diff options
authorVincent Whitchurch <vincent.whitchurch@axis.com>2021-03-10 13:20:40 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-03-24 11:07:39 +0100
commitb0834edc70e402244ed8da96664368c15d869582 (patch)
parentc18a5f637b147a27e79662325935fd7264108b4d (diff)
cifs: Fix preauth hash corruption
commit 05946d4b7a7349ae58bfa2d51ae832e64a394c2d upstream. smb311_update_preauth_hash() uses the shash in server->secmech without appropriate locking, and this can lead to sessions corrupting each other's preauth hashes. The following script can easily trigger the problem: #!/bin/sh -e NMOUNTS=10 for i in $(seq $NMOUNTS); mkdir -p /tmp/mnt$i umount /tmp/mnt$i 2>/dev/null || : done while :; do for i in $(seq $NMOUNTS); do mount -t cifs // /tmp/mnt$i -o ... & done wait for i in $(seq $NMOUNTS); do umount /tmp/mnt$i done done Usually within seconds this leads to one or more of the mounts failing with the following errors, and a "Bad SMB2 signature for message" is seen in the server logs: CIFS: VFS: \\ failed to connect to IPC (rc=-13) CIFS: VFS: cifs_mount failed w/return code = -13 Fix it by holding the server mutex just like in the other places where the shashes are used. Fixes: 8bd68c6e47abff34e4 ("CIFS: implement v3.11 preauth integrity") Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> CC: <stable@vger.kernel.org> Reviewed-by: Aurelien Aptel <aaptel@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com> [aaptel: backport to kernel without CIFS_SESS_OP and multichannel] Signed-off-by: Aurelien Aptel <aaptel@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index 70412944b267..59643acb6d67 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -891,9 +891,12 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
* Compounding is never used during session establish.
- if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP))
+ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) {
+ mutex_lock(&ses->server->srv_mutex);
smb311_update_preauth_hash(ses, rqst[0].rq_iov,
+ mutex_unlock(&ses->server->srv_mutex);
+ }
if (timeout == CIFS_ASYNC_OP)
goto out;
@@ -964,7 +967,9 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
.iov_base = resp_iov[0].iov_base,
.iov_len = resp_iov[0].iov_len
+ mutex_lock(&ses->server->srv_mutex);
smb311_update_preauth_hash(ses, &iov, 1);
+ mutex_unlock(&ses->server->srv_mutex);