Commit e86e9134 authored by Sean Heelan's avatar Sean Heelan Committed by Steve French
Browse files

ksmbd: fix use-after-free in kerberos authentication 



Setting sess->user = NULL was introduced to fix the dangling pointer
created by ksmbd_free_user. However, it is possible another thread could
be operating on the session and make use of sess->user after it has been
passed to ksmbd_free_user but before sess->user is set to NULL.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarSean Heelan <seanheelan@gmail.com>
Acked-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent a1f46c99

fs/smb/server/auth.c

+13 −1
Original line number Diff line number Diff line
@@ -550,7 +550,19 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob, 
		retval = -ENOMEM;

		goto out;

	}



	if (!sess->user) {

		/* First successful authentication */

		sess->user = user;

	} else {

		if (!ksmbd_compare_user(sess->user, user)) {

			ksmbd_debug(AUTH, "different user tried to reuse session\n");

			retval = -EPERM;

			ksmbd_free_user(user);

			goto out;

		}

		ksmbd_free_user(user);

	}



	memcpy(sess->sess_key, resp->payload, resp->session_key_len);

	memcpy(out_blob, resp->payload + resp->session_key_len,

fs/smb/server/smb2pdu.c

+0 −5
Original line number Diff line number Diff line
@@ -1607,11 +1607,6 @@ static int krb5_authenticate(struct ksmbd_work *work, 
	if (prev_sess_id && prev_sess_id != sess->id)

		destroy_previous_session(conn, sess->user, prev_sess_id);



	if (sess->state == SMB2_SESSION_VALID) {

		ksmbd_free_user(sess->user);

		sess->user = NULL;

	}



	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,

					 out_blob, &out_len);

	if (retval) {