diff options
author | Paulo Alcantara <pc@cjr.nz> | 2022-10-14 23:14:54 +0300 |
---|---|---|
committer | Steve French <stfrench@microsoft.com> | 2022-10-15 18:04:38 +0300 |
commit | b854b4ee66437e6e1622fda90529c814978cb4ca (patch) | |
tree | 478979757303c662c91b32695d38c8d5be5686cc | |
parent | a9e17d3d74d14e5fd10d54f0a07e0fce4e5f80dd (diff) | |
download | linux-b854b4ee66437e6e1622fda90529c814978cb4ca.tar.xz |
cifs: fix double-fault crash during ntlmssp
The crash occurred because we were calling memzero_explicit() on an
already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer().
Fix this by not calling memzero_explicit() on sess_data::iov[1] as
it's already by handled by callers.
Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
-rw-r--r-- | fs/cifs/sess.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index c9edec7081de..0435d1dfa9e1 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -1208,16 +1208,18 @@ out_free_smb_buf: static void sess_free_buffer(struct sess_data *sess_data) { - int i; + struct kvec *iov = sess_data->iov; - /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */ - for (i = 0; i < 3; i++) - if (sess_data->iov[i].iov_base) - memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len); + /* + * Zero the session data before freeing, as it might contain sensitive info (keys, etc). + * Note that iov[1] is already freed by caller. + */ + if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) + memzero_explicit(iov[0].iov_base, iov[0].iov_len); - free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); + free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); sess_data->buf0_type = CIFS_NO_BUFFER; - kfree(sess_data->iov[2].iov_base); + kfree_sensitive(iov[2].iov_base); } static int |