cve/published/2024/CVE-2024-46795.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46795: ksmbd: unset the binding mark of a reused connection

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ksmbd: unset the binding mark of a reused connection

 Steve French reported null pointer dereference error from sha256 lib.
 cifs.ko can send session setup requests on reused connection.
 If reused connection is used for binding session, conn->binding can
 still remain true and generate_preauth_hash() will not set
 sess->Preauth_HashValue and it will be NULL.
 It is used as a material to create an encryption key in
 ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
 dereference error from crypto_shash_update().

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 8 PID: 429254 Comm: kworker/8:39
 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
 Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
 RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
 <TASK>
 ? show_regs+0x6d/0x80
 ? __die+0x24/0x80
 ? page_fault_oops+0x99/0x1b0
 ? do_user_addr_fault+0x2ee/0x6b0
 ? exc_page_fault+0x83/0x1b0
 ? asm_exc_page_fault+0x27/0x30
 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
 ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
 _sha256_update+0x77/0xa0 [sha256_ssse3]
 sha256_avx2_update+0x15/0x30 [sha256_ssse3]
 crypto_shash_update+0x1e/0x40
 hmac_update+0x12/0x20
 crypto_shash_update+0x1e/0x40
 generate_key+0x234/0x380 [ksmbd]
 generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
 ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
 ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
 smb2_sess_setup+0x952/0xaa0 [ksmbd]
 __process_request+0xa3/0x1d0 [ksmbd]
 __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
 handle_ksmbd_work+0x2d/0xa0 [ksmbd]
 process_one_work+0x16c/0x350
 worker_thread+0x306/0x440
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xef/0x120
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x44/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

 The Linux kernel CVE team has assigned CVE-2024-46795 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 5.15.167 with commit 9914f1bd61d5e838bb1ab15a71076d37a6db65d1
 	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.1.110 with commit 93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02
 	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.6.51 with commit 41bc256da7e47b679df87c7fc7a5b393052b9cce
 	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.10.10 with commit 4c8496f44f5bb5c06cdef5eb130ab259643392a1
 	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.11 with commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46795
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/smb/server/smb2pdu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9914f1bd61d5e838bb1ab15a71076d37a6db65d1
 	https://git.kernel.org/stable/c/93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02
 	https://git.kernel.org/stable/c/41bc256da7e47b679df87c7fc7a5b393052b9cce
 	https://git.kernel.org/stable/c/4c8496f44f5bb5c06cdef5eb130ab259643392a1
 	https://git.kernel.org/stable/c/78c5a6f1f630172b19af4912e755e1da93ef0ab5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46795: ksmbd: unset the binding mark of a reused connection

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ksmbd: unset the binding mark of a reused connection

	Steve French reported null pointer dereference error from sha256 lib.
	cifs.ko can send session setup requests on reused connection.
	If reused connection is used for binding session, conn->binding can
	still remain true and generate_preauth_hash() will not set
	sess->Preauth_HashValue and it will be NULL.
	It is used as a material to create an encryption key in
	ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
	dereference error from crypto_shash_update().

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 8 PID: 429254 Comm: kworker/8:39
	Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
	Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
	RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
	<TASK>
	? show_regs+0x6d/0x80
	? __die+0x24/0x80
	? page_fault_oops+0x99/0x1b0
	? do_user_addr_fault+0x2ee/0x6b0
	? exc_page_fault+0x83/0x1b0
	? asm_exc_page_fault+0x27/0x30
	? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
	? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
	? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
	? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
	_sha256_update+0x77/0xa0 [sha256_ssse3]
	sha256_avx2_update+0x15/0x30 [sha256_ssse3]
	crypto_shash_update+0x1e/0x40
	hmac_update+0x12/0x20
	crypto_shash_update+0x1e/0x40
	generate_key+0x234/0x380 [ksmbd]
	generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
	ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
	ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
	smb2_sess_setup+0x952/0xaa0 [ksmbd]
	__process_request+0xa3/0x1d0 [ksmbd]
	__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
	handle_ksmbd_work+0x2d/0xa0 [ksmbd]
	process_one_work+0x16c/0x350
	worker_thread+0x306/0x440
	? __pfx_worker_thread+0x10/0x10
	kthread+0xef/0x120
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x44/0x70
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1b/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-46795 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 5.15.167 with commit 9914f1bd61d5e838bb1ab15a71076d37a6db65d1
	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.1.110 with commit 93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02
	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.6.51 with commit 41bc256da7e47b679df87c7fc7a5b393052b9cce
	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.10.10 with commit 4c8496f44f5bb5c06cdef5eb130ab259643392a1
	Issue introduced in 5.15 with commit f5a544e3bab78142207e0242d22442db85ba1eff and fixed in 6.11 with commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46795
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/smb/server/smb2pdu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9914f1bd61d5e838bb1ab15a71076d37a6db65d1
	https://git.kernel.org/stable/c/93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02
	https://git.kernel.org/stable/c/41bc256da7e47b679df87c7fc7a5b393052b9cce
	https://git.kernel.org/stable/c/4c8496f44f5bb5c06cdef5eb130ab259643392a1
	https://git.kernel.org/stable/c/78c5a6f1f630172b19af4912e755e1da93ef0ab5