mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 13:53:33 +00:00
cifs: fix double-fault crash during ntlmssp
commitb854b4ee66
upstream. The crash occurred because we were calling memzero_explicit() on an already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer(). Fix this by not calling memzero_explicit() on sess_data::iov[1] as it's already by handled by callers. Fixes:a4e430c8c8
("cifs: replace kfree() with kfree_sensitive() for sensitive data") Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de> Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
7ee97ad170
commit
983ec6379b
1 changed files with 9 additions and 7 deletions
|
@ -1214,16 +1214,18 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
|
|||
static void
|
||||
sess_free_buffer(struct sess_data *sess_data)
|
||||
{
|
||||
int i;
|
||||
struct kvec *iov = sess_data->iov;
|
||||
|
||||
/* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
|
||||
for (i = 0; i < 3; i++)
|
||||
if (sess_data->iov[i].iov_base)
|
||||
memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
|
||||
/*
|
||||
* Zero the session data before freeing, as it might contain sensitive info (keys, etc).
|
||||
* Note that iov[1] is already freed by caller.
|
||||
*/
|
||||
if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
|
||||
memzero_explicit(iov[0].iov_base, iov[0].iov_len);
|
||||
|
||||
free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
|
||||
free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
|
||||
sess_data->buf0_type = CIFS_NO_BUFFER;
|
||||
kfree(sess_data->iov[2].iov_base);
|
||||
kfree_sensitive(iov[2].iov_base);
|
||||
}
|
||||
|
||||
static int
|
||||
|
|
Loading…
Reference in a new issue