• Rabin Vincent's avatar
    cifs: fix crash due to race in hmac(md5) handling · eeeec288
    Rabin Vincent authored
    [ Upstream commit bd975d1e ]
    
    The secmech hmac(md5) structures are present in the TCP_Server_Info
    struct and can be shared among multiple CIFS sessions.  However, the
    server mutex is not currently held when these structures are allocated
    and used, which can lead to a kernel crashes, as in the scenario below:
    
    mount.cifs(8) #1				mount.cifs(8) #2
    
    Is secmech.sdeschmaccmd5 allocated?
    // false
    
    						Is secmech.sdeschmaccmd5 allocated?
    						// false
    
    secmech.hmacmd = crypto_alloc_shash..
    secmech.sdeschmaccmd5 = kzalloc..
    sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
    
    						secmech.sdeschmaccmd5 = kzalloc
    						// sdeschmaccmd5->shash.tfm
    						// not yet assigned
    
    crypto_shash_update()
     deref NULL sdeschmaccmd5->shash.tfm
    
     Unable to handle kernel paging request at virtual address 00000030
     epc   : 8027ba34 crypto_shash_update+0x38/0x158
     ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
     Call Trace:
      crypto_shash_update+0x38/0x158
      setup_ntlmv2_rsp+0x4bc/0xa84
      build_ntlmssp_auth_blob+0xbc/0x34c
      sess_auth_rawntlmssp_authenticate+0xac/0x248
      CIFS_SessSetup+0xf0/0x178
      cifs_setup_session+0x4c/0x84
      cifs_get_smb_ses+0x2c8/0x314
      cifs_mount+0x38c/0x76c
      cifs_do_mount+0x98/0x440
      mount_fs+0x20/0xc0
      vfs_kern_mount+0x58/0x138
      do_mount+0x1e8/0xccc
      SyS_mount+0x88/0xd4
      syscall_common+0x30/0x54
    
    Fix this by locking the srv_mutex around the code which uses these
    hmac(md5) structures.  All the other secmech algos already have similar
    locking.
    
    Fixes: 95dc8dd1 ("Limit allocation of crypto mechanisms to dialect which requires")
    Signed-off-by: default avatarRabin Vincent <rabinv@axis.com>
    Acked-by: default avatarSachin Prabhu <sprabhu@redhat.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: default avatarSteve French <smfrench@gmail.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    eeeec288
cifsencrypt.c 23.6 KB