)]}'
{
  "commit": "7db6bd2ea31cd3c1ea2f6d24b7c8cb56c3459f1e",
  "tree": "dce1f5e023ef5515f09315eb55fa5caab8bdbfff",
  "parents": [
    "4cc6c2b5dc15b2271b554442f91d4fdf24177995"
  ],
  "author": {
    "name": "Enzo Matsumiya",
    "email": "ematsumiya@suse.de",
    "time": "Thu Sep 26 14:46:13 2024 -0300"
  },
  "committer": {
    "name": "Arnav Kansal",
    "email": "rnv@google.com",
    "time": "Fri Feb 07 15:38:17 2025 -0800"
  },
  "message": "smb: client: fix UAF in async decryption\n\ncommit b0abcd65ec545701b8793e12bc27dc98042b151a upstream.\n\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\n\nReproducer:\n    # mount.cifs -o ...,seal,esize\u003d1 //srv/share /mnt\n    # dd if\u003d/mnt/largefile of\u003d/dev/null\n    ...\n    [  194.196391] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n    [  194.197707]\n    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n    [  194.200032] Call Trace:\n    [  194.200191]  \u003cTASK\u003e\n    [  194.200327]  dump_stack_lvl+0x4e/0x70\n    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.200809]  print_report+0x174/0x505\n    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n    [  194.201352]  ? srso_return_thunk+0x5/0x5f\n    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0\n    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202128]  kasan_report+0xc8/0x150\n    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202616]  gf128mul_4k_lle+0xc1/0x110\n    [  194.202863]  ghash_update+0x184/0x210\n    [  194.203103]  shash_ahash_update+0x184/0x2a0\n    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10\n    [  194.203651]  ? srso_return_thunk+0x5/0x5f\n    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340\n    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140\n    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]\n    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]\n    [  194.208507]  ? srso_return_thunk+0x5/0x5f\n    [  194.209205]  ? srso_return_thunk+0x5/0x5f\n    [  194.209925]  ? srso_return_thunk+0x5/0x5f\n    [  194.210443]  ? srso_return_thunk+0x5/0x5f\n    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]\n    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n    [  194.214670]  ? srso_return_thunk+0x5/0x5f\n    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]\n\nThis is because TFM is being used in parallel.\n\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\n\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it\u0027s always going to be a synchronous operation.\n\nBUG\u003db/375368580\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2024-50047 in the Linux kernel.\n\ncos-patch: security-high\nChange-Id: Ie41159d596328040f9446ab72ed952f9afae0e6d\nSigned-off-by: Enzo Matsumiya \u003cematsumiya@suse.de\u003e\nSigned-off-by: Steve French \u003cstfrench@microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/92329\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Kevin Berry \u003ckpberry@google.com\u003e\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "62935d61192aef09528d2f3a5aa8c36d8881fbc9",
      "old_mode": 33188,
      "old_path": "fs/smb/client/smb2ops.c",
      "new_id": "4b9cd9893ac61b32a8c039c031daa7d4d22c929e",
      "new_mode": 33188,
      "new_path": "fs/smb/client/smb2ops.c"
    },
    {
      "type": "modify",
      "old_id": "9975711236b26c1a2a6d327e1547bbed55037b2b",
      "old_mode": 33188,
      "old_path": "fs/smb/client/smb2pdu.c",
      "new_id": "ae38ba7f19669c24246fe590a84677bb7e7a5f7e",
      "new_mode": 33188,
      "new_path": "fs/smb/client/smb2pdu.c"
    }
  ]
}