1. 20 Jul, 2016 2 commits
    • cifs: fix crash due to race in hmac(md5) handling · bd975d1e
      Rabin Vincent committed
      The secmech hmac(md5) structures are present in the TCP_Server_Info
      struct and can be shared among multiple CIFS sessions.  However, the
      server mutex is not currently held when these structures are allocated
      and used, which can lead to kernel crashes, as in the scenario below:
      
      mount.cifs(8) #1				mount.cifs(8) #2
      
      Is secmech.sdeschmaccmd5 allocated?
      // false
      
      						Is secmech.sdeschmaccmd5 allocated?
      						// false
      
      secmech.hmacmd = crypto_alloc_shash..
      secmech.sdeschmaccmd5 = kzalloc..
      sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
      
      						secmech.sdeschmaccmd5 = kzalloc
      						// sdeschmaccmd5->shash.tfm
      						// not yet assigned
      
      crypto_shash_update()
       deref NULL sdeschmaccmd5->shash.tfm
      
       Unable to handle kernel paging request at virtual address 00000030
       epc   : 8027ba34 crypto_shash_update+0x38/0x158
       ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
       Call Trace:
        crypto_shash_update+0x38/0x158
        setup_ntlmv2_rsp+0x4bc/0xa84
        build_ntlmssp_auth_blob+0xbc/0x34c
        sess_auth_rawntlmssp_authenticate+0xac/0x248
        CIFS_SessSetup+0xf0/0x178
        cifs_setup_session+0x4c/0x84
        cifs_get_smb_ses+0x2c8/0x314
        cifs_mount+0x38c/0x76c
        cifs_do_mount+0x98/0x440
        mount_fs+0x20/0xc0
        vfs_kern_mount+0x58/0x138
        do_mount+0x1e8/0xccc
        SyS_mount+0x88/0xd4
        syscall_common+0x30/0x54
      
      Fix this by locking the srv_mutex around the code which uses these
      hmac(md5) structures.  All the other secmech algos already have similar
      locking.
      
      Fixes: 95dc8dd1 ("Limit allocation of crypto mechanisms to dialect which requires")
      Signed-off-by: Rabin Vincent <rabinv@axis.com>
      Acked-by: Sachin Prabhu <sprabhu@redhat.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: Steve French <smfrench@gmail.com>
    • cifs: unbreak TCP session reuse · b782fcc1
      Rabin Vincent committed
      adfeb3e0 ("cifs: Make echo interval tunable") added a comparison of
      vol->echo_interval to server->echo_interval as a criterion to
      match_server(), but:
      
       (1) A default value is set for server->echo_interval but not for
       vol->echo_interval, meaning these can never match if the echo_interval
       option is not specified.
      
       (2) vol->echo_interval is in seconds but server->echo_interval is in
       jiffies, meaning these can never match even if the echo_interval option
       is specified.
      
      This broke TCP session reuse since match_server() can never return 1.
      Fix it.
      
      Fixes: adfeb3e0 ("cifs: Make echo interval tunable")
      Signed-off-by: Rabin Vincent <rabinv@axis.com>
      Acked-by: Sachin Prabhu <sprabhu@redhat.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: Steve French <smfrench@gmail.com>
  2. 13 Jul, 2016 1 commit
  3. 12 Jul, 2016 1 commit
  4. 11 Jul, 2016 3 commits
  5. 09 Jul, 2016 8 commits
  6. 08 Jul, 2016 18 commits
  7. 07 Jul, 2016 7 commits
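
The interleaving described in the first commit message above (bd975d1e), replayed as a deterministic user-space model; this is an added example, not code from the kernel or from the patch. The step names, the `pool` and `owner` fields and the function `null_tfm_uses` are assumptions made for the illustration, and the `locked` flag models holding srv_mutex across the check, the allocation and the use.

```c
/* Added example: deterministic user-space model of the race, not kernel code. */
#include <stddef.h>
#include <string.h>

enum { CHECK, ALLOC_TFM, ALLOC_SDESC, SET_TFM, USE, DONE };

struct sdesc { void *tfm; };        /* models sdeschmaccmd5->shash.tfm */
struct server {
    void *hmac;                     /* models secmech.hmacmd */
    struct sdesc *sdesc;            /* models secmech.sdeschmaccmd5 */
    struct sdesc pool[2];           /* stands in for kzalloc, one slot per mount */
    int owner;                      /* models srv_mutex: 0 = free, else holder id */
};

static int tfm_obj;                 /* stands in for the crypto_alloc_shash result */

/* Advance mount `id` (1 or 2) by one step; return 1 if it used a NULL tfm. */
static int step(struct server *s, int *pc, int id, int locked)
{
    if (*pc == DONE)
        return 0;
    if (locked) {
        if (s->owner && s->owner != id)
            return 0;               /* blocked on the mutex, no progress */
        s->owner = id;              /* held from CHECK through USE */
    }
    switch (*pc) {
    case CHECK:       *pc = s->sdesc ? USE : ALLOC_TFM; return 0;
    case ALLOC_TFM:   s->hmac = &tfm_obj; break;
    case ALLOC_SDESC: memset(&s->pool[id - 1], 0, sizeof(s->pool[0]));
                      s->sdesc = &s->pool[id - 1]; break;
    case SET_TFM:     s->sdesc->tfm = s->hmac; break;
    case USE:         *pc = DONE;
                      if (locked) s->owner = 0;
                      return s->sdesc->tfm == NULL;
    }
    (*pc)++;
    return 0;
}

/* Replay a schedule such as "12111221" ('1'/'2' = which mount runs next),
 * then let both mounts finish. Returns how many uses saw a NULL tfm. */
int null_tfm_uses(const char *schedule, int locked)
{
    struct server s = {0};
    int pc[2] = {CHECK, CHECK}, faults = 0;

    for (; *schedule; schedule++)
        if (*schedule == '1' || *schedule == '2')
            faults += step(&s, &pc[*schedule - '1'], *schedule - '0', locked);
    while (pc[0] != DONE || pc[1] != DONE)
        for (int i = 0; i < 2; i++)
            faults += step(&s, &pc[i], i + 1, locked);
    return faults;
}
```

The schedule "12111221" is the order of events in the commit message's two-column diagram: with `locked` set to 0 the first mount reaches its use step after the second mount has replaced the descriptor, and with `locked` set to 1 the second mount cannot advance until the first has released the mutex.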