From patchwork Sat Mar 19 03:20:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Enzo Matsumiya <ematsumiya@suse.de>
X-Patchwork-Id: 1607306
Return-Path: <linux-cifs-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (1024-bit key;
 unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256
 header.s=susede2_rsa header.b=bNb23TSI;
	dkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256
 header.s=susede2_ed25519 header.b=iaG9qMJd;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=2620:137:e000::1:20; helo=out1.vger.email;
 envelope-from=linux-cifs-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4KL5k05VN3z9s5V
	for <incoming@patchwork.ozlabs.org>; Sat, 19 Mar 2022 14:20:40 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231569AbiCSDVy (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Fri, 18 Mar 2022 23:21:54 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55376 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230247AbiCSDVx (ORCPT
        <rfc822;linux-cifs@vger.kernel.org>); Fri, 18 Mar 2022 23:21:53 -0400
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 778D5DD963
        for <linux-cifs@vger.kernel.org>;
 Fri, 18 Mar 2022 20:20:33 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
 [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest
 SHA512)
        (No client certificate requested)
        by smtp-out1.suse.de (Postfix) with ESMTPS id 8E7BB210FD;
        Sat, 19 Mar 2022 03:20:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
        t=1647660031;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type;
        bh=P5HVMst4XokfGKAJRjIs1cTmZO3fVYAodwoctjMKPfQ=;
        b=bNb23TSIRlsbZCu3Vh6STEuRsnhmLndGfnHCpuP7x1hgM4Rwjdjtbd+3gDAMb59SIWCugB
        oIYT2q273lfVDs9c2TasubyZAkysMlLlZ0dyhAmtmN/6cpiWcfHSnrS1rOWQcWbQqujPSQ
        iadHIN/vHcu09onAVdNMcOCqWaP5td0=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1647660031;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type;
        bh=P5HVMst4XokfGKAJRjIs1cTmZO3fVYAodwoctjMKPfQ=;
        b=iaG9qMJdhJl4jLpvtNUAx9Yoxin0t+B+m4yPJOlLT9s+T0ttctN4J4fbwWyikqRllHZYXJ
        DJSbEyCVwzCoBlDQ==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
 [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest
 SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 0B2D1132C1;
        Sat, 19 Mar 2022 03:20:30 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id f1JdL/5LNWKQRgAAMHmgww
        (envelope-from <ematsumiya@suse.de>); Sat, 19 Mar 2022 03:20:30 +0000
Date: Sat, 19 Mar 2022 00:20:25 -0300
From: Enzo Matsumiya <ematsumiya@suse.de>
To: samba-technical@lists.samba.org, linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com
Subject: Signature check for LOGOFF response
Message-ID: <20220319032012.46ezg2pxjlrsdlpq@cyberdelia>
MIME-Version: 1.0
Content-Disposition: inline
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org

Hi,

The LOGOFF command response is not signed (=> signature is 0x0), but we
check it anyway, displaying "sign fail" errors in ring buffer.

As far as I checked, an explicit LOGOUT is only sent when tlink pruning
happens (i.e. TLINK_IDLE_EXPIRE expires), but we have a case of this
causing issues on production env.

I didn't find LOGOFF being a signature check exception in MS-SMB2 rev64.
Relevant sections:

2.2.7 SMB2 LOGOFF Request
2.2.8 SMB2 LOGOFF Response
3.2.5.4 Receiving an SMB2 LOGOFF Response
3.3.5.6 Receiving an SMB2 LOGOFF Request

If this is implementation defined, maybe something like this could work?
(100% untested)


Thoughts?


Enzo

--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -667,6 +667,7 @@ smb2_verify_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
         if ((shdr->Command == SMB2_NEGOTIATE) ||
             (shdr->Command == SMB2_SESSION_SETUP) ||
             (shdr->Command == SMB2_OPLOCK_BREAK) ||
+           (shdr->Command == SMB2_LOGOFF) ||
             server->ignore_signature ||
             (!server->session_estab))
                 return 0;