diff options
author | Jeff Layton <jlayton@redhat.com> | 2013-07-31 13:48:00 -0400 |
---|---|---|
committer | Steve French <smfrench@gmail.com> | 2013-07-31 14:44:59 -0400 |
commit | ba48202932de455566868a065874279688c9241f (patch) | |
tree | 8a89a57979c95b2dad9750ca2c8c2b4a09627aa5 | |
parent | fe090e4e44bac1d7d8c0ebd1dfa4e6007e1b2762 (diff) |
cifs: fix bad error handling in crypto code
Jarod reported an Oops like when testing with fips=1:
CIFS VFS: could not allocate crypto hmacmd5
CIFS VFS: could not crypto alloc hmacmd5 rc -2
CIFS VFS: Error -2 during NTLMSSP authentication
CIFS VFS: Send error in SessSetup = -2
BUG: unable to handle kernel NULL pointer dereference at 000000000000004e
IP: [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
PGD 0
Oops: 0000 [#1] SMP
Modules linked in: md4 nls_utf8 cifs dns_resolver fscache kvm serio_raw virtio_balloon virtio_net mperf i2c_piix4 cirrus drm_kms_helper ttm drm i2c_core virtio_blk ata_generic pata_acpi
CPU: 1 PID: 639 Comm: mount.cifs Not tainted 3.11.0-0.rc3.git0.1.fc20.x86_64 #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff88007bf496e0 ti: ffff88007b080000 task.ti: ffff88007b080000
RIP: 0010:[<ffffffff812b5c7a>] [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
RSP: 0018:ffff88007b081d10 EFLAGS: 00010282
RAX: 0000000000001f1f RBX: ffff880037422000 RCX: ffff88007b081fd8
RDX: 000000000000001f RSI: 0000000000000006 RDI: fffffffffffffffe
RBP: ffff88007b081d30 R08: ffff880037422000 R09: ffff88007c090100
R10: 0000000000000000 R11: 00000000fffffffe R12: fffffffffffffffe
R13: ffff880037422000 R14: ffff880037422000 R15: 00000000fffffffe
FS: 00007fc322f4f780(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000000004e CR3: 000000007bdaa000 CR4: 00000000000006e0
Stack:
ffffffff81085845 ffff880037422000 ffff8800375e7400 ffff880037422000
ffff88007b081d48 ffffffffa0176022 ffff880037422000 ffff88007b081d60
ffffffffa015c07b ffff880037600600 ffff88007b081dc8 ffffffffa01610e1
Call Trace:
[<ffffffff81085845>] ? __cancel_work_timer+0x75/0xf0
[<ffffffffa0176022>] cifs_crypto_shash_release+0x82/0xf0 [cifs]
[<ffffffffa015c07b>] cifs_put_tcp_session+0x8b/0xe0 [cifs]
[<ffffffffa01610e1>] cifs_mount+0x9d1/0xad0 [cifs]
[<ffffffffa014ff50>] cifs_do_mount+0xa0/0x4d0 [cifs]
[<ffffffff811ab6e9>] mount_fs+0x39/0x1b0
[<ffffffff811c466f>] vfs_kern_mount+0x5f/0xf0
[<ffffffff811c6a9e>] do_mount+0x23e/0xa20
[<ffffffff811c66e6>] ? copy_mount_options+0x36/0x170
[<ffffffff811c7303>] SyS_mount+0x83/0xc0
[<ffffffff8165c8d9>] system_call_fastpath+0x16/0x1b
Code: eb 9e 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 48 85 ff 74 46 <48> 83 7e 48 00 48 8b 5e 50 74 4b 48 89 f7 e8 83 fc ff ff 4c 8b
RIP [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
RSP <ffff88007b081d10>
CR2: 000000000000004e
The cifs code allocates some crypto structures. If that fails, it
returns an error, but it leaves the pointers set to their PTR_ERR
values. Then later when it tries to clean up, it sees that those values
are non-NULL and then passes them to the routine that frees them.
Fix this by setting the pointers to NULL after collecting the error code
in this situation.
