Commit 3e789b90 authored by Namjae Jeon's avatar Namjae Jeon Committed by openeuler-sync-bot
Browse files

ksmbd: fix deadlock in ksmbd_find_crypto_ctx() 

mainline inclusion
from mainline-v6.4-rc1
commit 7b432337
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FIN
CVE: CVE-2023-32253

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7b4323373d844954bb76e0e9f39c4e5fc785fa7b



--------------------------------

Deadlock is triggered by sending multiple concurrent session setup
requests. It should be reused after releasing when getting ctx for crypto.
Multiple consecutive ctx uses cause deadlock while waiting for releasing
due to the limited number of ctx.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20591
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
(cherry picked from commit 5c18a2ed)
parent 3452089a

fs/ksmbd/auth.c

+11 −8
Original line number Diff line number Diff line
@@ -220,22 +220,22 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess, 
{

	char ntlmv2_hash[CIFS_ENCPWD_SIZE];

	char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];

	struct ksmbd_crypto_ctx *ctx;

	struct ksmbd_crypto_ctx *ctx = NULL;

	char *construct = NULL;

	int rc, len;



	ctx = ksmbd_crypto_ctx_find_hmacmd5();

	if (!ctx) {

		ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");

		return -ENOMEM;

	}



	rc = calc_ntlmv2_hash(conn, sess, ntlmv2_hash, domain_name);

	if (rc) {

		ksmbd_debug(AUTH, "could not get v2 hash rc %d\n", rc);

		goto out;

	}



	ctx = ksmbd_crypto_ctx_find_hmacmd5();

	if (!ctx) {

		ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");

		return -ENOMEM;

	}



	rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),

				 ntlmv2_hash,

				 CIFS_HMAC_MD5_HASH_SIZE);
@@ -271,6 +271,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess, 
		ksmbd_debug(AUTH, "Could not generate md5 hash\n");

		goto out;

	}

	ksmbd_release_crypto_ctx(ctx);

	ctx = NULL;



	rc = ksmbd_gen_sess_key(sess, ntlmv2_hash, ntlmv2_rsp);

	if (rc) {
@@ -281,6 +283,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess, 
	if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)

		rc = -EINVAL;

out:

	if (ctx)

		ksmbd_release_crypto_ctx(ctx);

	kfree(construct);

	return rc;