From patchwork Wed Mar 1 00:05:19 2017
X-Patchwork-Submitter: Pavel Shilovskiy
X-Patchwork-Id: 9597307
From: Pavel Shilovsky
To: linux-cifs@vger.kernel.org
CC: Steve French, Pavel Shilovsky
Subject: [PATCH] CIFS: Fix possible use after free in demultiplex thread
Date: Tue, 28 Feb 2017 16:05:19 -0800
Message-ID: <1488326719-25303-1-git-send-email-pshilov@microsoft.com>
X-Mailing-List: linux-cifs@vger.kernel.org
The recent changes that added SMB3 encryption support introduced a possible use after free in the demultiplex thread. When we process an encrypted packet we obtain a pointer to SMB session but do not obtain a reference. This can possibly lead to a situation when this session was freed before we copy a decryption key from there. Fix this by obtaining a copy of the key rather than a pointer to the session under a spinlock.

Signed-off-by: Pavel Shilovsky
---
 fs/cifs/smb2ops.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index a44b4db..d2cdd9c 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1609,6 +1609,26 @@ static void cifs_crypt_complete(struct crypto_async_request *req, int err) complete(&res->completion); } +static int +smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) +{ + struct cifs_ses *ses; + u8 *ses_enc_key; + + spin_lock(&cifs_tcp_ses_lock); + list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + if (ses->Suid != ses_id) + continue; + ses_enc_key = enc ? ses->smb3encryptionkey : + ses->smb3decryptionkey; + memcpy(key, ses_enc_key, SMB3_SIGN_KEY_SIZE); + spin_unlock(&cifs_tcp_ses_lock); + return 0; + } + spin_unlock(&cifs_tcp_ses_lock); + + return 1; +} /* * Encrypt or decrypt @rqst message. @rqst has the following format: * iov[0] - transform header (associate data), @@ -1622,10 +1642,10 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc) struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)rqst->rq_iov[0].iov_base; unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24; - struct cifs_ses *ses; int rc = 0; struct scatterlist *sg; u8 sign[SMB2_SIGNATURE_SIZE] = {}; + u8 key[SMB3_SIGN_KEY_SIZE]; struct aead_request *req; char *iv; unsigned int iv_len;
@@ -1635,9 +1655,10 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc) init_completion(&result.completion); - ses = smb2_find_smb_ses(server, tr_hdr->SessionId); - if (!ses) { - cifs_dbg(VFS, "%s: Could not find session\n", __func__); + rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key); + if (rc) { + cifs_dbg(VFS, "%s: Could not get %scryption key\n", __func__, + enc ? "en" : "de"); return 0; } @@ -1649,8 +1670,7 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc) tfm = enc ? server->secmech.ccmaesencrypt : server->secmech.ccmaesdecrypt; - rc = crypto_aead_setkey(tfm, enc ? ses->smb3encryptionkey : - ses->smb3decryptionkey, SMB3_SIGN_KEY_SIZE); + rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE); if (rc) { cifs_dbg(VFS, "%s: Failed to set aead key %d\n", __func__, rc); return rc;
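Review bot: in the @@ -1609 hunk, smb2_get_enc_key() returns 1 when no session matches ses_id, where kernel convention is a negative errno such as -ENOENT; the caller only tests `if (rc)`, so nothing breaks, but an errno would make the failure reportable and the helper reusable. The copy is taken under cifs_tcp_ses_lock, so the fix is only complete if every path that frees a cifs_ses unlinks it from server->smb_ses_list under that same lock first; that invariant is what makes the key copy safe and deserves a sentence in the commit message. Style: the new function runs straight into the `/* * Encrypt or decrypt @rqst message.` comment with no blank line after its closing `+}`.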
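Review bot: in the @@ -1635 hunk, the error path after `rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key);` still ends with `return 0;`, so crypt_message() reports success to its caller even though no key was found and the message was neither encrypted nor decrypted. Now that rc carries the lookup result, consider returning an error (for example -ENOENT) at that point so the caller sees the failure rather than continuing with an untransformed buffer.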
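Review bot: in the @@ -1649 hunk, `u8 key[SMB3_SIGN_KEY_SIZE]` is a stack copy of session key material that is not needed once `rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE);` returns; clearing it with memzero_explicit(key, sizeof(key)) right after setkey, on both the success and the failure path, limits how long the plaintext key lingers on the kernel stack where a later stack leak or crash dump could expose it.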