:00
binfmt_elf_test.c
binfmt_flat.c binfmt_flat: Fix corruption when not offsetting data start 2024-08-19 06:04:30 +02:00
binfmt_misc.c binfmt_misc: cleanup on filesystem umount 2024-08-29 17:33:27 +02:00
binfmt_script.c
buffer.c ext4: sanity check for NULL pointer after ext4_force_shutdown 2024-08-19 06:04:29 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c v6.5/vfs.misc 2023-06-26 09:50:21 -07:00
d_path.c
dax.c fsdax: dax_unshare_iter needs to copy entire blocks 2024-11-08 16:28:19 +01:00
dcache.c fs: better handle deep ancestor chains in is_subdir() 2024-07-25 09:50:54 +02:00
direct-io.c - Yosry Ahmed brought back some cgroup v1 stats in OOM logs. 2023-06-28 10:28:11 -07:00
drop_caches.c fs: drop_caches: draining pages before dropping caches 2023-08-18 10:12:11 -07:00
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-07-11 11:41:34 +02:00
eventpoll.c epoll: be better about file lifetimes 2024-06-12 11:11:30 +02:00
exec.c exec: don't WARN for racy path_noexec check 2024-11-01 01:58:27 +01:00
fcntl.c fs: Fix file_set_fowner LSM hook inconsistencies 2024-10-04 16:29:56 +02:00
fhandle.c fs: Annotate struct file_handle with __counted_by() and use struct_size() 2024-08-19 06:04:28 +02:00
file.c close_range(): fix the logics in descriptor table trimming 2024-10-10 11:58:00 +02:00
file_table.c fs: use __fput_sync in close(2) 2023-08-08 19:36:51 +02:00
filesystems.c
fs-writeback.c fs/writeback: bail out if there is no more inodes for IO and queued once 2024-06-27 13:49:00 +02:00
fs_context.c fs: factor out vfs_parse_monolithic_sep() helper 2023-10-12 18:53:36 +03:00
fs_parser.c
fs_pin.c
fs_struct.c kill do_each_thread() 2023-08-21 13:46:25 -07:00
fs_types.c
fsopen.c fs: add FSCONFIG_CMD_CREATE_EXCL 2023-08-14 18:48:02 +02:00
init.c
inode.c fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name 2024-12-09 10:31:41 +01:00
internal.h for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-01-31 16:18:54 -08:00
kernel_read_file.c fs: Fix kernel-doc warnings 2023-08-19 12:12:12 +02:00
libfs.c fs: new accessor methods for atime and mtime 2024-01-05 15:19:40 +01:00
locks.c filelock: Fix fcntl/close race recovery compat path 2024-07-27 11:34:10 +02:00
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
namespace.c mount: handle OOM on mnt_warn_timestamp_expiry 2024-10-04 16:28:51 +02:00
nsfs.c fs: convert to ctime accessor functions 2023-07-13 10:28:04 +02:00
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-11-01 01:58:32 +01:00
pipe.c fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() 2024-04-10 16:35:57 +02:00
pnode.c
pnode.h
posix_acl.c fs: convert to ctime accessor functions 2023-07-13 10:28:04 +02:00
proc_namespace.c
read_write.c fs: Fix one kernel-doc comment 2023-08-15 08:32:45 +02:00
readdir.c vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
remap_range.c
select.c fs/select: rework stack allocation hack for clang 2024-03-26 18:19:17 -04:00
seq_file.c
signalfd.c
splice.c - Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list") 2023-08-29 14:25:26 -07:00
stack.c fs: convert to ctime accessor functions 2023-07-13 10:28:04 +02:00
stat.c fs: Pass AT_GETATTR_NOSEC flag to getattr interface function 2023-12-03 07:33:03 +01:00
statfs.c
super.c fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Fix userfaultfd_api to return EINVAL as expected 2024-07-18 13:21:22 +02:00
utimes.c
xattr.c vfs: Fix potential circular locking through setxattr() and removexattr() 2024-09-12 11:11:38 +02:00