Received: by 10.223.176.5 with SMTP id f5csp910689wra; Sat, 27 Jan 2018 12:10:15 -0800 (PST) X-Google-Smtp-Source: AH8x224U0Ps1eEEH/igV1p427vJN6Z0D2bFansYmH2T+8fRPJopMr8bMkRcy2vcPnc1S11VmVSNb X-Received: by 10.99.114.23 with SMTP id n23mr18186343pgc.407.1517083815709; Sat, 27 Jan 2018 12:10:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517083815; cv=none; d=google.com; s=arc-20160816; b=HV5aVIBKyikbxKM7OAnQKpBp6HdiSbPMF6z6JCEYXzUygfbJ8/HqzJT0fYYQ81q4vI tCLaj+yFbSppOU7e5z3Lgx+QhWXzTlsce6F7rS4/NB5YOinr+Zv9KcoWezryq/dGVOmr ydQTeUb5Q2b9vcxBPgryi/aVGpyrWIGq0PY6EQxXo8FBbyxFrq4UrA33l0w5d6pfPrAT bvOvuDFHP49GDrau77MfafTQUqjVDnwY2yJ9i/EbAp1vfg/ysgcLoq5MI+q/Sc75JmHE rhlJwMdmrChh37P1i3s+Xu+ig1JxzD1VrvLes6ctnIMNBHpl71ZMoEeO2bgJKEGw8kxV Dbow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=aIV9Yi734CtSdX7IblYzkycW466Dz1H+/AwImfhzWSA=; b=yRUleVq7QMqSDDz5x/cs+T9Y3hzAO+v683aYnBjsvG1st9SQKYMUHdn/1mHJK4QCw9 1rmZDUufoEa47EFpWGfYFxCE83gKtczBB6wzdQRF23/hpsdOrXeeTsE/zLBuvv7rXfwc XYOFJS9qTW84Di0XzRwGDAfb6+blPLRxdM/iRnYjxeKDiEcQYygT/3Wi3JAiFtQXqoiK iZVGqFzo03AC1XbB9XfktbLAAuJQg8WCCycxmmccoa3FolXJSWBTmrG27Es/m+Vaeqpb YDfbY3mrAp7umfq1XpZtcKPNnOmhOg8LDmy3P8hULiaRCE31uoI21cJ/W8wZvJGmAS2F h2Sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernelim-com.20150623.gappssmtp.com header.s=20150623 header.b=irIBIBs9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c9si201384pgp.284.2018.01.27.12.09.55; Sat, 27 Jan 2018 12:10:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernelim-com.20150623.gappssmtp.com header.s=20150623 header.b=irIBIBs9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752618AbeA0UJ1 (ORCPT + 99 others); Sat, 27 Jan 2018 15:09:27 -0500 Received: from mail-wr0-f172.google.com ([209.85.128.172]:37177 "EHLO mail-wr0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752248AbeA0UJY (ORCPT ); Sat, 27 Jan 2018 15:09:24 -0500 Received: by mail-wr0-f172.google.com with SMTP id f11so3284275wre.4 for ; Sat, 27 Jan 2018 12:09:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernelim-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=aIV9Yi734CtSdX7IblYzkycW466Dz1H+/AwImfhzWSA=; b=irIBIBs91Hppgd4SzaKIpK3WnKOsKZ9+L3SRYjR0sC1x5n1C3G0n+WLPgjDeizXAen NqmcKjYN7hHdgPv2DRZQgTuC2Csb16S6kMHkLefypnchrtfztXGhQRYg7jMEM7k2Wucw FItRY1fRsY6CnZZ5P18UY4l5BjXrrOI38+3KGze/hA+09fVvunCC3C/91jBmzdR6BhJ1 29D3ijjyM/0JRfbOn73icyxefGS+0nb6IUZQC8Q4l3wk2QpxPkenbQIjxpnM14qA3VOq wJKtYvr0OsXloThS01MEY05zcbCFI2dyn7IxDWs/ft5oBXGVcthV4Yn79nvzvpI88j3U vjFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=aIV9Yi734CtSdX7IblYzkycW466Dz1H+/AwImfhzWSA=; b=GyE1XstTScs0vwVWXLc/u1xh+aEkwV8Kff4n2ZBjz9mLR0ovHQV6F8NVimP+DbhUse kyo6WGZgLcl5iiZdb84tucHTMJ/HGUZ4UAEnhBjXVxG55XZSHPGZTJurVER03RjLc48i lAEodw+R1E4Xe1IilPBmTlHdnm/PZKCn5xk7JzJ834BTOjAYsC6m47qHI9rNYb+g6Kqv 7z/tuttHT3xLoqNC92otTvI/XhmaCgteKqjm6PLuGAEejYq7UG+ktZqHkuG3gIYLt1/m 7NTO/fcNmrBzqRvuFmdlNYgNyvxAFRK4e5eFOODeOUQKApJrLl8hvnjU5fggAgegmArq 5zhQ== X-Gm-Message-State: AKwxytd7VnbKloCxo4qyZ24bSS/I7OSGucviMwbjieVWodtMP08ETHcI J0vOi57/WwEki+a8T3JlUPHOAsOw X-Received: by 10.223.154.134 with SMTP id a6mr7752413wrc.246.1517083763016; Sat, 