CIFS: Enable encryption for SMB3

Bug #1670508 reported by Stephen A. Zarkos on 2017-03-06
This bug affects 4 people
Affects          Status  Importance  Assigned to       Milestone
linux (Ubuntu)           Medium      Tim Gardner
Xenial                   Medium      Joseph Salisbury
Yakkety                  Medium      Joseph Salisbury
Zesty                    Medium      Tim Gardner

Bug Description

There has been work upstream to enable encryption support for SMB3 connections. This is a particularly valuable (and commonly requested) feature with the Azure Files service as encryption is required to connect to an Azure Files storage share from on-prem or from a different Azure region.

The relevant commits are as follows:

CIFS: Fix possible use after free in demultiplex thread
Commit 61cfac6f267dabcf2740a7ec8a0295833b28b5f5

CIFS: Allow to switch on encryption with seal mount option
Commit ae6f8dd4d0c87bfb72da9d9b56342adf53e69c31

CIFS: Add capability to decrypt big read responses
Commit c42a6abe3012832a68a371dabe17c2ced97e62ad

CIFS: Decrypt and process small encrypted packets
Commit 4326ed2f6a16ae9d33e4209b540dc9a371aba840

CIFS: Add copy into pages callback for a read operation
Commit d70b9104b1ca586f73aaf59426756cec3325a40e

CIFS: Add mid handle callback
Commit 9b7c18a2d4b798963ea80f6769701dcc4c24b55e

CIFS: Add transform header handling callbacks
Commit 9bb17e0916a03ab901fb684e874d77a1e96b3d1e

CIFS: Encrypt SMB3 requests before sending
Commit 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398

CIFS: Enable encryption during session setup phase
Commit cabfb3680f78981d26c078a26e5c748531257ebb

CIFS: Add capability to transform requests before sending
Commit 7fb8986e7449d0a5cebd84d059927afa423fbf85

CIFS: Separate RFC1001 length processing for SMB2 read
Commit b8f57ee8aad414a3122bff72d7968a94baacb9b6

CIFS: Separate SMB2 sync header processing
Commit cb200bd6264a80c04e09e8635fa4f3901cabdaef

CIFS: Send RFC1001 length in a separate iov
Commit 738f9de5cdb9175c19d24cfdf90b4543fc3b47bf

CIFS: Make send_cancel take rqst as argument
Commit fb2036d817584df42504910fe104f68517e8990e

CIFS: Make SendReceive2() takes resp iov
Commit da502f7df03d2d0b416775f92ae022f3f82bedd5

CIFS: Separate SMB2 header structure
Commit 31473fc4f9653b73750d3792ffce6a6e1bdf0da7

cifs: Add soft dependencies
Commit b9be76d585d48cb25af8db0d35e1ef9030fbe13a

cifs: Only select the required crypto modules
Commit 3692304bba6164be3810afd41b84ecb0e1e41db1

cifs: Simplify SMB2 and SMB311 dependencies
Commit c1ecea87471bbb614f8121e00e5787f363140365

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1670508

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Stephen A. Zarkos (stevez) wrote :

No logs needed. Thanks.

description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tim Gardner (timg-tpi) on 2017-03-07
Changed in linux (Ubuntu Zesty):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.10.0-13.15

---------------
linux (4.10.0-13.15) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1671614

  * ehci-platform needed in usb-modules udeb (LP: #1671589)
    - d-i: add ehci-platform to usb-modules

  * irqchip/gic-v3-its: Enable cacheable attribute Read-allocate hints
    (LP: #1671598)
    - irqchip/gic-v3-its: Enable cacheable attribute Read-allocate hints

  * iommu: Fix static checker warning in iommu_insert_device_resv_regions
    (LP: #1671599)
    - iommu: Fix static checker warning in iommu_insert_device_resv_regions

  * QDF2400: Fix panic introduced by erratum 1003 (LP: #1671602)
    - arm64: Avoid clobbering mm in erratum workaround on QDF2400

  * QDF2400 PCI ports require ACS quirk (LP: #1671601)
    - PCI: Add ACS quirk for Qualcomm QDF2400 and QDF2432

  * tty: pl011: Work around QDF2400 E44 stuck BUSY bit (LP: #1671600)
    - tty: pl011: Work around QDF2400 E44 stuck BUSY bit

  * CVE-2017-2636
    - tty: n_hdlc: get rid of racy n_hdlc.tbuf

  * Sync virtualbox to 5.1.16-dfsg-1 in zesty (LP: #1671470)
    - ubuntu: vbox -- Update to 5.1.16-dfsg-1

 -- Tim Gardner <email address hidden> Thu, 09 Mar 2017 06:16:24 -0700

Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Joshua R. Poulson (jrp) on 2017-03-16
Changed in linux (Ubuntu Yakkety):
status: New → Confirmed
Changed in linux (Ubuntu Zesty):
importance: Undecided → Medium
Changed in linux (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
tags: added: kernel-da-key kernel-hyper-v
Changed in linux (Ubuntu Xenial):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Joseph Salisbury (jsalisbury)
status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Joseph Salisbury (jsalisbury) wrote :

I built a Yakkety and a Xenial test kernel with the requested cifs commits.

