| Message ID | 20230110205520.4425-1-pc@cjr.nz (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | cifs: fix double free on failed kerberos auth | expand |
merged into cifs-2.6.git for-next pending testing Xioli, Let me know if you want me to add your reported-by and/or tested-by On Tue, Jan 10, 2023 at 2:55 PM Paulo Alcantara <pc@cjr.nz> wrote: > > If session setup failed with kerberos auth, we ended up freeing > cifs_ses::auth_key.response twice in SMB2_auth_kerberos() and > sesInfoFree(). > > Fix this by zeroing out cifs_ses::auth_key.response after freeing it > in SMB2_auth_kerberos(). > > Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data") > Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> > Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> > --- > fs/cifs/smb2pdu.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 2c484d47c592..727f16b426be 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -1482,8 +1482,11 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data) > out_put_spnego_key: > key_invalidate(spnego_key); > key_put(spnego_key); > - if (rc) > + if (rc) { > kfree_sensitive(ses->auth_key.response); > + ses->auth_key.response = NULL; > + ses->auth_key.len = 0; > + } > out: > sess_data->result = rc; > sess_data->func = NULL; > -- > 2.39.0 >
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 2c484d47c592..727f16b426be 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1482,8 +1482,11 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data) out_put_spnego_key: key_invalidate(spnego_key); key_put(spnego_key); - if (rc) + if (rc) { kfree_sensitive(ses->auth_key.response); + ses->auth_key.response = NULL; + ses->auth_key.len = 0; + } out: sess_data->result = rc; sess_data->func = NULL;
If session setup failed with kerberos auth, we ended up freeing cifs_ses::auth_key.response twice in SMB2_auth_kerberos() and sesInfoFree(). Fix this by zeroing out cifs_ses::auth_key.response after freeing it in SMB2_auth_kerberos(). Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data") Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> --- fs/cifs/smb2pdu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)