Cc: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
-rw-r--r-- | fs/cifs/cifsencrypt.c | 12 | ||||
-rw-r--r-- | fs/cifs/smb2transport.c | 9 |
2 files changed, 15 insertions, 6 deletions
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c index 194f9cce5d83..fc6f4f3a1a9d 100644 --- a/fs/cifs/cifsencrypt.c +++ b/fs/cifs/cifsencrypt.c | |||
@@ -43,17 +43,18 @@ cifs_crypto_shash_md5_allocate(struct TCP_Server_Info *server) | |||
43 | server->secmech.md5 = crypto_alloc_shash("md5", 0, 0); | 43 | server->secmech.md5 = crypto_alloc_shash("md5", 0, 0); |
44 | if (IS_ERR(server->secmech.md5)) { | 44 | if (IS_ERR(server->secmech.md5)) { |
45 | cifs_dbg(VFS, "could not allocate crypto md5\n"); | 45 | cifs_dbg(VFS, "could not allocate crypto md5\n"); |
46 | return PTR_ERR(server->secmech.md5); | 46 | rc = PTR_ERR(server->secmech.md5); |
47 | server->secmech.md5 = NULL; | ||
48 | return rc; | ||
47 | } | 49 | } |
48 | 50 | ||
49 | size = sizeof(struct shash_desc) + | 51 | size = sizeof(struct shash_desc) + |
50 | crypto_shash_descsize(server->secmech.md5); | 52 | crypto_shash_descsize(server->secmech.md5); |
51 | server->secmech.sdescmd5 = kmalloc(size, GFP_KERNEL); | 53 | server->secmech.sdescmd5 = kmalloc(size, GFP_KERNEL); |
52 | if (!server->secmech.sdescmd5) { | 54 | if (!server->secmech.sdescmd5) { |
53 | rc = -ENOMEM; | ||
54 | crypto_free_shash(server->secmech.md5); | 55 | crypto_free_shash(server->secmech.md5); |
55 | server->secmech.md5 = NULL; | 56 | server->secmech.md5 = NULL; |
56 | return rc; | 57 | return -ENOMEM; |
57 | } | 58 | } |
58 | server->secmech.sdescmd5->shash.tfm = server->secmech.md5; | 59 | server->secmech.sdescmd5->shash.tfm = server->secmech.md5; |
59 | server->secmech.sdescmd5->shash.flags = 0x0; | 60 | server->secmech.sdescmd5->shash.flags = 0x0; |
@@ -591,6 +592,7 @@ CalcNTLMv2_response(const struct cifs_ses *ses, char *ntlmv2_hash) | |||
591 | 592 | ||
592 | static int crypto_hmacmd5_alloc(struct TCP_Server_Info *server) | 593 | static int crypto_hmacmd5_alloc(struct TCP_Server_Info *server) |
593 | { | 594 | { |
595 | int rc; | ||
594 | unsigned int size; | 596 | unsigned int size; |
595 | 597 | ||
596 | /* check if already allocated */ | 598 | /* check if already allocated */ |
@@ -600,7 +602,9 @@ static int crypto_hmacmd5_alloc(struct TCP_Server_Info *server) | |||
600 | server->secmech.hmacmd5 = crypto_alloc_shash("hmac(md5)", 0, 0); | 602 | server->secmech.hmacmd5 = crypto_alloc_shash("hmac(md5)", 0, 0); |
601 | if (IS_ERR(server->secmech.hmacmd5)) { | 603 | if (IS_ERR(server->secmech.hmacmd5)) { |
602 | cifs_dbg(VFS, "could not allocate crypto hmacmd5\n"); | 604 | cifs_dbg(VFS, "could not allocate crypto hmacmd5\n"); |
603 | return PTR_ERR(server->secmech.hmacmd5); | 605 | rc = PTR_ERR(server->secmech.hmacmd5); |
606 | server->secmech.hmacmd5 = NULL; | ||
607 | return rc; | ||
604 | } | 608 | } |
605 | 609 | ||
606 | size = sizeof(struct shash_desc) + | 610 | size = sizeof(struct shash_desc) + |
diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c index 301b191270b9..4f2300d020c7 100644 --- a/fs/cifs/smb2transport.c +++ b/fs/cifs/smb2transport.c | |||
@@ -42,6 +42,7 @@ | |||
42 | static int | 42 | static int |
43 | smb2_crypto_shash_allocate(struct TCP_Server_Info *server) | 43 | smb2_crypto_shash_allocate(struct TCP_Server_Info *server) |
44 | { | 44 | { |
45 | int rc; | ||
45 | unsigned int size; | 46 | unsigned int size; |
46 | 47 | ||
47 | if (server->secmech.sdeschmacsha256 != NULL) | 48 | if (server->secmech.sdeschmacsha256 != NULL) |
@@ -50,7 +51,9 @@ smb2_crypto_shash_allocate(struct TCP_Server_Info *server) | |||
50 | server->secmech.hmacsha256 = crypto_alloc_shash("hmac(sha256)", 0, 0); | 51 | server->secmech.hmacsha256 = crypto_alloc_shash("hmac(sha256)", 0, 0); |
51 | if (IS_ERR(server->secmech.hmacsha256)) { | 52 | if (IS_ERR(server->secmech.hmacsha256)) { |
52 | cifs_dbg(VFS, "could not allocate crypto hmacsha256\n"); | 53 | cifs_dbg(VFS, "could not allocate crypto hmacsha256\n"); |
53 | return PTR_ERR(server->secmech.hmacsha256); | 54 | rc = PTR_ERR(server->secmech.hmacsha256); |
55 | server->secmech.hmacsha256 = NULL; | ||
56 | return rc; | ||
54 | } | 57 | } |
55 | 58 | ||
56 | size = sizeof(struct shash_desc) + | 59 | size = sizeof(struct shash_desc) + |
@@ -87,7 +90,9 @@ smb3_crypto_shash_allocate(struct TCP_Server_Info *server) | |||
87 | server->secmech.sdeschmacsha256 = NULL; | 90 | server->secmech.sdeschmacsha256 = NULL; |
88 | crypto_free_shash(server->secmech.hmacsha256); | 91 | crypto_free_shash(server->secmech.hmacsha256); |
89 | server->secmech.hmacsha256 = NULL; | 92 | server->secmech.hmacsha256 = NULL; |
90 | return PTR_ERR(server->secmech.cmacaes); | 93 | rc = PTR_ERR(server->secmech.cmacaes); |
94 | server->secmech.cmacaes = NULL; | ||
95 | return rc; | ||
91 | } | 96 | } |
92 | 97 | ||
93 | size = sizeof(struct shash_desc) + | 98 | size = sizeof(struct shash_desc) + |