The following prereq commits were required:
8b217fe7fcad Prereq for X and Y - v4.10-rc1~9^2~9
166cea4dc3a4 Prereq for X and Y - v4.9-rc1~6^2~4
3baf1a7b9215 Prereq for X and Y - v4.9-rc1~6^2~5
141891f4727c Prereq for X and Y - v4.9-rc1~6^2~10
4214ebf46547 Prereq for X - v4.8-rc7~9^2~2
a6137305a8c4 Prereq for X - v4.7-rc1~145^2~1
71335664c38f Prereq for X - v4.7-rc1~145^2
09aab880f7c5 Prereq for X - v4.7-rc1~145^2~2
16c568efff82 Prereq for X - v4.7-rc1~145^2~4
2da62906b1e2 Prereq for X - v4.7-rc1~145^2~5
373512ec5c10 Prereq for X - v4.5-rc1~6^2~2
adfeb3e00e8e Prereq for X - v4.5-rc1~6^2~4

The test kernels can be downloaded from:
Xenial: http://kernel.ubuntu.com/~jsalisbury/lp1670508/xenial
Yakkety: http://kernel.ubuntu.com/~jsalisbury/lp1670508/yakkety

Can these kernels be tested to see if they resolve this bug?

Christian Rank (c-rank) wrote :

I tested the Yakkety test kernel on Ubuntu 16.04 (with HWE):

root@u1604:/tmp/mnt# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

root@u1604:/tmp/mnt# uname -a
Linux u1604 4.8.0-44-generic #47~lp1670508 SMP Fri Mar 24 19:45:44 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I was able to perform an encrypted SMB mount successfully => bug for this configuration resolved.

Christian Rank (c-rank) wrote :

Another test: Xenial test kernel on Ubuntu 14.04 (with HWE):

root@u1404:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

root@u1404:~# uname -a
Linux u1404 4.4.0-71-generic #92~lp1670508 SMP Fri Mar 24 19:02:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Encrypted SMB mount is successful => bug for this configuration resolved.

Pavel Shilovsky (pshilovsky) wrote :

Successfully tested the patched kernel for Xenial with xfstests and cthon test suites.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ uname -a
Linux ubuntu-vm 4.4.0-71-generic #92~lp1670508 SMP Fri Mar 24 19:02:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
Pavel Shilovsky (pshilovsky) wrote :

Successfully tested the patched kernel for Xenial with xfstests and cthon test suites.

$ uname -a
Linux ubuntu-vm 4.8.0-54-generic #57-Ubuntu SMP Wed May 24 10:21:44 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Thank you, pshilovsky!

tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-54.57

---------------
linux (4.8.0-54.57) yakkety; urgency=low

  * linux: 4.8.0-54.57 -proposed tracker (LP: #1692589)

  * CVE-2017-0605
    - tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

  * Populating Hyper-V MSR for Ubuntu 13.10 (LP: #1193172)
    - SAUCE: (no-up) hv: Supply vendor ID and package ABI

  * [Hyper-V] Implement Hyper-V PTP Source (LP: #1676635)
    - hv: allocate synic pages for all present CPUs
    - hv: init percpu_list in hv_synic_alloc()
    - Drivers: hv: vmbus: Prevent sending data on a rescinded channel
    - hv: switch to cpuhp state machine for synic init/cleanup
    - hv: make CPU offlining prevention fine-grained
    - Drivers: hv: vmbus: Fix a rescind handling bug
    - Drivers: hv: util: kvp: Fix a rescind processing issue
    - Drivers: hv: util: Fcopy: Fix a rescind processing issue
    - Drivers: hv: util: Backup: Fix a rescind processing issue
    - Drivers: hv: vmbus: Move the definition of hv_x64_msr_hypercall_contents
    - Drivers: hv: vmbus: Move the definition of generate_guest_id()
    - Revert "UBUNTU: SAUCE: (no-up) hv: Supply vendor ID and package ABI"
    - Drivers: hv vmbus: Move Hypercall page setup out of common code
    - Drivers: hv: vmbus: Move Hypercall invocation code out of common code
    - Drivers: hv: vmbus: Consolidate all Hyper-V specific clocksource code
    - Drivers: hv: vmbus: Move the extracting of Hypervisor version information
    - Drivers: hv: vmbus: Move the crash notification function
    - Drivers: hv: vmbus: Move the check for hypercall page setup
    - Drivers: hv: vmbus: Move the code to signal end of message
    - Drivers: hv: vmbus: Restructure the clockevents code
    - Drivers: hv: util: Use hv_get_current_tick() to get current tick
    - Drivers: hv: vmbus: Get rid of an unsused variable
    - Drivers: hv: vmbus: Define APIs to manipulate the message page
    - Drivers: hv: vmbus: Define APIs to manipulate the event page
    - Drivers: hv: vmbus: Define APIs to manipulate the synthetic interrupt
      controller
    - Drivers: hv: vmbus: Define an API to retrieve virtual processor index
    - Drivers: hv: vmbus: Define an APIs to manage interrupt state
    - Drivers: hv: vmbus: Cleanup hyperv_vmbus.h
    - hv_util: switch to using timespec64
    - Drivers: hv: restore hypervcall page cleanup before kexec
    - Drivers: hv: restore TSC page cleanup before kexec
    - Drivers: hv: balloon: add a fall through comment to hv_memory_notifier()
    - Drivers: hv: vmbus: Use all supported IC versions to negotiate
    - Drivers: hv: Log the negotiated IC versions.
    - Drivers: hv: Fix the bug in generating the guest ID
    - hv: export current Hyper-V clocksource
    - hv_utils: implement Hyper-V PTP source
    - SAUCE: (no-up) hv: Supply vendor ID and package ABI

  * CIFS: Enable encryption for SMB3 (LP: #1670508)
    - SMB3: Add mount parameter to allow user to override max credits
    - SMB2: Separate Kerberos authentication from SMB2_sess_setup
    - SMB2: Separate RawNTLMSSP authentication from SMB2_sess_setup
    - SMB3: parsing for new snapshot timestamp mount parm
    - cifs: Simplify SMB...


Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Joseph Salisbury (jsalisbury) wrote :

A new xenial test kernel has been built and uploaded to:

http://kernel.ubuntu.com/~jsalisbury/lp1670508/
