CVE-2024-53185

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix NULL ptr deref in cryptoaeadsetkey()

Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2GLOBALCAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4.

Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->ciphertype check to conditionally call smb3cryptoaeadallocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02.

Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well.

mount.cifs //srv/share /mnt -o vers=3.02,seal,...

BUG: KASAN: null-ptr-deref in cryptoaeadsetkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? cryptoaeadsetkey+0x2c/0x130 kasanreport+0xda/0x110 ? cryptoaeadsetkey+0x2c/0x130 cryptoaeadsetkey+0x2c/0x130 cryptmessage+0x258/0xec0 [cifs] ? asanmemset+0x23/0x50 ? _pfxcryptmessage+0x10/0x10 [cifs] ? marklock+0xb0/0x6a0 ? hlockclass+0x32/0xb0 ? marklock+0xb0/0x6a0 smb3inittransformrq+0x352/0x3f0 [cifs] ? lockacquire.part.0+0xf4/0x2a0 smbsendrqst+0x144/0x230 [cifs] ? _pfxsmbsendrqst+0x10/0x10 [cifs] ? hlockclass+0x32/0xb0 ? smb2setuprequest+0x225/0x3a0 [cifs] ? _pfxcifscompoundlastcallback+0x10/0x10 [cifs] compoundsendrecv+0x59b/0x1140 [cifs] ? _pfxcompoundsendrecv+0x10/0x10 [cifs] ? _createobject+0x5e/0x90 ? hlockclass+0x32/0xb0 ? dorawspinunlock+0x9a/0xf0 cifssendrecv+0x23/0x30 [cifs] SMB2tcon+0x3ec/0xb30 [cifs] ? _pfxSMB2tcon+0x10/0x10 [cifs] ? lockacquire.part.0+0xf4/0x2a0 ? _pfxlockrelease+0x10/0x10 ? dorawspintrylock+0xc6/0x120 ? lockacquire+0x3f/0x90 ? _getxid+0x16/0xd0 [cifs] ? _pfxSMB2tcon+0x10/0x10 [cifs] ? cifsgetsmbses+0xcdd/0x10a0 [cifs] cifsgetsmbses+0xcdd/0x10a0 [cifs] ? _pfxcifsgetsmbses+0x10/0x10 [cifs] ? cifsgettcpsession+0xaa0/0xca0 [cifs] cifsmountgetsession+0x8a/0x210 [cifs] dfsmountshare+0x1b0/0x11d0 [cifs] ? _pfxlockacquire+0x10/0x10 ? pfxdfsmountshare+0x10/0x10 [cifs] ? lockacquire.part.0+0xf4/0x2a0 ? findheldlock+0x8a/0xa0 ? hlockclass+0x32/0xb0 ? lockrelease+0x203/0x5d0 cifsmount+0xb3/0x3d0 [cifs] ? dorawspintrylock+0xc6/0x120 ? _pfxcifsmount+0x10/0x10 [cifs] ? lockacquire+0x3f/0x90 ? findnls+0x16/0xa0 ? smb3updatemntflags+0x372/0x3b0 [cifs] cifssmb3domount+0x1e2/0xc80 [cifs] ? _pfxvfsparsefsstring+0x10/0x10 ? _pfxcifssmb3domount+0x10/0x10 [cifs] smb3gettree+0x1bf/0x330 [cifs] vfsgettree+0x4a/0x160 pathmount+0x3c1/0xfb0 ? kasanquarantineput+0xc7/0x1d0 ? _pfxpathmount+0x10/0x10 ? kmemcachefree+0x118/0x3e0 ? userpathat+0x74/0xa0 _x64sysmount+0x1a6/0x1e0 ? _pfxx64sysmount+0x10/0x10 ? markheldlocks+0x1a/0x90 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f