smb: client: fix UAF in smb2_reconnect_server()

PlaidCat · PlaidCat · commit 4a3168748275 · 2025-11-06T14:30:36.000-05:00
jira LE-4669 cve CVE-2024-35870 Rebuild_History Non-Buildable kernel-4.18.0-553.82.1.el8_10 commit-author Paulo Alcantara <pc@manguebit.com> commit 24a9799 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.82.1.el8_10/24a9799a.failed The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 24a9799) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/cifs/connect.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.82.1.el8_10/24a9799a.failed b/ciq/ciq_backports/kernel-4.18.0-553.82.1.el8_10/24a9799a.failed
@@ -0,0 +1,395 @@
+smb: client: fix UAF in smb2_reconnect_server()
+
+jira LE-4669
+cve CVE-2024-35870
+Rebuild_History Non-Buildable kernel-4.18.0-553.82.1.el8_10
+commit-author Paulo Alcantara <pc@manguebit.com>
+commit 24a9799aa8efecd0eb55a75e35f9d8e6400063aa
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.82.1.el8_10/24a9799a.failed
+
+The UAF bug is due to smb2_reconnect_server() accessing a session that
+is already being teared down by another thread that is executing
+__cifs_put_smb_ses().  This can happen when (a) the client has
+connection to the server but no session or (b) another thread ends up
+setting @ses->ses_status again to something different than
+SES_EXITING.
+
+To fix this, we need to make sure to unconditionally set
+@ses->ses_status to SES_EXITING and prevent any other threads from
+setting a new status while we're still tearing it down.
+
+The following can be reproduced by adding some delay to right after
+the ipc is freed in __cifs_put_smb_ses() - which will give
+smb2_reconnect_server() worker a chance to run and then accessing
+@ses->ipc:
+
+kinit ...
+mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10
+[disconnect srv]
+ls /mnt/1 &>/dev/null
+sleep 30
+kdestroy
+[reconnect srv]
+sleep 10
+umount /mnt/1
+...
+CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
+CIFS: VFS: \\srv Send error in SessSetup = -126
+CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
+CIFS: VFS: \\srv Send error in SessSetup = -126
+general protection fault, probably for non-canonical address
+0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39
+04/01/2014
+Workqueue: cifsiod smb2_reconnect_server [cifs]
+RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0
+Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad
+de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75
+7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8
+RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83
+RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b
+RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800
+RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000
+R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000
+FS: 0000000000000000(0000) GS:ffff888157c00000(0000)
+knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? die_addr+0x36/0x90
+ ? exc_general_protection+0x1c1/0x3f0
+ ? asm_exc_general_protection+0x26/0x30
+ ? __list_del_entry_valid_or_report+0x33/0xf0
+ __cifs_put_smb_ses+0x1ae/0x500 [cifs]
+ smb2_reconnect_server+0x4ed/0x710 [cifs]
+ process_one_work+0x205/0x6b0
+ worker_thread+0x191/0x360
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe2/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+	Cc: stable@vger.kernel.org
+	Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+	Signed-off-by: Steve French <stfrench@microsoft.com>
+(cherry picked from commit 24a9799aa8efecd0eb55a75e35f9d8e6400063aa)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/cifs/connect.c
+diff --cc fs/cifs/connect.c
+index ca2926c7b59e,ee29bc57300c..000000000000
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@@ -164,39 -144,161 +164,132 @@@ static void smb2_query_server_interface
+  			   (SMB_INTERFACE_POLL_INTERVAL * HZ));
+  }
+  
+ -/*
+ - * Update the tcpStatus for the server.
