Patch "cifs: prevent use-after-free by freeing the cfile later" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    cifs: prevent use-after-free by freeing the cfile later

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-prevent-use-after-free-by-freeing-the-cfile-lat.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 30bd0e7f7fdf783ca47b8252b0fa867b464f3372
Author: Shyam Prasad N <sprasad@xxxxxxxxxxxxx>
Date:   Thu Jun 22 18:16:03 2023 +0000

    cifs: prevent use-after-free by freeing the cfile later
    
    [ Upstream commit 33f736187d08f6bc822117629f263b97d3df4165 ]
    
    In smb2_compound_op we have a possible use-after-free
    which can cause hard to debug problems later on.
    
    This was revealed during stress testing with KASAN enabled
    kernel. Fixing it by moving the cfile free call to
    a few lines below, after the usage.
    
    Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
    Reviewed-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx>
    Signed-off-by: Shyam Prasad N <sprasad@xxxxxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 163a03298430d..7e3ac4cb4efa6 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -398,9 +398,6 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
 					rsp_iov);
 
  finished:
-	if (cfile)
-		cifsFileInfo_put(cfile);
-
 	SMB2_open_free(&rqst[0]);
 	if (rc == -EREMCHG) {
 		pr_warn_once("server share %s deleted\n", tcon->tree_name);
@@ -529,6 +526,9 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
 		break;
 	}
 
+	if (cfile)
+		cifsFileInfo_put(cfile);
+
 	if (rc && err_iov && err_buftype) {
 		memcpy(err_iov, rsp_iov, 3 * sizeof(*err_iov));
 		memcpy(err_buftype, resp_buftype, 3 * sizeof(*err_buftype));



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux