Paulo Alcantara 343d7fe6df smb: client: fix use-after-free of signing key ... Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8 ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. Cc: stable@vger.kernel.org Reported-by: Jay Shin <jaeshin@redhat.com> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com>		2024-11-17 22:20:54 -06:00
..
client	smb: client: fix use-after-free of signing key	2024-11-17 22:20:54 -06:00
common	smb: Update comments about some reparse point tags	2024-09-29 17:28:40 -05:00
server	ksmbd: check outstanding simultaneous SMB operations	2024-11-05 09:26:38 +09:00
Kconfig	smb: move client and server files to common directory fs/smb	2023-05-24 16:29:21 -05:00
Makefile	smb: move client and server files to common directory fs/smb	2023-05-24 16:29:21 -05:00