+ - * This is used to signal the cifsd thread to call cifs_reconnect
+ - * ONLY cifsd thread should call cifs_reconnect. For any other
+ - * thread, use this function
+ - *
+ - * @server: the tcp ses for which reconnect is needed
+ - * @all_channels: if this needs to be done for all channels
+ - */
+ -void
+ -cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server,
+ -				bool all_channels)
+ +static void cifs_resolve_server(struct work_struct *work)
+  {
+ -	struct TCP_Server_Info *pserver;
+ -	struct cifs_ses *ses;
+ -	int i;
+ +	int rc;
+ +	struct TCP_Server_Info *server = container_of(work,
+ +					struct TCP_Server_Info, resolve.work);
+  
+ -	/* If server is a channel, select the primary channel */
+ -	pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
+ +	mutex_lock(&server->srv_mutex);
+  
+ -	/* if we need to signal just this channel */
+ -	if (!all_channels) {
+ -		spin_lock(&server->srv_lock);
+ -		if (server->tcpStatus != CifsExiting)
+ -			server->tcpStatus = CifsNeedReconnect;
+ -		spin_unlock(&server->srv_lock);
+ -		return;
+ +	/*
+ +	 * Resolve the hostname again to make sure that IP address is up-to-date.
+ +	 */
+ +	rc = reconn_set_ipaddr_from_hostname(server);
+ +	if (rc) {
+ +		cifs_dbg(FYI, "%s: failed to resolve hostname: %d\n",
+ +				__func__, rc);
+  	}
+  
+ -	spin_lock(&cifs_tcp_ses_lock);
+ -	list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
+ -		spin_lock(&ses->chan_lock);
+ -		for (i = 0; i < ses->chan_count; i++) {
+ -			if (!ses->chans[i].server)
+ -				continue;
+ -
+ -			spin_lock(&ses->chans[i].server->srv_lock);
+ -			if (ses->chans[i].server->tcpStatus != CifsExiting)
+ -				ses->chans[i].server->tcpStatus = CifsNeedReconnect;
+ -			spin_unlock(&ses->chans[i].server->srv_lock);
+ -		}
+ -		spin_unlock(&ses->chan_lock);
+ -	}
+ -	spin_unlock(&cifs_tcp_ses_lock);
+ +	mutex_unlock(&server->srv_mutex);
+  }
+  
+ -/*
+ +/**
+   * Mark all sessions and tcons for reconnect.
+ - * IMPORTANT: make sure that this gets called only from
+ - * cifsd thread. For any other thread, use
+ - * cifs_signal_cifsd_for_reconnect
+   *
+ - * @server: the tcp ses for which reconnect is needed
+   * @server needs to be previously set to CifsNeedReconnect.
+ - * @mark_smb_session: whether even sessions need to be marked
+   */
+ -void
+ -cifs_mark_tcp_ses_conns_for_reconnect(struct TCP_Server_Info *server,
+ -				      bool mark_smb_session)
+ +static void cifs_mark_tcp_ses_conns_for_reconnect(struct TCP_Server_Info *server)
+  {
+ -	struct TCP_Server_Info *pserver;
+ -	struct cifs_ses *ses, *nses;
+ +	unsigned int num_sessions = 0;
+ +	struct cifs_ses *ses;
+  	struct cifs_tcon *tcon;
+++<<<<<<< HEAD:fs/cifs/connect.c
+++=======
++ 
++ 	/*
++ 	 * before reconnecting the tcp session, mark the smb session (uid) and the tid bad so they
++ 	 * are not used until reconnected.
++ 	 */
++ 	cifs_dbg(FYI, "%s: marking necessary sessions and tcons for reconnect\n", __func__);
++ 
++ 	/* If server is a channel, select the primary channel */
++ 	pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
++ 
++ 	/*
++ 	 * if the server has been marked for termination, there is a
++ 	 * chance that the remaining channels all need reconnect. To be
++ 	 * on the safer side, mark the session and trees for reconnect
++ 	 * for this scenario. This might cause a few redundant session
++ 	 * setup and tree connect requests, but it is better than not doing
++ 	 * a tree connect when needed, and all following requests failing
++ 	 */
++ 	if (server->terminate) {
++ 		mark_smb_session = true;
++ 		server = pserver;
++ 	}
++ 
++ 	spin_lock(&cifs_tcp_ses_lock);
++ 	list_for_each_entry_safe(ses, nses, &pserver->smb_ses_list, smb_ses_list) {
++ 		spin_lock(&ses->ses_lock);
++ 		if (ses->ses_status == SES_EXITING) {
++ 			spin_unlock(&ses->ses_lock);
++ 			continue;
++ 		}
++ 		spin_unlock(&ses->ses_lock);
++ 
++ 		spin_lock(&ses->chan_lock);
++ 		if (cifs_ses_get_chan_index(ses, server) ==
++ 		    CIFS_INVAL_CHAN_INDEX) {
++ 			spin_unlock(&ses->chan_lock);
++ 			continue;
++ 		}
++ 
++ 		if (!cifs_chan_is_iface_active(ses, server)) {
++ 			spin_unlock(&ses->chan_lock);
++ 			cifs_chan_update_iface(ses, server);
++ 			spin_lock(&ses->chan_lock);
++ 		}
++ 
++ 		if (!mark_smb_session && cifs_chan_needs_reconnect(ses, server)) {
++ 			spin_unlock(&ses->chan_lock);
++ 			continue;
++ 		}
++ 
++ 		if (mark_smb_session)
++ 			CIFS_SET_ALL_CHANS_NEED_RECONNECT(ses);
++ 		else
++ 			cifs_chan_set_need_reconnect(ses, server);
++ 
++ 		cifs_dbg(FYI, "%s: channel connect bitmap: 0x%lx\n",
++ 			 __func__, ses->chans_need_reconnect);
++ 
++ 		/* If all channels need reconnect, then tcon needs reconnect */
++ 		if (!mark_smb_session && !CIFS_ALL_CHANS_NEED_RECONNECT(ses)) {
++ 			spin_unlock(&ses->chan_lock);
++ 			continue;
++ 		}
++ 		spin_unlock(&ses->chan_lock);
++ 
++ 		spin_lock(&ses->ses_lock);
++ 		ses->ses_status = SES_NEED_RECON;
++ 		spin_unlock(&ses->ses_lock);
++ 
++ 		list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
++ 			tcon->need_reconnect = true;
++ 			spin_lock(&tcon->tc_lock);
++ 			tcon->status = TID_NEED_RECON;
++ 			spin_unlock(&tcon->tc_lock);
++ 
++ 			cancel_delayed_work(&tcon->query_interfaces);
++ 		}
++ 		if (ses->tcon_ipc) {
++ 			ses->tcon_ipc->need_reconnect = true;
++ 			spin_lock(&ses->tcon_ipc->tc_lock);
++ 			ses->tcon_ipc->status = TID_NEED_RECON;
++ 			spin_unlock(&ses->tcon_ipc->tc_lock);
++ 		}
++ 	}
++ 	spin_unlock(&cifs_tcp_ses_lock);
++ }
++ 
++ static void
++ cifs_abort_connection(struct TCP_Server_Info *server)
++ {
+++>>>>>>> 24a9799aa8ef (smb: client: fix UAF in smb2_reconnect_server()):fs/smb/client/connect.c
+  	struct mid_q_entry *mid, *nmid;
+  	struct list_head retry_list;
+ +	struct TCP_Server_Info *pserver;
+  
+  	server->maxBuf = 0;
+  	server->max_read = 0;
+@@@ -1774,54 -1976,70 +1842,97 @@@ cifs_find_smb_ses(struct TCP_Server_Inf
+  
+  	spin_lock(&cifs_tcp_ses_lock);
+  	list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+ -		spin_lock(&ses->ses_lock);
+ -		if (ses->ses_status == SES_EXITING) {
+ -			spin_unlock(&ses->ses_lock);
+ +		if (ses->status == CifsExiting)
+  			continue;
