Skip to content

Commit dbf2159

Browse files
ematsumiyavijay-suman
ematsumiya
authored and
vijay-suman
committed
smb: client: fix UAF in async decryption
commit b0abcd6 upstream. Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. Signed-off-by: Enzo Matsumiya <[email protected]> Signed-off-by: Steve French <[email protected]> [In linux-5.15, dec and enc fields are named ccmaesdecrypt and ccmaesencrypt.] Signed-off-by: Jianqi Ren <[email protected]> Signed-off-by: He Zhe <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> (cherry picked from commit ef51c0d544b1518b35364480317ab6d3468f205d) Signed-off-by: Vijayendra Suman <[email protected]>
1 parent 05e641b commit dbf2159

File tree

2 files changed

+34
-20
lines changed

2 files changed

+34
-20
lines changed

fs/cifs/smb2ops.c

Lines changed: 28 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -4541,7 +4541,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key)
45414541
*/
45424542
static int
45434543
crypt_message(struct TCP_Server_Info *server, int num_rqst,
4544-
struct smb_rqst *rqst, int enc)
4544+
struct smb_rqst *rqst, int enc, struct crypto_aead *tfm)
45454545
{
45464546
struct smb2_transform_hdr *tr_hdr =
45474547
(struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base;
@@ -4552,8 +4552,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
45524552
u8 key[SMB3_ENC_DEC_KEY_SIZE];
45534553
struct aead_request *req;
45544554
u8 *iv;
4555-
DECLARE_CRYPTO_WAIT(wait);
4556-
struct crypto_aead *tfm;
45574555
unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
45584556
void *creq;
45594557

@@ -4564,15 +4562,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
45644562
return rc;
45654563
}
45664564

4567-
rc = smb3_crypto_aead_allocate(server);
4568-
if (rc) {
4569-
cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__);
4570-
return rc;
4571-
}
4572-
4573-
tfm = enc ? server->secmech.ccmaesencrypt :
4574-
server->secmech.ccmaesdecrypt;
4575-
45764565
if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
45774566
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
45784567
rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);
@@ -4611,11 +4600,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
46114600
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
46124601
aead_request_set_ad(req, assoc_data_len);
46134602

4614-
aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4615-
crypto_req_done, &wait);
4616-
4617-
rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
4618-
: crypto_aead_decrypt(req), &wait);
4603+
rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
46194604

46204605
if (!rc && enc)
46214606
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
@@ -4704,7 +4689,7 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, int num_rqst,
47044689
/* fill the 1st iov with a transform header */
47054690
fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type);
47064691

4707-
rc = crypt_message(server, num_rqst, new_rq, 1);
4692+
rc = crypt_message(server, num_rqst, new_rq, 1, server->secmech.ccmaesencrypt);
47084693
cifs_dbg(FYI, "Encrypt message returned %d\n", rc);
47094694
if (rc)
47104695
goto err_free;
@@ -4730,8 +4715,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf,
47304715
unsigned int npages, unsigned int page_data_size,
47314716
bool is_offloaded)
47324717
{
4733-
struct kvec iov[2];
4718+
struct crypto_aead *tfm;
47344719
struct smb_rqst rqst = {NULL};
4720+
struct kvec iov[2];
47354721
int rc;
47364722

47374723
iov[0].iov_base = buf;
@@ -4746,9 +4732,31 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf,
47464732
rqst.rq_pagesz = PAGE_SIZE;
47474733
rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE;
47484734

4749-
rc = crypt_message(server, 1, &rqst, 0);
4735+
if (is_offloaded) {
4736+
if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
4737+
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
4738+
tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
4739+
else
4740+
tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
4741+
if (IS_ERR(tfm)) {
4742+
rc = PTR_ERR(tfm);
4743+
cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc);
4744+
4745+
return rc;
4746+
}
4747+
} else {
4748+
if (unlikely(!server->secmech.ccmaesdecrypt))
4749+
return -EIO;
4750+
4751+
tfm = server->secmech.ccmaesdecrypt;
4752+
}
4753+
4754+
rc = crypt_message(server, 1, &rqst, 0, tfm);
47504755
cifs_dbg(FYI, "Decrypt message returned %d\n", rc);
47514756

4757+
if (is_offloaded)
4758+
crypto_free_aead(tfm);
4759+
47524760
if (rc)
47534761
return rc;
47544762

fs/cifs/smb2pdu.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1063,6 +1063,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
10631063
else
10641064
cifs_server_dbg(VFS, "Missing expected negotiate contexts\n");
10651065
}
1066+
1067+
if (server->cipher_type && !rc) {
1068+
rc = smb3_crypto_aead_allocate(server);
1069+
if (rc)
1070+
cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc);
1071+
}
10661072
neg_exit:
10671073
free_rsp_buf(resp_buftype, rsp);
10681074
return rc;

0 commit comments

Comments
 (0)