Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()

Hi Jianqi,

On 09/12/24 09:52, jianqi.ren.cn@xxxxxxxxxxxxx wrote:
From: Paulo Alcantara <pc@xxxxxxxxxxxxx>

[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]

Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@xxxxxxxxxxxxx>
---
  fs/smb/client/ioctl.c | 8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..173c8c76d31f 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,17 +246,23 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
  		spin_lock(&cifs_tcp_ses_lock);
  		list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
  			list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
-				if (ses_it->Suid == out.session_id) {
+				spin_lock(&ses_it->ses_lock);
+				if (ses_it->ses_status != SES_EXITING &&
+				    ses_it->Suid == out.session_id) {
  					ses = ses_it;
  					/*
  					 * since we are using the session outside the crit
  					 * section, we need to make sure it won't be released
  					 * so increment its refcount
  					 */
+
+					lockdep_assert_held(&cifs_tcp_ses_lock);

^^ This doesn't exist in the upstream commit, why is this needed?

Thanks,
Harshit
  					ses->ses_count++;
+					spin_unlock(&ses_it->ses_lock);
  					found = true;
  					goto search_end;
  				}
+				spin_unlock(&ses_it->ses_lock);
  			}
  		}
  search_end:
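Review bot: the added `lockdep_assert_held(&cifs_tcp_ses_lock);` (together with the stray blank `+` line that now separates the refcount comment from the `ses->ses_count++` it documents) is not in upstream commit 58acd1f497162e7d282077f816faa519487be045 referenced in the header, and within this function it is redundant: `spin_lock(&cifs_tcp_ses_lock)` is taken a few lines above in the same context block, so the assertion can never fire here. Either drop the two lines so the hunk matches upstream, or, if the backport intentionally deviates from upstream (for example because a helper used upstream does not exist in 6.1.y), say so in a note below the `---` so reviewers of the stable backport can see why. The locking itself looks right: `ses_it->ses_lock` is taken before the status/Suid check and released on both the found path (after the refcount bump) and the not-found path before the next iteration, which is what closes the window where a SES_EXITING session could be picked up and used after free.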
