CVE-2024-53185

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
27/12/2024
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix NULL ptr deref in crypto_aead_setkey()

Neither SMB3.0 nor SMB3.02 supports encryption negotiate context, so when the SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4.

Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02.

Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well.

mount.cifs //srv/share /mnt -o vers=3.02,seal,...

BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
Read of size 8 at addr 0000000000000020 by task mount.cifs/1095
CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:

dump_stack_lvl+0x5d/0x80
? crypto_aead_setkey+0x2c/0x130
kasan_report+0xda/0x110
? crypto_aead_setkey+0x2c/0x130
crypto_aead_setkey+0x2c/0x130
crypt_message+0x258/0xec0 [cifs]
? __asan_memset+0x23/0x50
? __pfx_crypt_message+0x10/0x10 [cifs]
? mark_lock+0xb0/0x6a0
? hlock_class+0x32/0xb0
? mark_lock+0xb0/0x6a0
smb3_init_transform_rq+0x352/0x3f0 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
smb_send_rqst+0x144/0x230 [cifs]
? __pfx_smb_send_rqst+0x10/0x10 [cifs]
? hlock_class+0x32/0xb0
? smb2_setup_request+0x225/0x3a0 [cifs]
? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
compound_send_recv+0x59b/0x1140 [cifs]
? __pfx_compound_send_recv+0x10/0x10 [cifs]
? __create_object+0x5e/0x90
? hlock_class+0x32/0xb0
? do_raw_spin_unlock+0x9a/0xf0
cifs_send_recv+0x23/0x30 [cifs]
SMB2_tcon+0x3ec/0xb30 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? __pfx_lock_release+0x10/0x10
? do_raw_spin_trylock+0xc6/0x120
? lock_acquire+0x3f/0x90
? _get_xid+0x16/0xd0 [cifs]
? __pfx_SMB2_tcon+0x10/0x10 [cifs]
? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
cifs_mount_get_session+0x8a/0x210 [cifs]
dfs_mount_share+0x1b0/0x11d0 [cifs]
? __pfx___lock_acquire+0x10/0x10
? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? lock_acquire.part.0+0xf4/0x2a0
? find_held_lock+0x8a/0xa0
? hlock_class+0x32/0xb0
? lock_release+0x203/0x5d0
cifs_mount+0xb3/0x3d0 [cifs]
? do_raw_spin_trylock+0xc6/0x120
? __pfx_cifs_mount+0x10/0x10 [cifs]
? lock_acquire+0x3f/0x90
? find_nls+0x16/0xa0
? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
? __pfx_vfs_parse_fs_string+0x10/0x10
? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
smb3_get_tree+0x1bf/0x330 [cifs]
vfs_get_tree+0x4a/0x160
path_mount+0x3c1/0xfb0
? kasan_quarantine_put+0xc7/0x1d0
? __pfx_path_mount+0x10/0x10
? kmem_cache_free+0x118/0x3e0
? user_path_at+0x74/0xa0
__x64_sys_mount+0x1a6/0x1e0
? __pfx___x64_sys_mount+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.57 (including) | 6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.4 (including) | 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding)