lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4ba67095-4075-688f-d3fb-157847aee4d9@csail.mit.edu>
Date:   Wed, 3 Jan 2018 18:15:01 -0800
From:   "Srivatsa S. Bhat" <srivatsa@...il.mit.edu>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Thomas Backlund <tmb@...eia.org>,
        Steve French <smfrench@...il.com>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        lsahlber@...hat.com, pshilov@...rosoft.com,
        linux-cifs@...r.kernel.org
Subject: Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always
 be signed

On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Steve French <smfrench@...il.com>
>>>
>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>
>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>
>>> See kernel bugzilla bug 197311
>>>
>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>> Signed-off-by: Steve French <smfrench@...il.com>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>>>
>>> ---
>>>   fs/cifs/smb2pdu.c |    3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> --- a/fs/cifs/smb2pdu.c
>>> +++ b/fs/cifs/smb2pdu.c
>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>   	} else
>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>   	cifs_small_buf_release(req);
>>>
>>>
>>>
>>
>> This one needs to be backported to all stable kernels as the commit that
>> introduced the regression:
>> '
>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>
>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
> 
> Oh wait, it breaks the builds on older kernels, that's why I didn't
> apply it :)
> 
> Can you provide me with a working backport?
> 

Hi Steve,

Is there a version of this fix available for stable kernels?

I tried applying this patch to 4.4.109 (and a similar one for 4.9.74),
but it didn't fix the problem.  Instead, I actually got a NULL pointer
dereference when I tried to mount an SMB3 share.

Here is the patch I tried on 4.4.109:

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e..3963bd2 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        } else
                iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;


This results in the following NULL pointer dereference when I try
mounting:

# mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir

[   53.073057] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[   53.073511] IP: [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.073973] PGD 0 
[   53.074427] Oops: 0000 [#1] SMP 
[   53.074946] Modules linked in: arc4(E) ecb(E) md4(E) cifs(E) dns_resolver(E) vmw_vsock_vmci_transport(E) vsock(E) hid_generic(E) usbhid(E) hid(E) xt_conntrack(E) mousedev(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) iptable_filter(E) ip_tables(E) crc32c_intel(E) xt_LOG(E) nf_conntrack(E) jitterentropy_rng(E) hmac(E) sha256_ssse3(E) sha256_generic(E) drbg(E) vmw_balloon(E) ansi_cprng(E) aesni_intel(E) aes_x86_64(E) glue_helper(E) lrw(E) gf128mul(E) ablk_helper(E) cryptd(E) psmouse(E) evdev(E) uhci_hcd(E) ehci_pci(E) ehci_hcd(E) usbcore(E) intel_agp(E) usb_common(E) vmw_vmci(E) i2c_piix4(E) intel_gtt(E) nfit(E) battery(E) tpm_tis(E) tpm(E) ac(E) button(E) sch_fq_codel(E) autofs4(E)
[   53.079435] CPU: 3 PID: 829 Comm: mount.cifs Tainted: G            E   4.4.109-possible-fix1+ #21
[   53.079983] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[   53.081086] task: ffff8800b4f41940 ti: ffff8800b92ac000 task.ti: ffff8800b92ac000
[   53.081667] RIP: 0010:[<ffffffff8138ee9a>]  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.082247] RSP: 0018:ffff8800b92af9a8  EFLAGS: 00010282
[   53.082604] systemd-journald[284]: Compressed data object 721 -> 468 using XZ
[   53.083419] RAX: ffff8800af5943c0 RBX: ffff8800b484a800 RCX: 00000000ffff0ec7
[   53.084001] RDX: 0000000000000010 RSI: ffff8800b900af18 RDI: 0000000000000000
[   53.084602] RBP: ffff8800b92af9e0 R08: ffff8800b92afb64 R09: 0000000000000000
[   53.085184] R10: 3031322e3030312e R11: 00000000000007f5 R12: 0000000000000002
[   53.085755] R13: 0000000000000000 R14: ffff8800b900af18 R15: 0000000000000010
[   53.086333] FS:  00007fb659b45740(0000) GS:ffff88013fcc0000(0000) knlGS:0000000000000000
[   53.086907] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.087480] CR2: 0000000000000050 CR3: 00000000b7970000 CR4: 00000000001606e0
[   53.088107] Stack:
[   53.088681]  ffff8800bba5d8c0 ffff8800b92afa08 ffff8800b484a800 0000000000000002
[   53.089281]  ffff8800b92afac8 000008012400007d ffff8800b484a800 ffff8800b92afa50
[   53.089871]  ffffffffa02194a6 ffff8800b92afb70 ffff8800af5943c0 ffff8800b7a2f800
[   53.090457] Call Trace:
[   53.091054]  [<ffffffffa02194a6>] smb3_calc_signature+0xb6/0x290 [cifs]
[   53.091650]  [<ffffffffa0218b5b>] smb2_sign_rqst+0x2b/0x40 [cifs]
[   53.092244]  [<ffffffffa0219981>] smb2_setup_request+0xd1/0x170 [cifs]
[   53.092838]  [<ffffffffa02082a7>] SendReceive2+0xc7/0x450 [cifs]
[   53.093435]  [<ffffffffa02057d5>] ? cifs_small_buf_get+0x15/0x30 [cifs]
[   53.094030]  [<ffffffffa021b83f>] ? small_smb2_init+0xdf/0x200 [cifs]
[   53.094616]  [<ffffffffa021d6d7>] SMB2_ioctl+0x147/0x310 [cifs]
[   53.095203]  [<ffffffffa021d99e>] smb3_validate_negotiate+0xfe/0x2d0 [cifs]
[   53.095792]  [<ffffffffa021b196>] SMB2_tcon+0x296/0x500 [cifs]
[   53.096362]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
[   53.096930]  [<ffffffffa01efe0b>] cifs_get_tcon+0x1bb/0x560 [cifs]
[   53.097486]  [<ffffffffa01f2b10>] cifs_mount+0x690/0xde0 [cifs]
[   53.098032]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
[   53.098570]  [<ffffffffa01de6eb>] cifs_do_mount+0xcb/0x5a0 [cifs]
[   53.099089]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
[   53.099598]  [<ffffffff811b7b03>] mount_fs+0x33/0x160
[   53.100091]  [<ffffffff811d1b62>] vfs_kern_mount+0x62/0x100
[   53.100574]  [<ffffffff811d3f1b>] do_mount+0x21b/0xd30
[   53.101050]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
[   53.101511]  [<ffffffff811d4d47>] SyS_mount+0x87/0xd0
[   53.101959]  [<ffffffff817d806e>] entry_SYSCALL_64_fastpath+0x12/0x71
[   53.102400] Code: 89 e5 8b 12 e8 78 d2 04 00 31 c0 5d c3 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fd 53 49 89 f6 41 89 d7 48 83 ec 10 <4c> 8b 67 50 41 8b 5c 24 2c 48 85 de 75 14 41 ff 54 24 e8 48 83 
[   53.103820] RIP  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.104288]  RSP <ffff8800b92af9a8>
[   53.104745] CR2: 0000000000000050
[   53.105225] ---[ end trace fc2de0ad7f229314 ]---


