[PATCH] smb: client: fix potential UAF and double free it smb2_open

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
@ 2026-02-05 16:19 Paulo Alcantara
  2026-02-05 18:41 ` ChenXiaoSong
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Paulo Alcantara @ 2026-02-05 16:19 UTC (permalink / raw)
  To: smfrench; +Cc: David Howells, Paulo Alcantara (Red Hat), ChenXiaoSong,
	linux-cifs

Zero out @err_iov and @err_buftype before retrying SMB2_open() to
prevent an UAF bug if @data != NULL, otherwise a double free.

Fixes: e3a43633023e ("smb/client: fix memory leak in smb2_open_file()")
Reported-by: David Howells <dhowells@redhat.com>
Closes: https://lore.kernel.org/r/2892312.1770306653@warthog.procyon.org.uk
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: ChenXiaoSong <chenxiaosong@kylinos.cn>
Cc: linux-cifs@vger.kernel.org
---
 fs/smb/client/smb2file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index 2dd08388ea87..1f7f284a7844 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -179,6 +179,8 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
 		       &err_buftype);
 	if (rc == -EACCES && retry_without_read_attributes) {
 		free_rsp_buf(err_buftype, err_iov.iov_base);
+		memset(&err_iov, 0, sizeof(err_iov));
+		err_buftype = CIFS_NO_BUFFER;
 		oparms->desired_access &= ~FILE_READ_ATTRIBUTES;
 		rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
 			       &err_buftype);
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
  2026-02-05 16:19 [PATCH] smb: client: fix potential UAF and double free it smb2_open_file() Paulo Alcantara
@ 2026-02-05 18:41 ` ChenXiaoSong
  2026-02-05 19:10 ` ChenXiaoSong
  2026-02-05 20:13 ` Steve French
  2 siblings, 0 replies; 5+ messages in thread
From: ChenXiaoSong @ 2026-02-05 18:41 UTC (permalink / raw)
  To: Paulo Alcantara, smfrench; +Cc: David Howells, linux-cifs

Looks good. Feel free to add:

Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>

On 2/6/26 12:19 AM, Paulo Alcantara wrote:
> Zero out @err_iov and @err_buftype before retrying SMB2_open() to
> prevent an UAF bug if @data != NULL, otherwise a double free.
> 
> Fixes: e3a43633023e ("smb/client: fix memory leak in smb2_open_file()")
> Reported-by: David Howells <dhowells@redhat.com>
> Closes: https://lore.kernel.org/r/2892312.1770306653@warthog.procyon.org.uk
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
> Reviewed-by: David Howells <dhowells@redhat.com>
> Cc: ChenXiaoSong <chenxiaosong@kylinos.cn>
> Cc: linux-cifs@vger.kernel.org
> ---
>   fs/smb/client/smb2file.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
> index 2dd08388ea87..1f7f284a7844 100644
> --- a/fs/smb/client/smb2file.c
> +++ b/fs/smb/client/smb2file.c
> @@ -179,6 +179,8 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
>   		       &err_buftype);
>   	if (rc == -EACCES && retry_without_read_attributes) {
>   		free_rsp_buf(err_buftype, err_iov.iov_base);
> +		memset(&err_iov, 0, sizeof(err_iov));
> +		err_buftype = CIFS_NO_BUFFER;
>   		oparms->desired_access &= ~FILE_READ_ATTRIBUTES;
>   		rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
>   			       &err_buftype);


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
  2026-02-05 16:19 [PATCH] smb: client: fix potential UAF and double free it smb2_open_file() Paulo Alcantara
  2026-02-05 18:41 ` ChenXiaoSong
@ 2026-02-05 19:10 ` ChenXiaoSong
  2026-02-05 19:15   ` Steve French
  2026-02-05 20:13 ` Steve French
  2 siblings, 1 reply; 5+ messages in thread
From: ChenXiaoSong @ 2026-02-05 19:10 UTC (permalink / raw)
  To: Paulo Alcantara, smfrench; +Cc: David Howells, linux-cifs

Is there a typo in the subject? Should it be "in ..." instead of "it ..."?

Thanks,
ChenXiaoSong <chenxiaosong@kylinos.cn>

On 2/6/26 12:19 AM, Paulo Alcantara wrote:
> [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
  2026-02-05 19:10 ` ChenXiaoSong
@ 2026-02-05 19:15   ` Steve French
  0 siblings, 0 replies; 5+ messages in thread
From: Steve French @ 2026-02-05 19:15 UTC (permalink / raw)
  To: ChenXiaoSong; +Cc: Paulo Alcantara, David Howells, linux-cifs

On Thu, Feb 5, 2026 at 1:10 PM ChenXiaoSong
<chenxiaosong.chenxiaosong@linux.dev> wrote:
>
> Is there a typo in the subject? Should it be "in ..." instead of "it ..."?

Yes - I will fix the typo

> Thanks,
> ChenXiaoSong <chenxiaosong@kylinos.cn>
>
> On 2/6/26 12:19 AM, Paulo Alcantara wrote:
> > [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
>


-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] smb: client: fix potential UAF and double free it smb2_open_file()
  2026-02-05 16:19 [PATCH] smb: client: fix potential UAF and double free it smb2_open_file() Paulo Alcantara
  2026-02-05 18:41 ` ChenXiaoSong
  2026-02-05 19:10 ` ChenXiaoSong
@ 2026-02-05 20:13 ` Steve French
  2 siblings, 0 replies; 5+ messages in thread
From: Steve French @ 2026-02-05 20:13 UTC (permalink / raw)
  To: Paulo Alcantara; +Cc: David Howells, ChenXiaoSong, linux-cifs

corrected typo and added Chen's Reviewed-by and merged into
cifs-2.6.git for-next

On Thu, Feb 5, 2026 at 10:19 AM Paulo Alcantara <pc@manguebit.org> wrote:
>
> Zero out @err_iov and @err_buftype before retrying SMB2_open() to
> prevent an UAF bug if @data != NULL, otherwise a double free.
>
> Fixes: e3a43633023e ("smb/client: fix memory leak in smb2_open_file()")
> Reported-by: David Howells <dhowells@redhat.com>
> Closes: https://lore.kernel.org/r/2892312.1770306653@warthog.procyon.org.uk
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
> Reviewed-by: David Howells <dhowells@redhat.com>
> Cc: ChenXiaoSong <chenxiaosong@kylinos.cn>
> Cc: linux-cifs@vger.kernel.org
> ---
>  fs/smb/client/smb2file.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
> index 2dd08388ea87..1f7f284a7844 100644
> --- a/fs/smb/client/smb2file.c
> +++ b/fs/smb/client/smb2file.c
> @@ -179,6 +179,8 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
>                        &err_buftype);
>         if (rc == -EACCES && retry_without_read_attributes) {
>                 free_rsp_buf(err_buftype, err_iov.iov_base);
> +               memset(&err_iov, 0, sizeof(err_iov));
> +               err_buftype = CIFS_NO_BUFFER;
>                 oparms->desired_access &= ~FILE_READ_ATTRIBUTES;
>                 rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
>                                &err_buftype);
> --
> 2.52.0
>


-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-02-05 20:13 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-05 16:19 [PATCH] smb: client: fix potential UAF and double free it smb2_open_file() Paulo Alcantara
2026-02-05 18:41 ` ChenXiaoSong
2026-02-05 19:10 ` ChenXiaoSong
2026-02-05 19:15   ` Steve French
2026-02-05 20:13 ` Steve French

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.