Message ID | 20221019142537.23718-1-pc@cjr.nz (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | cifs: fix memory leaks in session setup | expand |
Is this a cc:stable? or Fixes: tag? On Wed, Oct 19, 2022 at 9:24 AM Paulo Alcantara <pc@cjr.nz> wrote: > > We were only zeroing out the ntlmssp blob but forgot to free the > allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate() > and SMB2_sess_auth_rawntlmssp_authenticate() functions. > > This fixes below kmemleak reports: > > unreferenced object 0xffff88800ddcfc60 (size 96): > comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<00000000d0beeb29>] __kmalloc+0x39/0xa0 > [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs] > [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs] > [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] > [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] > [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] > [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] > [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] > [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] > [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] > [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] > [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 > [<000000003a8561de>] path_mount+0x2d3/0xb50 > [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 > [<00000000142142f3>] do_syscall_64+0x3b/0x90 > [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd > unreferenced object 0xffff88801437f000 (size 512): > comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<00000000d0beeb29>] __kmalloc+0x39/0xa0 > [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs] > [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs] > [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] > [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] > [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] > [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] > [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] > [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] > [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] > [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] > [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 > [<000000003a8561de>] path_mount+0x2d3/0xb50 > [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 > [<00000000142142f3>] do_syscall_64+0x3b/0x90 > [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> > --- > fs/cifs/smb2pdu.c | 15 +++++++-------- > 1 file changed, 7 insertions(+), 8 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index c930b63bc422..a5695748a89b 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -1341,14 +1341,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data) > static void > SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data) > { > - int i; > + struct kvec *iov = sess_data->iov; > > - /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */ > - for (i = 0; i < 2; i++) > - if (sess_data->iov[i].iov_base) > - memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len); > + /* iov[1] is already freed by caller */ > + if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) > + memzero_explicit(iov[0].iov_base, iov[0].iov_len); > > - free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); > + free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); > sess_data->buf0_type = CIFS_NO_BUFFER; > } > > @@ -1578,7 +1577,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data) > } > > out: > - memzero_explicit(ntlmssp_blob, blob_length); > + kfree_sensitive(ntlmssp_blob); > SMB2_sess_free_buffer(sess_data); > if (!rc) { > sess_data->result = 0; > @@ -1662,7 +1661,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data) > } > #endif > out: > - memzero_explicit(ntlmssp_blob, blob_length); > + kfree_sensitive(ntlmssp_blob); > SMB2_sess_free_buffer(sess_data); > kfree_sensitive(ses->ntlmssp); > ses->ntlmssp = NULL; > -- > 2.38.0 >
Steve French <smfrench@gmail.com> writes:
> Is this a cc:stable? or Fixes: tag?
Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index c930b63bc422..a5695748a89b 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1341,14 +1341,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data) static void SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data) { - int i; + struct kvec *iov = sess_data->iov; - /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */ - for (i = 0; i < 2; i++) - if (sess_data->iov[i].iov_base) - memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len); + /* iov[1] is already freed by caller */ + if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) + memzero_explicit(iov[0].iov_base, iov[0].iov_len); - free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); + free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); sess_data->buf0_type = CIFS_NO_BUFFER; } @@ -1578,7 +1577,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data) } out: - memzero_explicit(ntlmssp_blob, blob_length); + kfree_sensitive(ntlmssp_blob); SMB2_sess_free_buffer(sess_data); if (!rc) { sess_data->result = 0; @@ -1662,7 +1661,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data) } #endif out: - memzero_explicit(ntlmssp_blob, blob_length); + kfree_sensitive(ntlmssp_blob); SMB2_sess_free_buffer(sess_data); kfree_sensitive(ses->ntlmssp); ses->ntlmssp = NULL;
We were only zeroing out the ntlmssp blob but forgot to free the allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate() and SMB2_sess_auth_rawntlmssp_authenticate() functions. This fixes below kmemleak reports: unreferenced object 0xffff88800ddcfc60 (size 96): comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d0beeb29>] __kmalloc+0x39/0xa0 [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs] [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs] [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 [<000000003a8561de>] path_mount+0x2d3/0xb50 [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 [<00000000142142f3>] do_syscall_64+0x3b/0x90 [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd unreferenced object 0xffff88801437f000 (size 512): comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d0beeb29>] __kmalloc+0x39/0xa0 [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs] [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs] [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 [<000000003a8561de>] path_mount+0x2d3/0xb50 [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 [<00000000142142f3>] do_syscall_64+0x3b/0x90 [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> --- fs/cifs/smb2pdu.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-)