[PATCH OLK-5.10 09/18] ksmbd: fix deadlock in ksmbd_find_crypto_ctx()

10 Jun 2023

From: Namjae Jeon linkinjeon@kernel.org
mainline inclusion
from mainline-v6.4-rc1
commit 7b4323373d844954bb76e0e9f39c4e5fc785fa7b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FIN
CVE: CVE-2023-32253
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Deadlock is triggered by sending multiple concurrent session setup
requests. It should be reused after releasing when getting ctx for crypto.
Multiple consecutive ctx uses cause deadlock while waiting for releasing
due to the limited number of ctx.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20591
Signed-off-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com
---
 fs/ksmbd/auth.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 0ac85a1a63c0..d8dabd19823f 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -220,22 +220,22 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
 {
    char ntlmv2_hash[CIFS_ENCPWD_SIZE];
    char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
-	struct ksmbd_crypto_ctx *ctx;
+	struct ksmbd_crypto_ctx *ctx = NULL;
    char *construct = NULL;
    int rc, len;
-	ctx = ksmbd_crypto_ctx_find_hmacmd5();
-	if (!ctx) {
-		ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
-		return -ENOMEM;
-	}
-
    rc = calc_ntlmv2_hash(conn, sess, ntlmv2_hash, domain_name);
    if (rc) {
    	ksmbd_debug(AUTH, "could not get v2 hash rc %d\n", rc);
    	goto out;
    }
+	ctx = ksmbd_crypto_ctx_find_hmacmd5();
+	if (!ctx) {
+		ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+		return -ENOMEM;
+	}
+
    rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
    			 ntlmv2_hash,
    			 CIFS_HMAC_MD5_HASH_SIZE);
@@ -271,6 +271,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
    	ksmbd_debug(AUTH, "Could not generate md5 hash\n");
    	goto out;
    }
+	ksmbd_release_crypto_ctx(ctx);
+	ctx = NULL;
rc = ksmbd_gen_sess_key(sess, ntlmv2_hash, ntlmv2_rsp);
    if (rc) {
@@ -281,7 +283,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
    if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
    	rc = -EINVAL;
 out:
-	ksmbd_release_crypto_ctx(ctx);
+	if (ctx)
+		ksmbd_release_crypto_ctx(ctx);
    kfree(construct);
    return rc;
 }
-- 
2.31.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-5.10 09/18] ksmbd: fix deadlock in ksmbd_find_crypto_ctx()