From patchwork Mon Oct 20 15:00:05 2014
X-Patchwork-Submitter: Dan Aloni
X-Patchwork-Id: 5106401
From: Dan Aloni
To: Steve French
Cc: linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [CIFS] fix auth_key cleanup in SMB2_sess_setup() for possible crash
Date: Mon, 20 Oct 2014 18:00:05 +0300
Message-Id: <1413817205-6319-1-git-send-email-dan@kernelim.com>

The ses->auth_key.len field should be zeroed out during error paths, along with the 'response' field.

Rationale: It is possible with a specially crafted SMB2 server to cause the setup to free the key but keep the session. When the session is recovered (after a connection drop, for example), the following condition turns out to be true:

    ses->auth_key.len != 0 && ses->auth_key.response == NULL

This will cause the following memcpy() in setup_ntlmv2_rsp() to GPF, because tiblob == NULL and tilen != 0 (these are the old auth_key values):

    memcpy(ses->auth_key.response + baselen, tiblob, tilen);

As seen here (Fedora 20 kernel build 3.16.3-200.fc20.x86_64):

[985673.540019] BUG: unable to handle kernel NULL pointer dereference at (null)
[985673.540049] IP: [] memcpy+0x6/0x110
[...]
[985673.540957] [] ? setup_ntlmv2_rsp+0x235/0x9d0 [cifs]
[985673.540980] [] ? cifs_small_buf_get+0x1a/0x30 [cifs]
[985673.541003] [] ? small_smb2_init+0x285/0x510 [cifs]
[985673.541025] [] build_ntlmssp_auth_blob+0x91/0x290 [cifs]
[985673.541047] [] SMB2_sess_setup+0x1f0/0x590 [cifs]
[...]

Commit applies to 3.18-rc1 and various preceding stable versions.

Signed-off-by: Dan Aloni
CC: Steve French
CC: linux-cifs@vger.kernel.org
CC: linux-kernel@vger.kernel.org
---
 fs/cifs/smb2pdu.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 8f1672bb82d5..e0304f258533 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -551,6 +551,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, */ kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; /* * If memory allocation is successful, caller of this function @@ -713,6 +714,7 @@ ssetup_exit: rc = server->ops->generate_signingkey(ses); kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; if (rc) { cifs_dbg(FYI, "SMB3 session key generation failed\n"); @@ -737,6 +739,7 @@ keygen_exit: if (!server->sign) { kfree(ses->auth_key.response); ses->auth_key.response = NULL; + ses->auth_key.len = 0; } kfree(ses->ntlmssp);
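Review bot: the first hunk (the pre-allocation cleanup around line 551) is now the third copy of the same kfree()/NULL/len = 0 sequence in SMB2_sess_setup(), together with the ssetup_exit and keygen_exit sites below it; a small static helper that frees ses->auth_key.response and zeroes ses->auth_key.len in one place would stop the two fields from drifting apart again the next time an exit path is added to this function.

Review bot: in the ssetup_exit hunk the key is released right after generate_signingkey() regardless of rc, which is consistent, but the commit message shows that the consumer setup_ntlmv2_rsp() still takes tilen from auth_key.len and copies from auth_key.response without checking for NULL. A bail-out such as `if (ses->auth_key.len && !ses->auth_key.response) return -EINVAL;` ahead of that memcpy() would turn any future recurrence into an error return instead of a NULL-pointer dereference; it belongs in a follow-up since it is outside this file.

Review bot: the keygen_exit hunk adds the len = 0 line without a comment explaining why it matters, and none of the three sites says so; a one-line comment at this site, along the lines of "len is read again on reconnect by setup_ntlmv2_rsp(), so it must be cleared with response", would record the reason the commit message gives and keep the next reader from treating the line as redundant.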
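Added example, not code from this patch or from the cifs module: a user-space C model of the state the commit message describes. The struct names, free_auth_key_stale(), free_auth_key_fixed(), rebuild_response() and simulate_reconnect() are hypothetical stand-ins for the kernel's ses->auth_key handling and for the reuse step in setup_ntlmv2_rsp(); the target-info blob is constructed. The model adds the consistency check the kernel path lacks so that the pre-patch state is reported as an error instead of faulting.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the cifs structures (not the kernel's definitions). */
struct auth_key {
	unsigned char *response;
	unsigned int len;
};

struct session {
	struct auth_key auth_key;
};

/* Pre-patch cleanup: frees the blob and clears the pointer but leaves len stale. */
static void free_auth_key_stale(struct session *ses)
{
	free(ses->auth_key.response);
	ses->auth_key.response = NULL;
}

/* Patched cleanup: both fields are cleared together. */
static void free_auth_key_fixed(struct session *ses)
{
	free(ses->auth_key.response);
	ses->auth_key.response = NULL;
	ses->auth_key.len = 0;
}

/* Installs a server-supplied target-info blob as the session key. */
static int set_auth_key(struct session *ses, const unsigned char *blob, unsigned int len)
{
	unsigned char *copy = malloc(len);
	if (!copy)
		return -1;
	memcpy(copy, blob, len);
	free(ses->auth_key.response);
	ses->auth_key.response = copy;
	ses->auth_key.len = len;
	return 0;
}

/* Models the reuse step from the commit message: on reconnect the old blob
 * (tiblob/tilen, read from ses->auth_key) is appended after baselen bytes of a
 * freshly allocated response. Unlike the kernel path, it checks consistency
 * before the memcpy() and returns -2 instead of dereferencing NULL. */
static int rebuild_response(struct session *ses, unsigned int baselen)
{
	unsigned char *tiblob = ses->auth_key.response;
	unsigned int tilen = ses->auth_key.len;
	unsigned char *fresh;

	if (tilen != 0 && tiblob == NULL)
		return -2;	/* stale len with freed blob: the crashing state */

	fresh = calloc(baselen + tilen, 1);
	if (!fresh)
		return -1;
	if (tilen)
		memcpy(fresh + baselen, tiblob, tilen);
	free(ses->auth_key.response);
	ses->auth_key.response = fresh;
	ses->auth_key.len = baselen + tilen;
	return 0;
}

/* Constructed target-info blob (not captured from a real server). */
static const unsigned char sample_ti[] = { 0x02, 0x00, 0x04, 0x00, 'W', 'O', 'R', 'K' };

/* Setup, then the chosen cleanup; returns the len left behind (8 stale, 0 fixed). */
static unsigned int len_after_cleanup(bool patched)
{
	struct session ses = { { NULL, 0 } };
	unsigned int len;

	if (set_auth_key(&ses, sample_ti, sizeof sample_ti))
		return (unsigned int)-1;
	if (patched)
		free_auth_key_fixed(&ses);
	else
		free_auth_key_stale(&ses);
	len = ses.auth_key.len;
	free(ses.auth_key.response);
	return len;
}

/* Setup -> error-path cleanup -> reconnect reuse; returns the reuse result:
 * -2 when the cleanup left a stale len, 0 when the key state was consistent. */
static int simulate_reconnect(bool patched)
{
	struct session ses = { { NULL, 0 } };
	int rc;

	if (set_auth_key(&ses, sample_ti, sizeof sample_ti))
		return -1;
	if (patched)
		free_auth_key_fixed(&ses);
	else
		free_auth_key_stale(&ses);
	rc = rebuild_response(&ses, 16);
	free(ses.auth_key.response);
	return rc;
}

int main(void)
{
	printf("stale cleanup: len=%u reuse rc=%d\n", len_after_cleanup(false), simulate_reconnect(false));
	printf("fixed cleanup: len=%u reuse rc=%d\n", len_after_cleanup(true), simulate_reconnect(true));
	return 0;
}
```

The stale path is exactly the pair of values the commit message names (tilen != 0, tiblob == NULL); in the kernel the memcpy() runs unconditionally, so the only thing standing between a hostile server and the oops is that len and response are always cleared together.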