smb: client: fix use-after-free of signing key - kernel/linux.git

diff options

author	Paulo Alcantara <pc@manguebit.com>	2024-11-11 16:40:55 +0300
committer	Steve French <stfrench@microsoft.com>	2024-11-18 07:20:54 +0300
commit	343d7fe6df9e247671440a932b6a73af4fa86d95 (patch)
tree	0d13f8ea5f9cbff927248e1b523bbf36b50883a7 /tools/perf/scripts/python/gecko.py
parent	7460bf441656cebc2636189ab9ba9a65a0a8ab86 (diff)
download	linux-343d7fe6df9e247671440a932b6a73af4fa86d95.tar.xz

smb: client: fix use-after-free of signing key

Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. Cc: stable@vger.kernel.org Reported-by: Jay Shin <jaeshin@redhat.com> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'tools/perf/scripts/python/gecko.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: