This is a note to let you know that I've just added the patch titled
cifs: fix double-fault crash during ntlmssp
to the 6.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cifs-fix-double-fault-crash-during-ntlmssp.patch
and it can be found in the queue-6.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From b854b4ee66437e6e1622fda90529c814978cb4ca Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@xxxxxx>
Date: Fri, 14 Oct 2022 17:14:54 -0300
Subject: cifs: fix double-fault crash during ntlmssp
From: Paulo Alcantara <pc@xxxxxx>
commit b854b4ee66437e6e1622fda90529c814978cb4ca upstream.
The crash occurred because we were calling memzero_explicit() on an
already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer().
Fix this by not calling memzero_explicit() on sess_data::iov[1] as
it's already by handled by callers.
Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
Reviewed-by: Enzo Matsumiya <ematsumiya@xxxxxxx>
Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/cifs/sess.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -1214,16 +1214,18 @@ out_free_smb_buf:
static void
sess_free_buffer(struct sess_data *sess_data)
{
- int i;
+ struct kvec *iov = sess_data->iov;
- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
- for (i = 0; i < 3; i++)
- if (sess_data->iov[i].iov_base)
- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+ /*
+ * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
+ * Note that iov[1] is already freed by caller.
+ */
+ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
+ memzero_explicit(iov[0].iov_base, iov[0].iov_len);
- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
sess_data->buf0_type = CIFS_NO_BUFFER;
- kfree(sess_data->iov[2].iov_base);
+ kfree_sensitive(iov[2].iov_base);
}
static int
Patches currently in stable-queue which might be from pc@xxxxxx are
queue-6.0/cifs-replace-kfree-with-kfree_sensitive-for-sensitiv.patch
queue-6.0/cifs-fix-double-fault-crash-during-ntlmssp.patch
queue-6.0/cifs-fix-use-after-free-on-the-link-name.patch
queue-6.0/cifs-fix-memory-leaks-in-session-setup.patch
queue-6.0/cifs-fix-oops-during-encryption.patch
queue-6.0/cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch
queue-6.0/cifs-improve-symlink-handling-for-smb2.patch
