cve/published/2024/CVE-2024-50047.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50047: smb: client: fix UAF in async decryption

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 smb: client: fix UAF in async decryption

 Doing an async decryption (large read) crashes with a
 slab-use-after-free way down in the crypto API.

 Reproducer:
     # mount.cifs -o ...,seal,esize=1 //srv/share /mnt
     # dd if=/mnt/largefile of=/dev/null
     ...
     [  194.196391] ==================================================================
     [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
     [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
     [  194.197707]
     [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
     [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
     [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
     [  194.200032] Call Trace:
     [  194.200191]  <TASK>
     [  194.200327]  dump_stack_lvl+0x4e/0x70
     [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110
     [  194.200809]  print_report+0x174/0x505
     [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
     [  194.201352]  ? srso_return_thunk+0x5/0x5f
     [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0
     [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110
     [  194.202128]  kasan_report+0xc8/0x150
     [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110
     [  194.202616]  gf128mul_4k_lle+0xc1/0x110
     [  194.202863]  ghash_update+0x184/0x210
     [  194.203103]  shash_ahash_update+0x184/0x2a0
     [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10
     [  194.203651]  ? srso_return_thunk+0x5/0x5f
     [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340
     [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140
     [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]
     [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]
     [  194.208507]  ? srso_return_thunk+0x5/0x5f
     [  194.209205]  ? srso_return_thunk+0x5/0x5f
     [  194.209925]  ? srso_return_thunk+0x5/0x5f
     [  194.210443]  ? srso_return_thunk+0x5/0x5f
     [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]
     [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
     [  194.214670]  ? srso_return_thunk+0x5/0x5f
     [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]

 This is because TFM is being used in parallel.

 Fix this by allocating a new AEAD TFM for async decryption, but keep
 the existing one for synchronous READ cases (similar to what is done
 in smb3_calc_signature()).

 Also remove the calls to aead_request_set_callback() and
 crypto_wait_req() since it's always going to be a synchronous operation.

 The Linux kernel CVE team has assigned CVE-2024-50047 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.237 with commit 8f14a476abba13144df5434871a7225fd29af633
 	Fixed in 5.15.181 with commit ef51c0d544b1518b35364480317ab6d3468f205d
 	Fixed in 6.1.128 with commit bce966530fd5542bbb422cb45ecb775f7a1a6bc3
 	Fixed in 6.6.57 with commit 0809fb86ad13b29e1d6d491364fc7ea4fb545995
 	Fixed in 6.11.4 with commit 538c26d9bf70c90edc460d18c81008a4e555925a
 	Fixed in 6.12 with commit b0abcd65ec545701b8793e12bc27dc98042b151a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50047
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/smb/client/smb2ops.c
 	fs/smb/client/smb2pdu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8f14a476abba13144df5434871a7225fd29af633
 	https://git.kernel.org/stable/c/ef51c0d544b1518b35364480317ab6d3468f205d
 	https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3
 	https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995
 	https://git.kernel.org/stable/c/538c26d9bf70c90edc460d18c81008a4e555925a
 	https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50047: smb: client: fix UAF in async decryption

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	smb: client: fix UAF in async decryption

	Doing an async decryption (large read) crashes with a
	slab-use-after-free way down in the crypto API.

	Reproducer:
	# mount.cifs -o ...,seal,esize=1 //srv/share /mnt
	# dd if=/mnt/largefile of=/dev/null
	...
	[ 194.196391] ==================================================================
	[ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
	[ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
	[ 194.197707]
	[ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
	[ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
	[ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
	[ 194.200032] Call Trace:
	[ 194.200191] <TASK>
	[ 194.200327] dump_stack_lvl+0x4e/0x70
	[ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
	[ 194.200809] print_report+0x174/0x505
	[ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
	[ 194.201352] ? srso_return_thunk+0x5/0x5f
	[ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
	[ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
	[ 194.202128] kasan_report+0xc8/0x150
	[ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
	[ 194.202616] gf128mul_4k_lle+0xc1/0x110
	[ 194.202863] ghash_update+0x184/0x210
	[ 194.203103] shash_ahash_update+0x184/0x2a0
	[ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
	[ 194.203651] ? srso_return_thunk+0x5/0x5f
	[ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
	[ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
	[ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
	[ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
	[ 194.208507] ? srso_return_thunk+0x5/0x5f
	[ 194.209205] ? srso_return_thunk+0x5/0x5f
	[ 194.209925] ? srso_return_thunk+0x5/0x5f
	[ 194.210443] ? srso_return_thunk+0x5/0x5f
	[ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
	[ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
	[ 194.214670] ? srso_return_thunk+0x5/0x5f
	[ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]

	This is because TFM is being used in parallel.

	Fix this by allocating a new AEAD TFM for async decryption, but keep
	the existing one for synchronous READ cases (similar to what is done
	in smb3_calc_signature()).

	Also remove the calls to aead_request_set_callback() and
	crypto_wait_req() since it's always going to be a synchronous operation.

	The Linux kernel CVE team has assigned CVE-2024-50047 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.237 with commit 8f14a476abba13144df5434871a7225fd29af633
	Fixed in 5.15.181 with commit ef51c0d544b1518b35364480317ab6d3468f205d
	Fixed in 6.1.128 with commit bce966530fd5542bbb422cb45ecb775f7a1a6bc3
	Fixed in 6.6.57 with commit 0809fb86ad13b29e1d6d491364fc7ea4fb545995
	Fixed in 6.11.4 with commit 538c26d9bf70c90edc460d18c81008a4e555925a
	Fixed in 6.12 with commit b0abcd65ec545701b8793e12bc27dc98042b151a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50047
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/smb/client/smb2ops.c
	fs/smb/client/smb2pdu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8f14a476abba13144df5434871a7225fd29af633
	https://git.kernel.org/stable/c/ef51c0d544b1518b35364480317ab6d3468f205d
	https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3
	https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995
	https://git.kernel.org/stable/c/538c26d9bf70c90edc460d18c81008a4e555925a
	https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a