]> git.baikalelectronics.ru Git - kernel.git/commitdiff
cifs: fix memory leaks in session setup
authorPaulo Alcantara <pc@cjr.nz>
Wed, 19 Oct 2022 14:25:37 +0000 (11:25 -0300)
committerSteve French <stfrench@microsoft.com>
Wed, 19 Oct 2022 22:57:51 +0000 (17:57 -0500)
We were only zeroing out the ntlmssp blob but forgot to free the
allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate()
and SMB2_sess_auth_rawntlmssp_authenticate() functions.

This fixes below kmemleak reports:

unreferenced object 0xffff88800ddcfc60 (size 96):
  comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000d0beeb29>] __kmalloc+0x39/0xa0
    [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs]
    [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs]
    [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
    [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
    [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
    [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
    [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
    [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
    [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
    [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
    [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
    [<000000003a8561de>] path_mount+0x2d3/0xb50
    [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
    [<00000000142142f3>] do_syscall_64+0x3b/0x90
    [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
unreferenced object 0xffff88801437f000 (size 512):
  comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000d0beeb29>] __kmalloc+0x39/0xa0
    [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs]
    [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs]
    [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs]
    [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs]
    [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs]
    [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs]
    [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs]
    [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs]
    [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs]
    [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs]
    [<0000000094dbd041>] vfs_get_tree+0x23/0xc0
    [<000000003a8561de>] path_mount+0x2d3/0xb50
    [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140
    [<00000000142142f3>] do_syscall_64+0x3b/0x90
    [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 51865fc04b82 ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/cifs/smb2pdu.c

index c930b63bc422fa9e24c01ee89030ef2d18f26630..a5695748a89b17aaf60ef3c454ed64273fccd9a7 100644 (file)
@@ -1341,14 +1341,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
 static void
 SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
 {
-       int i;
+       struct kvec *iov = sess_data->iov;
 
-       /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
-       for (i = 0; i < 2; i++)
-               if (sess_data->iov[i].iov_base)
-                       memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+       /* iov[1] is already freed by caller */
+       if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
+               memzero_explicit(iov[0].iov_base, iov[0].iov_len);
 
-       free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+       free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
        sess_data->buf0_type = CIFS_NO_BUFFER;
 }
 
@@ -1578,7 +1577,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
        }
 
 out:
-       memzero_explicit(ntlmssp_blob, blob_length);
+       kfree_sensitive(ntlmssp_blob);
        SMB2_sess_free_buffer(sess_data);
        if (!rc) {
                sess_data->result = 0;
@@ -1662,7 +1661,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
        }
 #endif
 out:
-       memzero_explicit(ntlmssp_blob, blob_length);
+       kfree_sensitive(ntlmssp_blob);
        SMB2_sess_free_buffer(sess_data);
        kfree_sensitive(ses->ntlmssp);
        ses->ntlmssp = NULL;