This is a note to let you know that I've just added the patch titled
cifs: Fix preauth hash corruption
to the 4.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cifs-fix-preauth-hash-corruption.patch
and it can be found in the queue-4.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 05946d4b7a7349ae58bfa2d51ae832e64a394c2d Mon Sep 17 00:00:00 2001
From: Vincent Whitchurch <vincent.whitchurch@xxxxxxxx>
Date: Wed, 10 Mar 2021 13:20:40 +0100
Subject: cifs: Fix preauth hash corruption
From: Vincent Whitchurch <vincent.whitchurch@xxxxxxxx>
commit 05946d4b7a7349ae58bfa2d51ae832e64a394c2d upstream.
smb311_update_preauth_hash() uses the shash in server->secmech without
appropriate locking, and this can lead to sessions corrupting each
other's preauth hashes.
The following script can easily trigger the problem:
#!/bin/sh -e
NMOUNTS=10
for i in $(seq $NMOUNTS);
mkdir -p /tmp/mnt$i
umount /tmp/mnt$i 2>/dev/null || :
done
while :; do
for i in $(seq $NMOUNTS); do
mount -t cifs //192.168.0.1/test /tmp/mnt$i -o ... &
done
wait
for i in $(seq $NMOUNTS); do
umount /tmp/mnt$i
done
done
Usually within seconds this leads to one or more of the mounts failing
with the following errors, and a "Bad SMB2 signature for message" is
seen in the server logs:
CIFS: VFS: \\192.168.0.1 failed to connect to IPC (rc=-13)
CIFS: VFS: cifs_mount failed w/return code = -13
Fix it by holding the server mutex just like in the other places where
the shashes are used.
Fixes: 8bd68c6e47abff34e4 ("CIFS: implement v3.11 preauth integrity")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@xxxxxxxx>
CC: <stable@xxxxxxxxxxxxxxx>
Reviewed-by: Aurelien Aptel <aaptel@xxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
[aaptel: backport to kernel without CIFS_SESS_OP and multichannel]
Signed-off-by: Aurelien Aptel <aaptel@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/cifs/transport.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -891,9 +891,12 @@ compound_send_recv(const unsigned int xi
/*
* Compounding is never used during session establish.
*/
- if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP))
+ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) {
+ mutex_lock(&ses->server->srv_mutex);
smb311_update_preauth_hash(ses, rqst[0].rq_iov,
rqst[0].rq_nvec);
+ mutex_unlock(&ses->server->srv_mutex);
+ }
if (timeout == CIFS_ASYNC_OP)
goto out;
@@ -964,7 +967,9 @@ compound_send_recv(const unsigned int xi
.iov_base = resp_iov[0].iov_base,
.iov_len = resp_iov[0].iov_len
};
+ mutex_lock(&ses->server->srv_mutex);
smb311_update_preauth_hash(ses, &iov, 1);
+ mutex_unlock(&ses->server->srv_mutex);
}
out:
Patches currently in stable-queue which might be from vincent.whitchurch@xxxxxxxx are
queue-4.19/cifs-fix-preauth-hash-corruption.patch
