From: <jianqi.ren.cn@windriver.com>
To: <pc@manguebit.com>, <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>, <sfrench@samba.org>, <pc@cjr.nz>,
<lsahlber@redhat.com>, <sprasad@microsoft.com>, <tom@talpey.com>,
<linux-cifs@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<samba-technical@lists.samba.org>
Subject: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
Date: Mon, 9 Dec 2024 16:58:13 +0800
Message-ID: <20241209085813.823573-1-jianqi.ren.cn@windriver.com>
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..7402070b7a06 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
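Review bot: the comment beginning "since we are using the session outside the crit" should now also state why the SES_EXITING test and the ses_count++ that follows it sit under the same ses_lock hold: if the lock were dropped between the check and the increment, a teardown that flips ses_status to SES_EXITING in that gap would still hand the caller a session on its way out, which is exactly the window the patch closes. A one-line addition such as "check ses_status and take the reference under ses_lock so a concurrent teardown cannot slip in between" would make that intent survive the next refactor. Separately, the commit message says "status == SES_EXITING" while the field tested here is ses_status; aligning the wording with the field name helps anyone grepping the stable tree for the affected code. Since ses_lock is taken here while cifs_tcp_ses_lock is already held, also confirm that cifs_put_smb_ses() on this branch uses the same outer/inner order, as the inverse nesting anywhere would deadlock.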
@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
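Review bot: the two separate spin_unlock(&ses_it->ses_lock) calls, one before "found = true;" and one after the closing brace of the if, are easy to unbalance in a later edit; a more robust shape is to evaluate the match under the lock, bump ses_count there, unlock once, and then do the control transfer outside the locked region, e.g. "if (found) goto search_end;" after the single unlock. Also note that with this change a session whose Suid equals out.session_id but which is SES_EXITING is now indistinguishable from no matching session at all; the not-found handling after search_end: is outside the hunk, so confirm that the error the ioctl caller receives in that case is the intended one.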
--
2.25.1
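The race the commit message refers to, as an added user-space model that is not part of this patch or of the kernel's cifs client. struct ses, ses_add(), ses_put_begin(), ses_put_finish(), ses_find_unsafe(), ses_find_safe(), lookup_dangles() and live_lookup_refcount() are invented stand-ins for struct cifs_ses, cifs_put_smb_ses() and the search loop in cifs_dump_full_key(); locks are omitted, teardown is split into two steps to expose the window, and "freed" is a flag set instead of calling free() so the dangling pointer can be inspected safely. The model runs the interleaving in a fixed order: the last reference is dropped and the session is marked exiting, a lookup lands in that window, then the owner finishes teardown.

```c
/*
 * Added example: single-threaded model of the lookup/teardown race
 * fixed above. Not kernel code; names are stand-ins for the cifs ones.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum ses_status { SES_GOOD, SES_EXITING };

struct ses {
	uint64_t suid;          /* stands in for cifs_ses.Suid */
	enum ses_status status; /* stands in for cifs_ses.ses_status */
	int ses_count;          /* stands in for cifs_ses.ses_count */
	bool freed;             /* model only: set instead of kfree() */
	struct ses *next;       /* stands in for the smb_ses_list linkage */
};

static struct ses *ses_list; /* stands in for server->smb_ses_list */

struct ses *ses_add(uint64_t suid)
{
	struct ses *s = calloc(1, sizeof(*s));
	if (!s)
		abort();
	s->suid = suid;
	s->status = SES_GOOD;
	s->ses_count = 1;
	s->next = ses_list;
	ses_list = s;
	return s;
}

/* First half of teardown: last reference dropped, session marked EXITING
 * but still linked. The kernel does this under cifs_tcp_ses_lock and
 * ses_lock. Returns true when teardown has started. */
bool ses_put_begin(struct ses *s)
{
	if (--s->ses_count > 0)
		return false;
	s->status = SES_EXITING;
	return true;
}

/* Second half: unlink and release. The owner does not re-check ses_count,
 * so a reference taken after ses_put_begin() dangles. */
void ses_put_finish(struct ses *s)
{
	struct ses **pp;

	for (pp = &ses_list; *pp; pp = &(*pp)->next) {
		if (*pp == s) {
			*pp = s->next;
			break;
		}
	}
	s->freed = true; /* model only; the kernel frees the object here */
}

/* Lookup as before the fix: match on Suid only, then take a reference. */
struct ses *ses_find_unsafe(uint64_t suid)
{
	for (struct ses *s = ses_list; s; s = s->next) {
		if (s->suid == suid) {
			s->ses_count++;
			return s;
		}
	}
	return NULL;
}

/* Lookup as after the fix: the status check and the refcount bump form
 * one step, which in the kernel is what holding ses_lock across both
 * guarantees. */
struct ses *ses_find_safe(uint64_t suid)
{
	for (struct ses *s = ses_list; s; s = s->next) {
		if (s->status != SES_EXITING && s->suid == suid) {
			s->ses_count++;
			return s;
		}
	}
	return NULL;
}

/* Drive the race with a given lookup routine. Returns true if the lookup
 * handed out a pointer to a session that teardown then released. */
bool lookup_dangles(struct ses *(*find)(uint64_t))
{
	ses_list = NULL;
	struct ses *s = ses_add(0x1234);          /* constructed Suid */
	bool exiting = ses_put_begin(s);          /* refcount 0, EXITING */
	struct ses *got = find(0x1234);           /* lookup in the window */
	ses_put_finish(s);                        /* owner releases anyway */
	bool dangles = exiting && got && got->freed;
	free(s);
	return dangles;
}

/* Sanity check that the fixed lookup still finds a live session and
 * takes a reference on it (expected ses_count: 2). */
int live_lookup_refcount(void)
{
	ses_list = NULL;
	struct ses *s = ses_add(0x77);            /* constructed Suid */
	struct ses *got = ses_find_safe(0x77);
	int count = (got == s) ? got->ses_count : -1;
	ses_list = NULL;
	free(s);
	return count;
}

int main(void)
{
	printf("pre-fix lookup dangles:  %s\n",
	       lookup_dangles(ses_find_unsafe) ? "yes" : "no");
	printf("post-fix lookup dangles: %s\n",
	       lookup_dangles(ses_find_safe) ? "yes" : "no");
	return 0;
}
```

The model deliberately keeps teardown ignorant of references taken after it has begun, which is why the pre-fix lookup ends up holding a released object; the fix does not make teardown smarter, it makes the lookup refuse sessions that are already exiting, and that refusal is only sound because the kernel evaluates the status and bumps ses_count under the same lock.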
Thread overview: 7+ messages
2024-12-09 8:58 jianqi.ren.cn [this message]
2024-12-12 12:09 ` [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key() Greg KH
-- strict thread matches above, loose matches on Subject: below --
2025-03-19 2:37 jianqi.ren.cn
2024-12-11 10:15 jianqi.ren.cn
2024-12-11 9:59 jianqi.ren.cn
2024-12-09 4:22 jianqi.ren.cn
2024-12-09 6:00 ` Harshit Mogalapalli