linux/fs/cifs
Zeng Heng 153695d36e cifs: fix use-after-free caused by invalid pointer hostname
`hostname` needs to be set as null-pointer after free in
`cifs_put_tcp_session` function, or when `cifsd` thread attempts
to resolve hostname and reconnect the host, the thread would deref
the invalid pointer.

Here is one of practical backtrace examples as reference:

Task 477
---------------------------
 do_mount
  path_mount
   do_new_mount
    vfs_get_tree
     smb3_get_tree
      smb3_get_tree_common
       cifs_smb3_do_mount
        cifs_mount
         mount_put_conns
          cifs_put_tcp_session
          --> kfree(server->hostname)

cifsd
---------------------------
 kthread
  cifs_demultiplex_thread
   cifs_reconnect
    reconn_set_ipaddr_from_hostname
    --> if (!server->hostname)
    --> if (server->hostname[0] == '\0')  // !! UAF fault here

CIFS: VFS: cifs_mount failed w/return code = -112
mount error(112): Host is down
BUG: KASAN: use-after-free in reconn_set_ipaddr_from_hostname+0x2ba/0x310
Read of size 1 at addr ffff888108f35380 by task cifsd/480
CPU: 2 PID: 480 Comm: cifsd Not tainted 6.1.0-rc2-00106-gf705792f89dd-dirty #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x68/0x85
 print_report+0x16c/0x4a3
 kasan_report+0x95/0x190
 reconn_set_ipaddr_from_hostname+0x2ba/0x310
 __cifs_reconnect.part.0+0x241/0x800
 cifs_reconnect+0x65f/0xb60
 cifs_demultiplex_thread+0x1570/0x2570
 kthread+0x2c5/0x380
 ret_from_fork+0x22/0x30
 </TASK>
Allocated by task 477:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x7e/0x90
 __kmalloc_node_track_caller+0x52/0x1b0
 kstrdup+0x3b/0x70
 cifs_get_tcp_session+0xbc/0x19b0
 mount_get_conns+0xa9/0x10c0
 cifs_mount+0xdf/0x1970
 cifs_smb3_do_mount+0x295/0x1660
 smb3_get_tree+0x352/0x5e0
 vfs_get_tree+0x8e/0x2e0
 path_mount+0xf8c/0x1990
 do_mount+0xee/0x110
 __x64_sys_mount+0x14b/0x1f0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 477:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x50
 __kasan_slab_free+0x10a/0x190
 __kmem_cache_free+0xca/0x3f0
 cifs_put_tcp_session+0x30c/0x450
 cifs_mount+0xf95/0x1970
 cifs_smb3_do_mount+0x295/0x1660
 smb3_get_tree+0x352/0x5e0
 vfs_get_tree+0x8e/0x2e0
 path_mount+0xf8c/0x1990
 do_mount+0xee/0x110
 __x64_sys_mount+0x14b/0x1f0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888108f35380
 which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
 16-byte region [ffff888108f35380, ffff888108f35390)
The buggy address belongs to the physical page:
page:00000000333f8e58 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888108f350e0 pfn:0x108f35
flags: 0x200000000000200(slab|node=0|zone=2)
raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000423c0
raw: ffff888108f350e0 000000008080007a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff888108f35280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
 ffff888108f35300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
>ffff888108f35380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
                   ^
 ffff888108f35400: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888108f35480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: 7be3248f31 ("cifs: To match file servers, make sure the server hostname matches")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
2022-10-27 23:59:13 -05:00
..
asn1.c cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cached_dir.c cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cached_dir.h cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cifs_debug.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_debug.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_dfs_ref.c cifs: support nested dfs links over reconnect 2021-11-10 16:30:13 -06:00
cifs_fs_sb.h cifs: support nested dfs links over reconnect 2021-11-10 16:30:13 -06:00
cifs_ioctl.h smb3: improve SMB3 change notification support 2022-10-15 10:05:53 -05:00
cifs_spnego_negtokeninit.asn1 cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cifs_spnego.c cifs: use the chans_need_reconnect bitmap for reconnect status 2022-01-02 20:38:46 -06:00
cifs_spnego.h cifs: use the chans_need_reconnect bitmap for reconnect status 2022-01-02 20:38:46 -06:00
cifs_swn.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_swn.h cifs: simplify SWN code with dummy funcs instead of ifdefs 2021-04-25 16:28:22 -05:00