The CIFS config options enabled are:

CONFIG_CIFS=m
CONFIG_CIFS_STATS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_WEAK_PW_HASH=y
CONFIG_CIFS_UPCALL=y
CONFIG_CIFS_XATTR=y
CONFIG_CIFS_POSIX=y
CONFIG_CIFS_ACL=y
CONFIG_CIFS_DEBUG=y
CONFIG_CIFS_DEBUG2=y
CONFIG_CIFS_DFS_UPCALL=y
CONFIG_CIFS_SMB2=y
# CONFIG_CIFS_SMB311 is not set
# CONFIG_CIFS_FSCACHE is not set


The problem seems to be that crypto_shash_setkey() is called without
calling smb3_crypto_shash_allocate() first.  So I looked up how mainline
avoids this issue, and it looks like the following commit makes a call
to generate_signingkey() even when server->sign == false, and this path
eventually calls smb3_crytpto_shash_allocate()), thus avoiding the NULL
pointer dereference.

cabfb3680f78 (CIFS: Enable encryption during session setup phase)


So, I adopted this change, and now my resulting patch looks like this:

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e..19cc92c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -833,7 +833,7 @@ ssetup_exit:
 
        if (!rc) {
                mutex_lock(&server->srv_mutex);
-               if (server->sign && server->ops->generate_signingkey) {
+               if (server->ops->generate_signingkey) {
                        rc = server->ops->generate_signingkey(ses);
                        kfree(ses->auth_key.response);
                        ses->auth_key.response = NULL;
@@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        } else
                iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;



This fixes the NULL pointer dereference, but the mount still fails, but
this time for a different reason -- due to STATUS_ACCESS_DENIED:


# mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir

mount.cifs kernel mount options: ip=<ip_addr>,unc=\\<ip_addr>\TestSMB,vers=3.0,user=srivatsa,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Here is the dmesg output:

