lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c4f8959b-15c5-b32f-18fc-8befb4f75da2@samba.org>
Date:   Wed, 16 Nov 2022 09:36:04 +0100
From:   Stefan Metzmacher <metze@...ba.org>
To:     Namjae Jeon <linkinjeon@...nel.org>
Cc:     David Howells <dhowells@...hat.com>, smfrench@...il.com,
        tom@...pey.com, Long Li <longli@...rosoft.com>,
        linux-cifs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cifs: Fix problem with encrypted RDMA data read

Am 16.11.22 um 06:19 schrieb Namjae Jeon:
> 2022-11-16 9:57 GMT+09:00, Stefan Metzmacher <metze@...ba.org>:
>> Hi David,
>>
>> see below...
>>
>>> When the cifs client is talking to the ksmbd server by RDMA and the ksmbd
>>> server has "smb3 encryption = yes" in its config file, the normal PDU
>>> stream is encrypted, but the directly-delivered data isn't in the stream
>>> (and isn't encrypted), but is rather delivered by DDP/RDMA packets (at
>>> least with IWarp).
>>>
>>> Currently, the direct delivery fails with:
>>>
>>>      buf can not contain only a part of read data
>>>      WARNING: CPU: 0 PID: 4619 at fs/cifs/smb2ops.c:4731
>>> handle_read_data+0x393/0x405
>>>      ...
>>>      RIP: 0010:handle_read_data+0x393/0x405
>>>      ...
>>>       smb3_handle_read_data+0x30/0x37
>>>       receive_encrypted_standard+0x141/0x224
>>>       cifs_demultiplex_thread+0x21a/0x63b
>>>       kthread+0xe7/0xef
>>>       ret_from_fork+0x22/0x30
>>>
>>> The problem apparently stemming from the fact that it's trying to manage
>>> the decryption, but the data isn't in the smallbuf, the bigbuf or the
>>> page
>>> array).
>>>
>>> This can be fixed simply by inserting an extra case into
>>> handle_read_data()
>>> that checks to see if use_rdma_mr is true, and if it is, just setting
>>> rdata->got_bytes to the length of data delivered and allowing normal
>>> continuation.
>>>
>>> This can be seen in an IWarp packet trace.  With the upstream code, it
>>> does
>>> a DDP/RDMA packet, which produces the warning above and then retries,
>>> retrieving the data inline, spread across several SMBDirect messages that
>>> get glued together into a single PDU.  With the patch applied, only the
>>> DDP/RDMA packet is seen.
>>>
>>> Note that this doesn't happen if the server isn't told to encrypt stuff
>>> and
>>> it does also happen with softRoCE.
>>>
>>> Signed-off-by: David Howells <dhowells@...hat.com>
>>> cc: Steve French <smfrench@...il.com>
>>> cc: Tom Talpey <tom@...pey.com>
>>> cc: Long Li <longli@...rosoft.com>
>>> cc: Namjae Jeon <linkinjeon@...nel.org>
>>> cc: Stefan Metzmacher <metze@...ba.org>
>>> cc: linux-cifs@...r.kernel.org
>>> ---
>>>
>>>    fs/cifs/smb2ops.c |    3 +++
>>>    1 file changed, 3 insertions(+)
>>>
>>> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
>>> index 880cd494afea..8d459f60f27b 100644
>>> --- a/fs/cifs/smb2ops.c
>>> +++ b/fs/cifs/smb2ops.c
>>> @@ -4726,6 +4726,9 @@ handle_read_data(struct TCP_Server_Info *server,
>>> struct mid_q_entry *mid,
>>>    		iov.iov_base = buf + data_offset;
>>>    		iov.iov_len = data_len;
>>>    		iov_iter_kvec(&iter, WRITE, &iov, 1, data_len);
>>> +	} else if (use_rdma_mr) {
>>> +		/* The data was delivered directly by RDMA. */
>>> +		rdata->got_bytes = data_len;
>>>    	} else {
>>>    		/* read response payload cannot be in both buf and pages */
>>>    		WARN_ONCE(1, "buf can not contain only a part of read data");
>>
>> I'm not sure I understand why this would fix anything when encryption is
>> enabled.
>>
>> Is the payload still be offloaded as plaintext? Otherwise we wouldn't have
>> use_rdma_mr...
>> So this rather looks like a fix for the non encrypted case.
> ksmbd doesn't encrypt RDMA payload on read/write operation, Currently
> only smb2 response is encrypted for this. And as you pointed out, We
> need to implement SMB2 RDMA Transform to encrypt it.

I haven't tested against a windows server yet, but my hope would be that
and encrypted request with SMB2_CHANNEL_RDMA_V1* receive NT_STATUS_ACCESS_DENIED or something similar...

Is someone able to check that against Windows?

But the core of it is a client security problem, shown in David's capture in frame 100.

metze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