queue-5.15/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From alvalan9@foxmail.com Wed Feb 25 11:34:13 2026
 From: Alva Lan <alvalan9@foxmail.com>
 Date: Wed, 25 Feb 2026 18:33:45 +0800
 Subject: ksmbd: fix null pointer dereference error in generate_encryptionkey
 To: stable@vger.kernel.org, gregkh@linuxfoundation.org
 Cc: Namjae Jeon <linkinjeon@kernel.org>, zdi-disclosures@trendmicro.com, Steve French <stfrench@microsoft.com>, Alva Lan <alvalan9@foxmail.com>
 Message-ID: <tencent_C3D62F38B3307E0DE0B470350C1FCD926008@qq.com>

 From: Namjae Jeon <linkinjeon@kernel.org>

 [ Upstream commit 9b493ab6f35178afd8d619800df9071992f715de ]

 If client send two session setups with krb5 authenticate to ksmbd,
 null pointer dereference error in generate_encryptionkey could happen.
 sess->Preauth_HashValue is set to NULL if session is valid.
 So this patch skip generate encryption key if session is valid.

 Cc: stable@vger.kernel.org
 Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27654
 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 Signed-off-by: Alva Lan <alvalan9@foxmail.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  fs/ksmbd/smb2pdu.c |   18 ++++++++++++++++--
  1 file changed, 16 insertions(+), 2 deletions(-)

 --- a/fs/ksmbd/smb2pdu.c
 +++ b/fs/ksmbd/smb2pdu.c
 @@ -1628,11 +1628,24 @@ static int krb5_authenticate(struct ksmb
  	}
  	rsp->SecurityBufferLength = cpu_to_le16(out_len);

 -	if ((conn->sign || server_conf.enforced_signing) ||
 +	/*
 +	 * If session state is SMB2_SESSION_VALID, We can assume
 +	 * that it is reauthentication. And the user/password
 +	 * has been verified, so return it here.
 +	 */
 +	if (sess->state == SMB2_SESSION_VALID) {
 +		if (conn->binding)
 +			goto binding_session;
 +		return 0;
 +	}
 +
 +	if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE &&
 +	    (conn->sign || server_conf.enforced_signing)) ||
  	    (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
  		sess->sign = true;

 -	if (smb3_encryption_negotiated(conn)) {
 +	if (smb3_encryption_negotiated(conn) &&
 +	    !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
  		retval = conn->ops->generate_encryptionkey(conn, sess);
  		if (retval) {
  			ksmbd_debug(SMB,
 @@ -1645,6 +1658,7 @@ static int krb5_authenticate(struct ksmb
  		sess->sign = false;
  	}

 +binding_session:
  	if (conn->dialect >= SMB30_PROT_ID) {
  		chann = lookup_chann_list(sess, conn);
  		if (!chann) {
	From alvalan9@foxmail.com Wed Feb 25 11:34:13 2026
	From: Alva Lan <alvalan9@foxmail.com>
	Date: Wed, 25 Feb 2026 18:33:45 +0800
	Subject: ksmbd: fix null pointer dereference error in generate_encryptionkey
	To: stable@vger.kernel.org, gregkh@linuxfoundation.org
	Cc: Namjae Jeon <linkinjeon@kernel.org>, zdi-disclosures@trendmicro.com, Steve French <stfrench@microsoft.com>, Alva Lan <alvalan9@foxmail.com>
	Message-ID: <tencent_C3D62F38B3307E0DE0B470350C1FCD926008@qq.com>

	From: Namjae Jeon <linkinjeon@kernel.org>

	[ Upstream commit 9b493ab6f35178afd8d619800df9071992f715de ]

	If client send two session setups with krb5 authenticate to ksmbd,
	null pointer dereference error in generate_encryptionkey could happen.
	sess->Preauth_HashValue is set to NULL if session is valid.
	So this patch skip generate encryption key if session is valid.

	Cc: stable@vger.kernel.org
	Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27654
	Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
	Signed-off-by: Steve French <stfrench@microsoft.com>
	Signed-off-by: Alva Lan <alvalan9@foxmail.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	fs/ksmbd/smb2pdu.c \| 18 ++++++++++++++++--
	1 file changed, 16 insertions(+), 2 deletions(-)

	--- a/fs/ksmbd/smb2pdu.c
	+++ b/fs/ksmbd/smb2pdu.c
	@@ -1628,11 +1628,24 @@ static int krb5_authenticate(struct ksmb
	}
	rsp->SecurityBufferLength = cpu_to_le16(out_len);

	- if ((conn->sign \|\| server_conf.enforced_signing) \|\|
	+ /*
	+ * If session state is SMB2_SESSION_VALID, We can assume
	+ * that it is reauthentication. And the user/password
	+ * has been verified, so return it here.
	+ */
	+ if (sess->state == SMB2_SESSION_VALID) {
	+ if (conn->binding)
	+ goto binding_session;
	+ return 0;
	+ }
	+
	+ if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE &&
	+ (conn->sign \|\| server_conf.enforced_signing)) \|\|
	(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
	sess->sign = true;

	- if (smb3_encryption_negotiated(conn)) {
	+ if (smb3_encryption_negotiated(conn) &&
	+ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
	retval = conn->ops->generate_encryptionkey(conn, sess);
	if (retval) {
	ksmbd_debug(SMB,
	@@ -1645,6 +1658,7 @@ static int krb5_authenticate(struct ksmb
	sess->sign = false;
	}

	+binding_session:
	if (conn->dialect >= SMB30_PROT_ID) {
	chann = lookup_chann_list(sess, conn);
	if (!chann) {