]> git.baikalelectronics.ru Git - kernel.git/commitdiff
cifs: fix double-fault crash during ntlmssp
authorPaulo Alcantara <pc@cjr.nz>
Fri, 14 Oct 2022 20:14:54 +0000 (17:14 -0300)
committerSteve French <stfrench@microsoft.com>
Sat, 15 Oct 2022 15:04:38 +0000 (10:04 -0500)
The crash occurred because we were calling memzero_explicit() on an
already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer().

Fix this by not calling memzero_explicit() on sess_data::iov[1] as
it's already by handled by callers.

Fixes: 51865fc04b82 ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/cifs/sess.c

index c9edec7081de703eb7806dc7ccb513e8f6a6d938..0435d1dfa9e11fb998d140d11ea88a6fdd76f4d6 100644 (file)
@@ -1208,16 +1208,18 @@ out_free_smb_buf:
 static void
 sess_free_buffer(struct sess_data *sess_data)
 {
-       int i;
+       struct kvec *iov = sess_data->iov;
 
-       /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
-       for (i = 0; i < 3; i++)
-               if (sess_data->iov[i].iov_base)
-                       memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+       /*
+        * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
+        * Note that iov[1] is already freed by caller.
+        */
+       if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
+               memzero_explicit(iov[0].iov_base, iov[0].iov_len);
 
-       free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+       free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
        sess_data->buf0_type = CIFS_NO_BUFFER;
-       kfree(sess_data->iov[2].iov_base);
+       kfree_sensitive(iov[2].iov_base);
 }
 
 static int