[   48.192141] fs/cifs/cifsfs.c: Devname: //<ip_addr>/TestSMB/ flags: 0
[   48.192178] address conversion returned 1 for <ip_addr>
[   48.192205] fs/cifs/connect.c: Username: srivatsa
[   48.192222] fs/cifs/connect.c: file mode: 0x1ed  dir mode: 0x1ed
[   48.192280] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 0 with uid: 0
[   48.192302] fs/cifs/connect.c: UNC: \\<ip_addr>\TestSMB
[   48.192335] fs/cifs/connect.c: Socket created
[   48.192349] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6
[   48.193453] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 1 with uid: 0
[   48.193462] fs/cifs/connect.c: Demultiplex PID: 829
[   48.193492] fs/cifs/connect.c: Existing smb sess not found
[   48.193510] fs/cifs/smb2pdu.c: Negotiate protocol
[   48.193531] fs/cifs/transport.c: Sending smb: smb_len=102
[   48.194301] fs/cifs/connect.c: RFC1002 header 0xaa
[   48.194321] fs/cifs/smb2misc.c: smb2_check_message length: 0xae, smb_buf_length: 0xaa
[   48.194349] fs/cifs/smb2misc.c: SMB2 data length 42 offset 128
[   48.194367] fs/cifs/smb2misc.c: SMB2 len 174
[   48.194393] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[   48.194415] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.194436] fs/cifs/smb2pdu.c: mode 0x1
[   48.194448] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[   48.194466] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[   48.194484] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[   48.194502] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300007 TimeAdjust: 0
[   48.194525] fs/cifs/smb2pdu.c: Session Setup
[   48.194539] fs/cifs/transport.c: Sending smb: smb_len=120
[   48.194817] fs/cifs/connect.c: RFC1002 header 0x136
[   48.194836] fs/cifs/smb2misc.c: smb2_check_message length: 0x13a, smb_buf_length: 0x136
[   48.194859] fs/cifs/smb2misc.c: SMB2 data length 238 offset 72
[   48.195306] fs/cifs/smb2misc.c: SMB2 len 314
[   48.195740] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
[   48.196174] Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED
[   48.196605] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5
[   48.197043] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.210008] fs/cifs/transport.c: Sending smb: smb_len=412
[   48.211625] fs/cifs/connect.c: RFC1002 header 0x48
[   48.212060] fs/cifs/smb2misc.c: smb2_check_message length: 0x4c, smb_buf_length: 0x48
[   48.212494] fs/cifs/smb2misc.c: SMB2 data length 0 offset 72
[   48.212919] fs/cifs/smb2misc.c: SMB2 len 77
[   48.213364] fs/cifs/smb2misc.c: Calculated size 77 length 76 mismatch mid 2
[   48.213807] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4
[   48.214242] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.219385] fs/cifs/smb2pdu.c: SMB2/3 session established successfully
[   48.219831] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 1) rc = 0
[   48.220276] fs/cifs/connect.c: CIFS VFS: in cifs_get_tcon as Xid: 2 with uid: 0
[   48.220724] fs/cifs/smb2pdu.c: TCON
[   48.221182] fs/cifs/transport.c: Sending smb: smb_len=122
[   48.221830] fs/cifs/connect.c: RFC1002 header 0x50
[   48.222280] fs/cifs/smb2misc.c: smb2_check_message length: 0x54, smb_buf_length: 0x50
[   48.222734] fs/cifs/smb2misc.c: SMB2 len 84
[   48.223199] fs/cifs/transport.c: cifs_sync_mid_result: cmd=3 mid=3 state=4
[   48.223656] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.224107] fs/cifs/smb2pdu.c: connection to disk share
[   48.224560] fs/cifs/smb2pdu.c: validate negotiate
[   48.225015] fs/cifs/smb2pdu.c: SMB2 IOCTL
[   48.225456] fs/cifs/transport.c: Sending smb: smb_len=146
[   48.226049] fs/cifs/connect.c: RFC1002 header 0x49
[   48.226498] fs/cifs/smb2misc.c: smb2_check_message length: 0x4d, smb_buf_length: 0x49
[   48.226951] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
[   48.227408] fs/cifs/smb2misc.c: SMB2 len 77
[   48.227863] fs/cifs/transport.c: cifs_sync_mid_result: cmd=11 mid=4 state=4
[   48.228318] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
[   48.228780] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741790 to POSIX err -13
[   48.229265] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.229732] CIFS VFS: validate protocol negotiate failed: -13
[   48.230197] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_tcon (xid = 2) rc = -5
[   48.230681] fs/cifs/connect.c: Tcon rc = -5
[   48.231150] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\<ip_addr>\TestSMB
[   48.231634] fs/cifs/connect.c: cifs_put_smb_ses: ses_count=1
[   48.232101] fs/cifs/connect.c: CIFS VFS: in cifs_put_smb_ses as Xid: 3 with uid: 0
[   48.232569] fs/cifs/smb2pdu.c: disconnect session ffff8800b9189e00
[   48.233053] fs/cifs/transport.c: Sending smb: smb_len=68
[   48.233651] fs/cifs/connect.c: RFC1002 header 0x44
[   48.234116] fs/cifs/smb2misc.c: smb2_check_message length: 0x48, smb_buf_length: 0x44
[   48.234585] fs/cifs/smb2misc.c: SMB2 len 72
[   48.235063] fs/cifs/transport.c: cifs_sync_mid_result: cmd=2 mid=5 state=4
[   48.235541] SendRcvNoRsp flags 64 rc 0
[   48.236075] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 0) rc = -5
[   48.236556] CIFS VFS: cifs_mount failed w/return code = -5


Any thoughts on what is the right fix for stable kernels? Mounting SMB3
shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if
I pass the sec=ntlmsspi option to the mount command (as opposed to the
default: sec=ntlmssp). Please let me know if you need any other info.

Thank you!

Regards,
Srivatsa

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