+ -		}
+  		spin_lock(&ses->chan_lock);
+ -		if (match_session(ses, ctx)) {
+ +		if (!match_session(ses, ctx)) {
+  			spin_unlock(&ses->chan_lock);
+ -			spin_unlock(&ses->ses_lock);
+ -			ret = ses;
+ -			break;
+ +			continue;
+  		}
+  		spin_unlock(&ses->chan_lock);
+ -		spin_unlock(&ses->ses_lock);
+ +		++ses->ses_count;
+ +		spin_unlock(&cifs_tcp_ses_lock);
+ +		return ses;
+  	}
+ -	if (ret)
+ -		cifs_smb_ses_inc_refcount(ret);
+  	spin_unlock(&cifs_tcp_ses_lock);
+ -	return ret;
+ +	return NULL;
+  }
+  
+ -void __cifs_put_smb_ses(struct cifs_ses *ses)
+ +void cifs_put_smb_ses(struct cifs_ses *ses)
+  {
+ +	unsigned int rc, xid;
+ +	unsigned int chan_count;
+  	struct TCP_Server_Info *server = ses->server;
+ -	struct cifs_tcon *tcon;
+ -	unsigned int xid;
+ -	size_t i;
+ -	bool do_logoff;
+ -	int rc;
+++<<<<<<< HEAD:fs/cifs/connect.c
+  
+  	spin_lock(&cifs_tcp_ses_lock);
+ -	spin_lock(&ses->ses_lock);
+ -	cifs_dbg(FYI, "%s: id=0x%llx ses_count=%d ses_status=%u ipc=%s\n",
+ -		 __func__, ses->Suid, ses->ses_count, ses->ses_status,
+ +	if (ses->status == CifsExiting) {
+ +		spin_unlock(&cifs_tcp_ses_lock);
+ +		return;
+ +	}
+ +
+ +	cifs_dbg(FYI, "%s: ses_count=%d\n", __func__, ses->ses_count);
+ +	cifs_dbg(FYI, "%s: ses ipc: %s\n", __func__, ses->tcon_ipc ? ses->tcon_ipc->treeName : "NONE");
+ +
+ +	if (--ses->ses_count > 0) {
+ +		spin_unlock(&cifs_tcp_ses_lock);
+ +		return;
+ +	}
+ +	spin_unlock(&cifs_tcp_ses_lock);
+ +
+ +	/* ses_count can never go negative */
+ +	WARN_ON(ses->ses_count < 0);
+ +
+ +	spin_lock(&GlobalMid_Lock);
+ +	if (ses->status == CifsGood)
+ +		ses->status = CifsExiting;
+ +	spin_unlock(&GlobalMid_Lock);
+ +
+ +	cifs_free_ipc(ses);
+ +
+ +	if (ses->status == CifsExiting && server->ops->logoff) {
+++=======
+++	struct cifs_tcon *tcon;
+++	unsigned int xid;
+++	size_t i;
+++	bool do_logoff;
+++	int rc;
+++
+++	spin_lock(&cifs_tcp_ses_lock);
+++	spin_lock(&ses->ses_lock);
+++	cifs_dbg(FYI, "%s: id=0x%llx ses_count=%d ses_status=%u ipc=%s\n",
+++		 __func__, ses->Suid, ses->ses_count, ses->ses_status,
++ 		 ses->tcon_ipc ? ses->tcon_ipc->tree_name : "none");
++ 	if (ses->ses_status == SES_EXITING || --ses->ses_count > 0) {
++ 		spin_unlock(&ses->ses_lock);
++ 		spin_unlock(&cifs_tcp_ses_lock);
++ 		return;
++ 	}
++ 	/* ses_count can never go negative */
++ 	WARN_ON(ses->ses_count < 0);
++ 
++ 	spin_lock(&ses->chan_lock);
++ 	cifs_chan_clear_need_reconnect(ses, server);
++ 	spin_unlock(&ses->chan_lock);
++ 
++ 	do_logoff = ses->ses_status == SES_GOOD && server->ops->logoff;
++ 	ses->ses_status = SES_EXITING;
++ 	tcon = ses->tcon_ipc;
++ 	ses->tcon_ipc = NULL;
++ 	spin_unlock(&ses->ses_lock);
++ 	spin_unlock(&cifs_tcp_ses_lock);
++ 
++ 	/*
++ 	 * On session close, the IPC is closed and the server must release all
++ 	 * tcons of the session.  No need to send a tree disconnect here.
++ 	 *
++ 	 * Besides, it will make the server to not close durable and resilient
++ 	 * files on session close, as specified in MS-SMB2 3.3.5.6 Receiving an
++ 	 * SMB2 LOGOFF Request.
++ 	 */
++ 	tconInfoFree(tcon);
++ 	if (do_logoff) {
+++>>>>>>> 24a9799aa8ef (smb: client: fix UAF in smb2_reconnect_server()):fs/smb/client/connect.c
+  		xid = get_xid();
+  		rc = server->ops->logoff(xid, ses);
+  		if (rc)
+* Unmerged path fs/cifs/connect.c
