This is a note to let you know that I've just added the patch titled

    ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename()

to the 6.3-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
and it can be found in the queue-6.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Fri, 12 May 2023 17:05:41 +0900
Subject: ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename()

From: Namjae Jeon <linkinjeon@xxxxxxxxxx>

commit 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 upstream.

Uninitialized rd.delegated_inode can be used in vfs_rename().
Fix this by setting rd.delegated_inode to NULL to avoid the uninitialized read.

Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Reported-by: Coverity Scan <scan-admin@xxxxxxxxxxxx>
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
--- fs/ksmbd/vfs.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ksmbd/vfs.c +++ b/fs/ksmbd/vfs.c 
@@ -769,6 +769,7 @@ retry: rd.new_dir = new_path.dentry->d_inode, rd.new_dentry = new_dentry, rd.flags = flags, + rd.delegated_inode = NULL, err = vfs_rename(&rd); if (err) ksmbd_debug(VFS, "vfs_rename failed err %d\n", err); Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxxx are queue-6.3/ksmbd-validate-session-id-and-tree-id-in-the-compound-request.patch queue-6.3/ksmbd-add-mnt_want_write-to-ksmbd-vfs-functions.patch queue-6.3/ksmbd-remove-internal.h-include.patch queue-6.3/ksmbd-validate-command-payload-size.patch queue-6.3/fs-introduce-lock_rename_child-helper.patch queue-6.3/ksmbd-call-putname-after-using-the-last-component.patch queue-6.3/ksmbd-fix-out-of-bound-read-in-smb2_write.patch queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch queue-6.3/ksmbd-fix-racy-issue-from-using-d_parent-and-d_name.patch
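
Review bot: setting `rd.delegated_inode = NULL` by hand, just before `err = vfs_rename(&rd);`, fixes this one member but leaves the same class of bug open for any other member of rd that is not assigned in this block. If rd is a stack variable with no initializer, as the commit message implies, zero-initializing it at its declaration or building it with a designated initializer would cover delegated_inode and any member added to the structure later. As a style point, the added line ends in a comma like the assignments above it, so the whole run through the vfs_rename() call is one comma expression; it is sequenced correctly, but terminating each assignment with a semicolon would make the block read as the separate statements it is meant to be.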