diff mbox series

cifs: Fix preauth hash corruption

Message ID 20210310122040.17515-1-vincent.whitchurch@axis.com (mailing list archive)
State New, archived
Headers show
Series cifs: Fix preauth hash corruption | expand

Commit Message

Vincent Whitchurch March 10, 2021, 12:20 p.m. UTC
smb311_update_preauth_hash() uses the shash in server->secmech without
appropriate locking, and this can lead to sessions corrupting each
other's preauth hashes.

The following script can easily trigger the problem:

	#!/bin/sh -e

	NMOUNTS=10
	for i in $(seq $NMOUNTS);
		mkdir -p /tmp/mnt$i
		umount /tmp/mnt$i 2>/dev/null || :
	done
	while :; do
		for i in $(seq $NMOUNTS); do
			mount -t cifs //192.168.0.1/test /tmp/mnt$i -o ... &
		done
		wait
		for i in $(seq $NMOUNTS); do
			umount /tmp/mnt$i
		done
	done

Usually within seconds this leads to one or more of the mounts failing
with the following errors, and a "Bad SMB2 signature for message" is
seen in the server logs:

 CIFS: VFS: \\192.168.0.1 failed to connect to IPC (rc=-13)
 CIFS: VFS: cifs_mount failed w/return code = -13

Fix it by holding the server mutex just like in the other places where
the shashes are used.

Fixes: 8bd68c6e47abff34e4 ("CIFS: implement v3.11 preauth integrity")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
 fs/cifs/transport.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Aurélien Aptel March 10, 2021, 3:15 p.m. UTC | #1
Good catch, thanks Vincent.
Reviewed-by: Aurelien Aptel <aaptel@suse.com>

Cheers,
Steve French March 10, 2021, 6:51 p.m. UTC | #2
cc: stable?

On Wed, Mar 10, 2021 at 6:21 AM Vincent Whitchurch
<vincent.whitchurch@axis.com> wrote:
>
> smb311_update_preauth_hash() uses the shash in server->secmech without
> appropriate locking, and this can lead to sessions corrupting each
> other's preauth hashes.
>
> The following script can easily trigger the problem:
>
>         #!/bin/sh -e
>
>         NMOUNTS=10
>         for i in $(seq $NMOUNTS);
>                 mkdir -p /tmp/mnt$i
>                 umount /tmp/mnt$i 2>/dev/null || :
>         done
>         while :; do
>                 for i in $(seq $NMOUNTS); do
>                         mount -t cifs //192.168.0.1/test /tmp/mnt$i -o ... &
>                 done
>                 wait
>                 for i in $(seq $NMOUNTS); do
>                         umount /tmp/mnt$i
>                 done
>         done
>
> Usually within seconds this leads to one or more of the mounts failing
> with the following errors, and a "Bad SMB2 signature for message" is
> seen in the server logs:
>
>  CIFS: VFS: \\192.168.0.1 failed to connect to IPC (rc=-13)
>  CIFS: VFS: cifs_mount failed w/return code = -13
>
> Fix it by holding the server mutex just like in the other places where
> the shashes are used.
>
> Fixes: 8bd68c6e47abff34e4 ("CIFS: implement v3.11 preauth integrity")
> Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
> ---
>  fs/cifs/transport.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
> index e90a1d1380b0..aa9c0f6bc263 100644
> --- a/fs/cifs/transport.c
> +++ b/fs/cifs/transport.c
> @@ -1196,9 +1196,12 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
>         /*
>          * Compounding is never used during session establish.
>          */
> -       if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP))
> +       if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP)) {
> +               mutex_lock(&server->srv_mutex);
>                 smb311_update_preauth_hash(ses, rqst[0].rq_iov,
>                                            rqst[0].rq_nvec);
> +               mutex_unlock(&server->srv_mutex);
> +       }
>
>         for (i = 0; i < num_rqst; i++) {
>                 rc = wait_for_response(server, midQ[i]);
> @@ -1266,7 +1269,9 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
>                         .iov_base = resp_iov[0].iov_base,
>                         .iov_len = resp_iov[0].iov_len
>                 };
> +               mutex_lock(&server->srv_mutex);
>                 smb311_update_preauth_hash(ses, &iov, 1);
> +               mutex_unlock(&server->srv_mutex);
>         }
>
>  out:
> --
> 2.28.0
>
Aurélien Aptel March 11, 2021, 10 a.m. UTC | #3
Steve French <smfrench@gmail.com> writes:
> cc: stable?

Sounds good

Cheers,
Pavel Shilovsky March 12, 2021, 6 p.m. UTC | #4
Thanks for the patch! Agree with a stable tag.
--
Best regards,
Pavel Shilovsky

чт, 11 мар. 2021 г. в 02:01, Aurélien Aptel <aaptel@suse.com>:
>
> Steve French <smfrench@gmail.com> writes:
> > cc: stable?
>
> Sounds good
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
>
diff mbox series

Patch

diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index e90a1d1380b0..aa9c0f6bc263 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -1196,9 +1196,12 @@  compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
 	/*
 	 * Compounding is never used during session establish.
 	 */
-	if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP))
+	if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP) || (optype & CIFS_SESS_OP)) {
+		mutex_lock(&server->srv_mutex);
 		smb311_update_preauth_hash(ses, rqst[0].rq_iov,
 					   rqst[0].rq_nvec);
+		mutex_unlock(&server->srv_mutex);
+	}
 
 	for (i = 0; i < num_rqst; i++) {
 		rc = wait_for_response(server, midQ[i]);
@@ -1266,7 +1269,9 @@  compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
 			.iov_base = resp_iov[0].iov_base,
 			.iov_len = resp_iov[0].iov_len
 		};
+		mutex_lock(&server->srv_mutex);
 		smb311_update_preauth_hash(ses, &iov, 1);
+		mutex_unlock(&server->srv_mutex);
 	}
 
 out: