release 6.14.5
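--- a/debian/patches/patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
+++ b/debian/patches/patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
@@ -0,0 +1,108 @@
+From f9567920fca6215aed3fa0658c09ae57f3168ed0 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 17 Apr 2025 10:10:15 +0900
+Subject: ksmbd: fix use-after-free in ksmbd_session_rpc_open
+
+A UAF issue can occur due to a race condition between
+ksmbd_session_rpc_open() and __session_rpc_close().
+Add rpc_lock to the session to protect it.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+fs/smb/server/mgmt/user_session.c | 20 ++++++++++++++------
+fs/smb/server/mgmt/user_session.h | 1 +
+2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -59,10 +59,12 @@ static void ksmbd_session_rpc_clear_list
+struct ksmbd_session_rpc *entry;
+long index;
+
++ down_write(&sess->rpc_lock);
+xa_for_each(&sess->rpc_handle_list, index, entry) {
+xa_erase(&sess->rpc_handle_list, index);
+__session_rpc_close(sess, entry);
+}
++ up_write(&sess->rpc_lock);
+
+xa_destroy(&sess->rpc_handle_list);
+}
+@@ -92,7 +94,7 @@ int ksmbd_session_rpc_open(struct ksmbd_
+{
+struct ksmbd_session_rpc *entry, *old;
+struct ksmbd_rpc_command *resp;
+- int method;
++ int method, id;
+
+method = __rpc_method(rpc_name);
+if (!method)
+@@ -102,26 +104,29 @@ int ksmbd_session_rpc_open(struct ksmbd_
+if (!entry)
+return -ENOMEM;
+
++ down_read(&sess->rpc_lock);
+entry->method = method;
+- entry->id = ksmbd_ipc_id_alloc();
+- if (entry->id < 0)
++ entry->id = id = ksmbd_ipc_id_alloc();
++ if (id < 0)
+goto free_entry;
+- old = xa_store(&sess->rpc_handle_list, entry->id, entry, KSMBD_DEFAULT_GFP);
++ old = xa_store(&sess->rpc_handle_list, id, entry, KSMBD_DEFAULT_GFP);
+if (xa_is_err(old))
+goto free_id;
+
+- resp = ksmbd_rpc_open(sess, entry->id);
++ resp = ksmbd_rpc_open(sess, id);
+if (!resp)
+goto erase_xa;
+
++ up_read(&sess->rpc_lock);
+kvfree(resp);
+- return entry->id;
++ return id;
+erase_xa:
+xa_erase(&sess->rpc_handle_list, entry->id);
+free_id:
+ksmbd_rpc_id_free(entry->id);
+free_entry:
+kfree(entry);
++ up_read(&sess->rpc_lock);
+return -EINVAL;
+}
+
+@@ -129,9 +134,11 @@ void ksmbd_session_rpc_close(struct ksmb
+{
+struct ksmbd_session_rpc *entry;
+
++ down_write(&sess->rpc_lock);
+entry = xa_erase(&sess->rpc_handle_list, id);
+if (entry)
+__session_rpc_close(sess, entry);
++ up_write(&sess->rpc_lock);
+}
+
+int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
+@@ -439,6 +446,7 @@ static struct ksmbd_session *__session_c
+sess->sequence_number = 1;
+rwlock_init(&sess->tree_conns_lock);
+atomic_set(&sess->refcnt, 2);
++ init_rwsem(&sess->rpc_lock);
+
+ret = __init_smb2_session(sess);
+if (ret)
+--- a/fs/smb/server/mgmt/user_session.h
++++ b/fs/smb/server/mgmt/user_session.h
+@@ -63,6 +63,7 @@ struct ksmbd_session {
+rwlock_t tree_conns_lock;
+
+atomic_t refcnt;
++ struct rw_semaphore rpc_lock;
+};
+
+static inline int test_session_flag(struct ksmbd_session *sess, int bit)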
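--- a/debian/patches/patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
+++ b/debian/patches/patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
@@ -0,0 +1,56 @@
+From 6e367a428b98393cd5d0ab993983ba40dc748ca5 Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Sat, 19 Apr 2025 19:59:28 +0100
+Subject: ksmbd: fix use-after-free in kerberos authentication
+
+Setting sess->user = NULL was introduced to fix the dangling pointer
+created by ksmbd_free_user. However, it is possible another thread could
+be operating on the session and make use of sess->user after it has been
+passed to ksmbd_free_user but before sess->user is set to NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+fs/smb/server/auth.c | 14 +++++++++++++-
+fs/smb/server/smb2pdu.c | 5 -----
+2 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -550,7 +550,19 @@ int ksmbd_krb5_authenticate(struct ksmbd
+retval = -ENOMEM;
+goto out;
+}
+- sess->user = user;
++
++ if (!sess->user) {
++ /* First successful authentication */
++ sess->user = user;
++ } else {
++ if (!ksmbd_compare_user(sess->user, user)) {
++ ksmbd_debug(AUTH, "different user tried to reuse session\n");
++ retval = -EPERM;
++ ksmbd_free_user(user);
++ goto out;
++ }
++ ksmbd_free_user(user);
++ }
+
+memcpy(sess->sess_key, resp->payload, resp->session_key_len);
+memcpy(out_blob, resp->payload + resp->session_key_len,
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1602,11 +1602,6 @@ static int krb5_authenticate(struct ksmb
+if (prev_sess_id && prev_sess_id != sess->id)
+destroy_previous_session(conn, sess->user, prev_sess_id);
+
+- if (sess->state == SMB2_SESSION_VALID) {
+- ksmbd_free_user(sess->user);
+- sess->user = NULL;
+- }
+-
+retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+out_blob, &out_len);
+if (retval) {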
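--- a/debian/patches/patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
+++ b/debian/patches/patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
@@ -0,0 +1,31 @@
+From 818b4d086f287e0a5cc6368eb72703b68b0603d0 Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Mon, 21 Apr 2025 15:39:29 +0000
+Subject: ksmbd: fix use-after-free in session logoff
+
+The sess->user object can currently be in use by another thread, for
+example if another connection has sent a session setup request to
+bind to the session being free'd. The handler for that connection could
+be in the smb2_sess_setup function which makes use of sess->user.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+fs/smb/server/smb2pdu.c | 4 ----
+1 file changed, 4 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2244,10 +2244,6 @@ int smb2_session_logoff(struct ksmbd_wor
+sess->state = SMB2_SESSION_EXPIRED;
+up_write(&conn->session_lock);
+
+- if (sess->user) {
+- ksmbd_free_user(sess->user);
+- sess->user = NULL;
+- }
+ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
+
+rsp->StructureSize = cpu_to_le16(4);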