27 Jan 2018 12:09:23 -0800 (PST) Received: from jupiter.home.aloni.org ([176.231.0.193]) by smtp.gmail.com with ESMTPSA id y64sm4866196wmg.35.2018.01.27.12.09.21 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 27 Jan 2018 12:09:22 -0800 (PST) From: Dan Aloni To: linux-kernel@vger.kernel.org Cc: Steve French , stable@vger.kernel.org, linux-cifs@vger.kernel.org Subject: [PATCH stable] cifs: empty TargetInfo leads to crash on recovery Date: Sat, 27 Jan 2018 22:07:41 +0200 Message-Id: <20180127200741.57298-1-dan@kernelim.com> X-Mailer: git-send-email 2.14.3 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org commit cabfb3680f78 upstream. [ resend from Oct 20, 2014, see [1] ] A trivially patched Samba server (see [2] [3]) can cause a remote kernel crash (see [4]) in a client's CIFS kernel module upon session recovery, under kernels prior to v4.11. The server patch can made by a single source line modification - returning an empty TargetInfo in an NTLMSSP setup negotiation response. To reproduce at the client side, the CIFS client can be instructed to mount with SMB 2.0, on a share without user/password credentials, e.g: mount -t cifs //[host]/[share] -o vers=2.0,guest [mountpoint] (It may also reproduce with credentials, but I used a simpler configuration for the reproduction) An demo patch to Samba 4.7.4 is provided in the links provided. As for the client crash itself: When the session is recovered (after a server start/stop, for example), the following condition turns out to be true: ses->auth_key.len != 0 && ses->auth_key.response == NULL This will cause the following memcpy() in setup_ntlmv2_rsp() to GPF, because tiblob == NULL and tilen != 0 (these are the old auth_key values): memcpy(ses->auth_key.response + baselen, tiblob, tilen); By bisecting, upstream commit cabfb3680f78 ("CIFS: Enable encryption during session setup phase") from v4.11 have fixed this issue. According to my tests, LTS kernels versions 4.4.x and 4.9.x are affected. The patch below applies for 4.4.x however a similar patch can be applied to 4.9.x and older kernels. Signed-off-by: Dan Aloni CC: Steve French CC: stable@vger.kernel.org # 4.4.x CC: linux-cifs@vger.kernel.org CC: linux-kernel@vger.kernel.org [1] https://patchwork.kernel.org/patch/5106391/ [2] (temporary url) http://copr-dist-git.fedorainfracloud.org/cgit/alonid/samba-for-client-crash-repro/samba.git/tree/0001-Patch.patch?id=43229c84abe008bfc11aa86f5bacb03a1e54f88c [3] (temporary url) https://copr.fedorainfracloud.org/coprs/alonid/samba-for-client-crash-repro/ [4] [ 3414.518134] BUG: unable to handle kernel NULL pointer dereference at (null) [ 3414.518200] IP: memcpy_erms+0x6/0x10 [ 3414.518227] PGD 0 [ 3414.518252] Oops: 0000 [#1] SMP [ 3414.518272] Modules linked in: arc4 md4 cifs rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables snd_hda_codec_generic ppdev snd_hda_intel snd_hda_codec crct10dif_pclmul crc32_pclmul snd_hwdep snd_hda_core ghash_clmulni_intel snd_seq snd_seq_device snd_pcm joydev parport_pc tpm_tis parport tpm_tis_core tpm snd_timer snd soundcore qemu_fw_cfg virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c [ 3414.518708] virtio_blk virtio_console virtio_net qxl drm_kms_helper ttm crc32c_intel drm ata_generic nvme serio_raw nvme_core virtio_pci virtio_ring virtio pata_acpi [ 3414.518803] CPU: 3 PID: 1697 Comm: kworker/3:1 Not tainted 4.10.0-rc6-dan-00097-ge765a3d89ede #20 [ 3414.518852] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 [ 3414.518927] Workqueue: cifsiod smb2_reconnect_server [cifs] [ 3414.518960] task: ffff8cc6764a4000 task.stack: ffff9bc548808000 [ 3414.518997] RIP: 0010:memcpy_erms+0x6/0x10 [ 3414.519021] RSP: 0018:ffff9bc54880bbc8 EFLAGS: 00010296 [ 3414.519051] RAX: ffff8cc6ba00d8dc RBX: ffff8cc676190400 RCX: 0000000000000010 [ 3414.519091] RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8cc6ba00d8dc [ 3414.519130] RBP: ffff9bc54880bc30 R08: ffff9bc54880bb58 R09: ffff9bc54880bb58 [ 3414.519170] R10: 000000004619520e R11: 00000000f46cd8cf R12: 0000000000000000 [ 3414.519209] R13: 0000000000000000 R14: ffff8cc6ba00d8a0 R15: 0000000000000010 [ 3414.519250] FS: 0000000000000000(0000) GS:ffff8cc6bfd80000(0000) knlGS:0000000000000000 [ 3414.519314] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3414.519347] CR2: 0000000000000000 CR3: 000000007992a000 CR4: 00000000003406e0 [ 3414.519392] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3414.519431] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3414.519470] Call Trace: [ 3414.519510] ? setup_ntlmv2_rsp+0x124/0xa10 [cifs] [ 3414.519553] build_ntlmssp_auth_blob+0x36/0x310 [cifs] [ 3414.519597] SMB2_sess_auth_rawntlmssp_authenticate+0xc7/0x300 [cifs] [ 3414.519646] SMB2_sess_setup+0x9a/0x140 [cifs] [ 3414.519685] cifs_setup_session+0x78/0x100 [cifs] [ 3414.519722] ? cifs_negotiate_protocol+0x84/0xd0 [cifs] [ 3414.519763] smb2_reconnect+0x308/0x3e0 [cifs] [ 3414.519793] ? __internal_add_timer+0x1f/0x60 [ 3414.519831] smb2_reconnect_server+0x187/0x260 [cifs] [ 3414.519863] process_one_work+0x19e/0x440 [ 3414.519887] worker_thread+0x4e/0x4a0 [ 3414.519910] ? process_one_work+0x440/0x440 [ 3414.519936] kthread+0x11e/0x140 [ 3414.520493] ? kthread_park+0x90/0x90 [ 3414.520989] ret_from_fork+0x2c/0x40 [ 3414.521450] Code: 78 ff ff ff 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 [ 3414.522488] RIP: memcpy_erms+0x6/0x10 RSP: ffff9bc54880bbc8 [ 3414.522964] CR2: 0000000000000000 [ 3414.526127] ---[ end trace bbe4aa1e45cc6c17 ]--- --- fs/cifs/smb2pdu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index f2ff60e58ec8..91c9e83df457 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -633,6 +633,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, */ kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; /* * If memory allocation is successful, caller of this function @@ -837,6 +838,7 @@ ssetup_exit: rc = server->ops->generate_signingkey(ses); kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; if (rc) { cifs_dbg(FYI, "SMB3 session key generation failed\n"); @@ -861,6 +863,7 @@ keygen_exit: if (!server->sign) { kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; } if (spnego_key) { key_invalidate(spnego_key); -- 2.14.3