cifs_unicode.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c cifs: when insecure legacy is disabled shrink amount of SMB1 code 2022-08-05 11:24:03 -05:00
cifsacl.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifsencrypt.c cifs: secmech: use shash_desc directly, remove sdesc 2022-10-07 23:08:39 -05:00
cifsfs.c cifs: Fix xid leak in cifs_copy_file_range() 2022-10-18 11:33:43 -05:00
cifsfs.h cifs: update internal module number 2022-10-19 17:57:51 -05:00
cifsglob.h smb3: improve SMB3 change notification support 2022-10-15 10:05:53 -05:00
cifspdu.h cifs: Replace a couple of one-element arrays with flexible-array members 2022-10-05 17:42:38 -05:00
cifsproto.h cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
cifsroot.c cifs: move from strlcpy with unused retval to strscpy 2022-08-19 11:02:26 -05:00
cifssmb.c cifs: use ALIGN() and round_up() macros 2022-10-13 09:36:39 -05:00
connect.c cifs: fix use-after-free caused by invalid pointer hostname 2022-10-27 23:59:13 -05:00
dfs_cache.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
dfs_cache.h cifs: support share failover when remounting 2021-07-22 11:43:23 -05:00
dir.c cifs: Fix xid leak in cifs_create() 2022-10-18 11:33:43 -05:00
dns_resolve.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
dns_resolve.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
export.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
file.c cifs: Fix pages leak when writedata alloc failed in cifs_write_from_iter() 2022-10-23 17:50:10 -05:00
fs_context.c cifs: replace kfree() with kfree_sensitive() for sensitive data 2022-10-07 23:06:48 -05:00
fs_context.h smb3: allow deferred close timeout to be configurable 2022-08-11 20:03:04 -05:00
fscache.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
fscache.h cifs: Remove {cifs,nfs}_fscache_release_page() 2022-08-10 21:26:08 -05:00
inode.c cifs: Fix xid leak in cifs_get_file_info_unix() 2022-10-18 11:33:43 -05:00
ioctl.c smb3: improve SMB3 change notification support 2022-10-15 10:05:53 -05:00
Kconfig cifs: Support fscache indexing rewrite 2022-01-19 11:21:08 -06:00
link.c cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
Makefile cifs: Move cached-dir functions into a separate file 2022-08-11 10:33:18 -05:00
misc.c cifs: secmech: use shash_desc directly, remove sdesc 2022-10-07 23:08:39 -05:00
netlink.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs: remove unused server parameter from calc_smb_size() 2022-08-17 18:07:13 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h treewide: Replace zero-length arrays with flexible-array members 2022-02-17 07:00:39 -06:00
readdir.c cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
rfc1002pdu.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
sess.c cifs: Fix xid leak in cifs_ses_add_channel() 2022-10-18 11:33:43 -05:00
smb1ops.c cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
smb2file.c cifs: fix static checker warning 2022-10-14 12:35:25 -05:00
smb2glob.h smb3: move defines for ioctl protocol header and SMB2 sizes to smbfs_common 2022-03-26 23:09:20 -05:00
smb2inode.c cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
smb2maperror.c cifs: Create a new shared file holding smb2 pdu definitions 2021-11-05 09:50:57 -05:00
smb2misc.c cifs: use ALIGN() and round_up() macros 2022-10-13 09:36:39 -05:00
smb2ops.c smb3: interface count displayed incorrectly 2022-10-19 10:06:23 -05:00
smb2pdu.c cifs: fix memory leaks in session setup 2022-10-19 17:57:51 -05:00
smb2pdu.h cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
smb2proto.h smb3: improve SMB3 change notification support 2022-10-15 10:05:53 -05:00
smb2status.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
smb2transport.c smb3: fix oops in calculating shash_setkey 2022-10-07 23:08:41 -05:00
smbdirect.c Fix formatting of client smbdirect RDMA logging 2022-10-05 01:31:04 -05:00
smbdirect.h Decrease the number of SMB3 smbdirect client SGEs 2022-10-05 01:29:21 -05:00
smbencrypt.c cifs: rename cifs_common to smbfs_common 2021-09-08 23:59:26 -05:00
smberr.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
trace.c
trace.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
transport.c Scheduler changes for v6.1: 2022-10-10 09:10:28 -07:00
unc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
winucase.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
xattr.c cifs: when insecure legacy is disabled shrink amount of SMB1 code 2022-08-05 11:24:03 -05:00