CIFS: Enable encryption for SMB3

Bug #1670508 reported by Stephen A. Zarkos on 2017-03-06
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Tim Gardner
Xenial
Medium
Joseph Salisbury
Yakkety
Medium
Joseph Salisbury
Zesty
Medium
Tim Gardner

Bug Description

There has been work upstream to enable encryption support for SMB3 connections. This is a particularly valuable (and commonly requested) feature with the Azure Files service as encryption is required to connect to an Azure Files storage share from on-prem or from a different Azure region.

The relevant commits are as follows:

CIFS: Fix possible use after free in demultiplex thread
Commit 61cfac6f267dabcf2740a7ec8a0295833b28b5f5

CIFS: Allow to switch on encryption with seal mount option
Commit ae6f8dd4d0c87bfb72da9d9b56342adf53e69c31

CIFS: Add capability to decrypt big read responses
Commit c42a6abe3012832a68a371dabe17c2ced97e62ad

CIFS: Decrypt and process small encrypted packets
Commit 4326ed2f6a16ae9d33e4209b540dc9a371aba840

CIFS: Add copy into pages callback for a read operation
Commit d70b9104b1ca586f73aaf59426756cec3325a40e

CIFS: Add mid handle callback
Commit 9b7c18a2d4b798963ea80f6769701dcc4c24b55e

CIFS: Add transform header handling callbacks
Commit 9bb17e0916a03ab901fb684e874d77a1e96b3d1e

CIFS: Encrypt SMB3 requests before sending
Commit 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398

CIFS: Enable encryption during session setup phase
Commit cabfb3680f78981d26c078a26e5c748531257ebb

CIFS: Add capability to transform requests before sending
Commit 7fb8986e7449d0a5cebd84d059927afa423fbf85

CIFS: Separate RFC1001 length processing for SMB2 read
Commit b8f57ee8aad414a3122bff72d7968a94baacb9b6

CIFS: Separate SMB2 sync header processing
Commit cb200bd6264a80c04e09e8635fa4f3901cabdaef

CIFS: Send RFC1001 length in a separate iov
Commit 738f9de5cdb9175c19d24cfdf90b4543fc3b47bf

CIFS: Make send_cancel take rqst as argument
Commit fb2036d817584df42504910fe104f68517e8990e

CIFS: Make SendReceive2() takes resp iov
Commit da502f7df03d2d0b416775f92ae022f3f82bedd5

CIFS: Separate SMB2 header structure
Commit 31473fc4f9653b73750d3792ffce6a6e1bdf0da7

cifs: Add soft dependencies
Commit b9be76d585d48cb25af8db0d35e1ef9030fbe13a

cifs: Only select the required crypto modules
Commit 3692304bba6164be3810afd41b84ecb0e1e41db1

cifs: Simplify SMB2 and SMB311 dependencies
Commit c1ecea87471bbb614f8121e00e5787f363140365

CVE References

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1670508

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Stephen A. Zarkos (stevez) wrote :

No logs needed. Thanks.

description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tim Gardner (timg-tpi) on 2017-03-07
Changed in linux (Ubuntu Zesty):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.10.0-13.15

---------------
linux (4.10.0-13.15) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1671614

  * ehci-platform needed in usb-modules udeb (LP: #1671589)
    - d-i: add ehci-platform to usb-modules

  * irqchip/gic-v3-its: Enable cacheable attribute Read-allocate hints
    (LP: #1671598)
    - irqchip/gic-v3-its: Enable cacheable attribute Read-allocate hints

  * iommu: Fix static checker warning in iommu_insert_device_resv_regions
    (LP: #1671599)
    - iommu: Fix static checker warning in iommu_insert_device_resv_regions

  * QDF2400: Fix panic introduced by erratum 1003 (LP: #1671602)
    - arm64: Avoid clobbering mm in erratum workaround on QDF2400

  * QDF2400 PCI ports require ACS quirk (LP: #1671601)
    - PCI: Add ACS quirk for Qualcomm QDF2400 and QDF2432

  * tty: pl011: Work around QDF2400 E44 stuck BUSY bit (LP: #1671600)
    - tty: pl011: Work around QDF2400 E44 stuck BUSY bit

  * CVE-2017-2636
    - tty: n_hdlc: get rid of racy n_hdlc.tbuf

  * Sync virtualbox to 5.1.16-dfsg-1 in zesty (LP: #1671470)
    - ubuntu: vbox -- Update to 5.1.16-dfsg-1

 -- Tim Gardner <email address hidden> Thu, 09 Mar 2017 06:16:24 -0700

Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Joshua R. Poulson (jrp) on 2017-03-16
Changed in linux (Ubuntu Yakkety):
status: New → Confirmed
Changed in linux (Ubuntu Zesty):
importance: Undecided → Medium
Changed in linux (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
tags: added: kernel-da-key kernel-hyper-v
Changed in linux (Ubuntu Xenial):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Joseph Salisbury (jsalisbury)
status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Joseph Salisbury (jsalisbury) wrote :

I built a Yakkety and a Xenial test kernel with the requested cifs commits.

The following prereq commits were required:
8b217fe7fcad Prereq for X and Y - v4.10-rc1~9^2~9
166cea4dc3a4 Prereq for X and Y - v4.9-rc1~6^2~4
3baf1a7b9215 Prereq for X and Y - v4.9-rc1~6^2~5
141891f4727c Prereq for X and Y - v4.9-rc1~6^2~10
4214ebf46547 Prereq for X - v4.8-rc7~9^2~2
a6137305a8c4 Prereq for X - v4.7-rc1~145^2~1
71335664c38f Prereq for X - v4.7-rc1~145^2
09aab880f7c5 Prereq for X - v4.7-rc1~145^2~2
16c568efff82 Prereq for X - v4.7-rc1~145^2~4
2da62906b1e2 Prereq for X - v4.7-rc1~145^2~5
373512ec5c10 Prereq for X - v4.5-rc1~6^2~2
adfeb3e00e8e Prereq for X - v4.5-rc1~6^2~4

The test kernels can be downloaded from:
Xenial: http://kernel.ubuntu.com/~jsalisbury/lp1670508/xenial
Yakkety: http://kernel.ubuntu.com/~jsalisbury/lp1670508/yakkety

Can these kernels be tested to see if they resolve this bug?

Christian Rank (c-rank) wrote :

I tested the Yakkety test kernel on Ubuntu 16.04 (with HWE):

root@u1604:/tmp/mnt# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

root@u1604:/tmp/mnt# uname -a
Linux u1604 4.8.0-44-generic #47~lp1670508 SMP Fri Mar 24 19:45:44 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I was able to perform an encrypted SMB mount successfully => bug for this configuration resolved.

Christian Rank (c-rank) wrote :

Another test: Xenial test kernel on Ubuntu 14.04 (with HWE):

root@u1404:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

root@u1404:~# uname -a
Linux u1404 4.4.0-71-generic #92~lp1670508 SMP Fri Mar 24 19:02:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Encrypted SMB mount is successful => bug for this configuration resolved.

Pavel Shilovsky (pshilovsky) wrote :

Successfully tested the patched kernel for Xenial with xfstests and cthon test suites.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ uname -a
Linux ubuntu-vm 4.4.0-71-generic #92~lp1670508 SMP Fri Mar 24 19:02:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers