A critical issue identified as CVE-2021-46960 affected the Linux kernel's CIFS (Common Internet File System) module, which is used to access shared files and resources over the network, especially via Windows SMB/CIFS protocols. This vulnerability stemmed from improper error code handling when CIFS tried to fetch an SMB2 encryption key, potentially leading to confusing or even unsafe kernel states and loud kernel warnings. In this article, we break down the issue, explain how it looks in real-world logs, explore the problematic code, describe the resolution, and help you stay secure.
The Vulnerability: What Happened?
The problem originates from the function smb2_get_enc_key() inside the CIFS/SMB2 code. When this function failed to retrieve an encryption key, it returned a success () by mistake — even though there was an error. This led to later parts of the kernel assuming everything was fine, but subsequently running into inconsistency and triggering kernel warnings.
Key Point:
*Returning the wrong error code confused the kernel about the file system's status after encryption failure.*
When users hit this bug, dmesg logs and kernel traces looked similar to the following
[440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key
[440700.386947] ------------[ cut here ]------------
[440700.386948] err = 1
[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4./lib/errseq.c:74 errseq_set+x5c/x70
...
[440700.397334] Call Trace:
[440700.397346] __filemap_set_wb_err+x1a/x70
[440700.397419] cifs_writepages+x9c7/xb30 [cifs]
[440700.397426] do_writepages+x4b/xe
[440700.397486] cifs_setattr+x68b/xf30 [cifs]
...
This happens when, for example, you're copying files across an SMB share with encryption enabled and there’s some error fetching the encryption key (maybe due to a server glitch, network trouble, or misconfiguration).
Prior to the fix, the code in smb2_get_enc_key() didn't return the actual error up the stack
int smb2_get_enc_key(struct cifs_ses *ses, ...)
{
...
if (something_failed) {
// Oops, forget to return a real error!
return ;
}
...
}
This misled calling functions into thinking it was successful.
After the patch, the code now properly forwards error codes upward
int smb2_get_enc_key(struct cifs_ses *ses, ...)
{
...
if (something_failed) {
// Return the real error code
return -EKEYREJECTED; // Or whichever errno is correct
}
...
}
This change allows the rest of the kernel to treat the encryption-key fetch as a real failure and handle it properly, avoiding dangerous follow-up actions and verbose warnings.
Why Does This Matter?
When a kernel module returns the wrong error codes, other devices, drivers, or filesystem functions don't know there's a problem. They might proceed with operations that should not continue, potentially corrupting files, causing data loss, or (as here) filling logs with warnings and confusing developers and administrators.
In this specific case, being unable to fetch an SMB2 encryption key — but acting like everything is fine — leads to:
Original References and Fix
- Original bug report and patch discussion on LKML.
- Commit: cifs: Return correct error code from smb2_get_enc_key (kernel.org patch)
- CVE entry on Mitre
Exploitation and Impact
Exploitation of this bug is mostly a problem for stability and reliability rather than a direct security risk like privilege escalation. However, because improper error handling can leave filesystems inconsistent or allow operations to proceed without required encryption, there's _potential_ for unintended data exposure or corruption.
An attacker might purposely provoke encryption failures (e.g., by setting up intermittent network conditions or server misconfigurations), causing log spam and possible denial-of-service due to hung or warn-locked processes.
### Example Exploit Scenario (for research/lab environments)
Suppose you have a CIFS/SMB2 share set for encryption. By interrupting the SMB server or manipulating key material availability, the kernel’s smb2_get_enc_key() can be forced to fail. On an unpatched system, file operations behave unpredictably — logs fill with the stack trace above and write operations may fail non-obviously.
Proof of Concept script (adjust for your lab setup)
# On Client (Linux):
mount -t cifs //server/share /mnt -o username=foo,password=bar,vers=3.,seal
# On Server:
# Simulate key not available: block or kill the process or restrict key access
# On Client:
tar czf /mnt/test.tar.gz /some/local/folder
# Watch dmesg output: should see kernel warnings and errors if unpatched
A patched kernel will halt the operation and return a user-facing error instead.
How to Protect Yourself
1. Update your kernel: Make sure you're running a version that includes the patch for CVE-2021-46960. Most distributions have published security updates for this issue.
2. Monitor for kernel warnings: Use dmesg or journalctl -k to make sure your system isn't hitting this or similar filesystem issues.
Disable unneeded SMB features if not using encrypted shares.
4. Test your environment with error conditions to see if file operations fail gracefully, especially after applying updates.
Summary
CVE-2021-46960 was a subtle but important bug in the Linux kernel’s CIFS code, where failing to return the proper error code when fetching an SMB2 encryption key could break normal kernel operation, fill logs with warnings, and potentially corrupt data. The fix is straightforward: return the right error, handle failures properly, and avoid “silent failure” of crucial filesystem operations.
For more, see the Linux kernel patch discussion and the official CVE-2021-46960 page.
Timeline
Published on: 02/27/2024 19:04:06 UTC
Last modified on: 12/11/2024 14:47:28 UTC