shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-09 12:17:12 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
1fab0233720fe9751777c17a17628b5f7402e310
linux/fs
History
Enzo Matsumiya 0809fb86ad smb: client: fix UAF in async decryption 
[ Upstream commit b0abcd65ec545701b8793e12bc27dc98042b151a ]

Doing an async decryption (large read) crashes with a
slab-use-after-free way down in the crypto API.

Reproducer:
    # mount.cifs -o ...,seal,esize=1 //srv/share /mnt
    # dd if=/mnt/largefile of=/dev/null
    ...
    [  194.196391] ==================================================================
    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
    [  194.197707]
    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
    [  194.200032] Call Trace:
    [  194.200191]  <TASK>
    [  194.200327]  dump_stack_lvl+0x4e/0x70
    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.200809]  print_report+0x174/0x505
    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
    [  194.201352]  ? srso_return_thunk+0x5/0x5f
    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0
    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202128]  kasan_report+0xc8/0x150
    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202616]  gf128mul_4k_lle+0xc1/0x110
    [  194.202863]  ghash_update+0x184/0x210
    [  194.203103]  shash_ahash_update+0x184/0x2a0
    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10
    [  194.203651]  ? srso_return_thunk+0x5/0x5f
    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340
    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140
    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]
    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]
    [  194.208507]  ? srso_return_thunk+0x5/0x5f
    [  194.209205]  ? srso_return_thunk+0x5/0x5f
    [  194.209925]  ? srso_return_thunk+0x5/0x5f
    [  194.210443]  ? srso_return_thunk+0x5/0x5f
    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]
    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
    [  194.214670]  ? srso_return_thunk+0x5/0x5f
    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]

This is because TFM is being used in parallel.

Fix this by allocating a new AEAD TFM for async decryption, but keep
the existing one for synchronous READ cases (similar to what is done
in smb3_calc_signature()).

Also remove the calls to aead_request_set_callback() and
crypto_wait_req() since it's always going to be a synchronous operation.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:24:21 +02:00
..
9p
9p: add missing locking around taking dentry fid list
2024-06-16 13:47:37 +02:00
adfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
affs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
afs
afs: fix __afs_break_callback() / afs_drop_open_mmap() race
2024-08-29 17:33:32 +02:00
autofs
Merge tag 'v6.6-vfs.autofs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 11:39:14 -07:00
befs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
bfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
btrfs
btrfs: drop the backref cache during relocation if we commit
2024-10-10 11:58:06 +02:00
cachefiles
cachefiles: fix dentry leak in cachefiles_open_file()
2024-10-10 11:57:57 +02:00
ceph
ceph: fix cap ref leak via netfs init_request
2024-10-10 11:57:59 +02:00
coda
Merge tag 'v6.6-vfs.ctime' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 09:31:32 -07:00
configfs
configfs: convert to ctime accessor functions
2023-07-13 10:28:05 +02:00
cramfs
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
crypto
fs: Create a generic is_dot_dotdot() utility
2024-10-04 16:29:48 +02:00
debugfs
debugfs: fix automount d_fsdata usage
2024-01-20 11:51:37 +01:00
devpts
Merge tag 'v6.6-vfs.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 10:17:14 -07:00
dlm
dlm: fix user space lock decision to copy lvb
2024-06-12 11:11:38 +02:00
ecryptfs
fs: Create a generic is_dot_dotdot() utility
2024-10-04 16:29:48 +02:00
efivarfs
efivarfs: Request at most 512 bytes for variable names
2024-03-06 14:48:41 +00:00
efs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
erofs
erofs: fix incorrect symlink detection in fast symlink
2024-10-04 16:29:00 +02:00
exfat
exfat: fix memory leak in exfat_load_bitmap()
2024-10-10 11:57:52 +02:00
exportfs
exportfs: remove kernel-doc warnings in exportfs
2023-08-29 17:45:22 -04:00
ext2
ext2: Verify bitmap and itable block numbers before using them
2024-08-03 08:54:15 +02:00
ext4
ext4: nested locking for xattr inode
2024-10-17 15:24:16 +02:00
f2fs
f2fs: fix to check atomic_file in f2fs ioctl interfaces
2024-10-04 16:29:54 +02:00
fat
fat: fix uninitialized field in nostale filehandles
2024-04-03 15:28:20 +02:00
freevxfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
fscache
fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
2024-09-12 11:11:27 +02:00
fuse
fuse: fix memory leak in fuse_create_open
2024-09-12 11:11:26 +02:00
gfs2
gfs2: Revert "ignore negated quota changes"
2024-10-17 15:24:08 +02:00
hfs
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
2024-08-03 08:54:15 +02:00
hfsplus
hfsplus: fix to avoid false alarm of circular locking
2024-08-03 08:53:21 +02:00
hostfs
hostfs: fix dev_t handling
2024-08-03 08:54:22 +02:00
hpfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
hugetlbfs
mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
2024-02-23 09:25:16 +01:00
iomap
iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release
2024-10-10 11:57:39 +02:00
isofs
isofs: handle CDs with bad root inode but good Joliet root directory
2024-04-13 13:07:34 +02:00
jbd2
jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit
2024-10-10 11:57:50 +02:00
jffs2
jffs2: Fix potential illegal address access in jffs2_free_inode
2024-07-11 12:49:09 +02:00
jfs
jfs: Fix uninit-value access of new_ea in ea_buffer
2024-10-10 11:57:34 +02:00
kernfs
kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files
2024-08-29 17:33:33 +02:00
lockd
nfsd: stop setting ->pg_stats for unused stats
2024-08-19 06:04:23 +02:00
minix
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
netfs
netfs: Only call folio_start_fscache() one time for each folio
2023-09-18 12:03:46 -07:00
nfs
nfs: fix memory leak in error path of nfs4_do_reclaim
2024-10-04 16:29:56 +02:00
nfs_common
nfsd
NFSD: Fix NFSv4's PUTPUBFH operation
2024-10-10 11:57:53 +02:00
nilfs2
nilfs2: fix potential oob read in nilfs_btree_check_delete()
2024-10-04 16:29:22 +02:00
nls
nls: Hide new NLS_UCS2_UTILS
2023-08-31 12:07:34 -05:00
notify
fsnotify: clear PARENT_WATCHED flags lazily
2024-09-08 07:54:44 +02:00
ntfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
ntfs3
ntfs3: Change to non-blocking allocation in ntfs_d_hash
2024-10-17 15:24:14 +02:00
ocfs2
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
2024-10-10 11:57:51 +02:00
omfs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
openpromfs
openpromfs: finish conversion to the new mount API
2024-06-12 11:11:30 +02:00
orangefs
orangefs: fix out-of-bounds fsid access
2024-07-11 12:49:08 +02:00
overlayfs
ovl: fail if trusted xattrs are needed but caller lacks permission
2024-10-10 11:57:44 +02:00
proc
proc: add config & param to block forcing mem writes
2024-10-10 11:57:27 +02:00
pstore
pstore/zone: Add a null pointer check to the psz_kmsg_read
2024-04-13 13:07:31 +02:00
qnx4
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
qnx6
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
quota
quota: Remove BUG_ON from dqget()
2024-08-29 17:33:33 +02:00
ramfs
ramfs: convert to ctime accessor functions
2023-07-24 10:30:04 +02:00
reiserfs
reiserfs: fix uninit-value in comp_keys
2024-08-19 06:04:26 +02:00
romfs
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
smb
smb: client: fix UAF in async decryption
2024-10-17 15:24:21 +02:00
squashfs
Squashfs: sanity check symbolic link size
2024-09-12 11:11:39 +02:00
sysfs
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
2024-04-27 17:11:41 +02:00
sysv
sysv: don't call sb_bread() with pointers_lock held
2024-04-13 13:07:34 +02:00
tracefs
eventfs: Use list_del_rcu() for SRCU protected list variable
2024-09-12 11:11:27 +02:00
ubifs
Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path"
2024-10-10 11:58:09 +02:00
udf
udf: Avoid excessive partition lengths
2024-09-12 11:11:30 +02:00
ufs
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
unicode
unicode: Don't special case ignorable code points
2024-10-17 15:24:07 +02:00
vboxsf
vboxsf: explicitly deny setlease attempts
2024-05-17 12:02:13 +02:00
verity
fsverity: use register_sysctl_init() to avoid kmemleak warning
2024-06-16 13:47:33 +02:00
xfs
xfs: fix log recovery buffer allocation for the legacy h_size fixup
2024-08-14 13:59:03 +02:00
zonefs
zonefs: Improve error handling
2024-02-23 09:25:13 +01:00
aio.c
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
2024-04-03 15:28:44 +02:00
anon_inodes.c
attr.c
Merge tag 'v6.6-vfs.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2023-08-28 10:17:14 -07:00
bad_inode.c
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
binfmt_elf_fdpic.c
fs: binfmt_elf_efpic: don't use missing interpreter's properties
2024-08-29 17:33:33 +02:00
binfmt_elf_test.c
binfmt_elf.c
ELF: fix kernel.randomize_va_space double read
2024-09-12 11:11:29 +02:00
binfmt_flat.c
binfmt_flat: Fix corruption when not offsetting data start
2024-08-19 06:04:30 +02:00
binfmt_misc.c
binfmt_misc: cleanup on filesystem umount
2024-08-29 17:33:27 +02:00
binfmt_script.c
buffer.c
ext4: sanity check for NULL pointer after ext4_force_shutdown
2024-08-19 06:04:29 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c
d_path.c
dax.c
iomap: constrain the file range passed to iomap_file_unshare
2024-10-10 11:57:18 +02:00
dcache.c
fs: better handle deep ancestor chains in is_subdir()
2024-07-25 09:50:54 +02:00
direct-io.c
Merge tag 'mm-stable-2023-06-24-19-15' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-06-28 10:28:11 -07:00
drop_caches.c
fs: drop_caches: draining pages before dropping caches
2023-08-18 10:12:11 -07:00
eventfd.c
eventfd: prevent underflow for eventfd semaphores
2023-07-11 11:41:34 +02:00
eventpoll.c
epoll: be better about file lifetimes
2024-06-12 11:11:30 +02:00
exec.c
parisc: Fix stack start for ADDR_NO_RANDOMIZE personality
2024-10-10 11:57:49 +02:00
fcntl.c
fs: Fix file_set_fowner LSM hook inconsistencies
2024-10-04 16:29:56 +02:00
fhandle.c
fs: Annotate struct file_handle with __counted_by() and use struct_size()
2024-08-19 06:04:28 +02:00
file_table.c
fs: use __fput_sync in close(2)
2023-08-08 19:36:51 +02:00
file.c
close_range(): fix the logics in descriptor table trimming
2024-10-10 11:58:00 +02:00
filesystems.c
fs_context.c
fs: factor out vfs_parse_monolithic_sep() helper
2023-10-12 18:53:36 +03:00
fs_parser.c
fs_pin.c
fs_struct.c
kill do_each_thread()
2023-08-21 13:46:25 -07:00
fs_types.c
fs-writeback.c
fs/writeback: bail out if there is no more inodes for IO and queued once
2024-06-27 13:49:00 +02:00
fsopen.c
fs: add FSCONFIG_CMD_CREATE_EXCL
2023-08-14 18:48:02 +02:00
init.c
inode.c
vfs: fix race between evice_inodes() and find_inode()&iput()
2024-10-04 16:29:56 +02:00
internal.h
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
ioctl.c
lsm: new security_file_ioctl_compat() hook
2024-01-31 16:18:54 -08:00
Kconfig
Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
2023-08-29 20:21:42 -07:00
Kconfig.binfmt
riscv: support the elf-fdpic binfmt loader
2023-08-23 14:17:43 -07:00
kernel_read_file.c
fs: Fix kernel-doc warnings
2023-08-19 12:12:12 +02:00
libfs.c
fs: new accessor methods for atime and mtime
2024-01-05 15:19:40 +01:00
locks.c
filelock: Fix fcntl/close race recovery compat path
2024-07-27 11:34:10 +02:00
Makefile
fs: add CONFIG_BUFFER_HEAD
2023-08-02 09:13:09 -06:00
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c
fs: Create a generic is_dot_dotdot() utility
2024-10-04 16:29:48 +02:00
namespace.c
mount: handle OOM on mnt_warn_timestamp_expiry
2024-10-04 16:28:51 +02:00
nsfs.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
open.c
ftruncate: pass a signed offset
2024-07-05 09:34:04 +02:00
pipe.c
fs/pipe: Fix lockdep false-positive in watchqueue pipe_write()
2024-04-10 16:35:57 +02:00
pnode.c
pnode.h
posix_acl.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
proc_namespace.c
read_write.c
fs: Fix one kernel-doc comment
2023-08-15 08:32:45 +02:00
readdir.c
vfs: get rid of old '->iterate' directory operation
2023-08-06 15:08:35 +02:00
remap_range.c
select.c
fs/select: rework stack allocation hack for clang
2024-03-26 18:19:17 -04:00
seq_file.c
signalfd.c
splice.c
Merge tag 'mm-stable-2023-08-28-18-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-08-29 14:25:26 -07:00
stack.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
stat.c
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
statfs.c
super.c
fs: Convert to bdev_open_by_dev()
2024-08-19 06:04:25 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c
Fix userfaultfd_api to return EINVAL as expected
2024-07-18 13:21:22 +02:00
utimes.c
xattr.c
vfs: Fix potential circular locking through setxattr() and removexattr()
2024-09-12 11:11:38 +02:00