From: Wang Zhaolong <wangzhaolong1@huawei.com>
To: Paulo Alcantara <pc@manguebit.com>, <smfrench@gmail.com>
Cc: <linux-cifs@vger.kernel.org>, Frank Sorenson <sorenson@redhat.com>
Subject: Re: [PATCH 2/4] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
Date: Sat, 1 Jun 2024 19:50:44 +0800 [thread overview]
Message-ID: <60fcd1b4-c9d3-c072-a5d1-64a8b3d7cc1d@huawei.com> (raw)
In-Reply-To: <20231030201956.2660-2-pc@manguebit.com>
Hello,
I encountered some confusion while reviewing the source code related to
CVE-2023-52752.
I was able to reproduce the issue, and the original problem seems to be:
---
process 1 process 2(read /proc/fs/cifs/DebugData)
cifs_umount
cifs_put_tlink
cifs_put_tcon
cifs_put_smb_ses cifs_debug_data_proc_show
spin_unlock(&cifs_tcp_ses_lock)
spin_lock(&cifs_tcp_ses_lock);
list_for_each...(ses,server->smb_ses_list,...)
cifs_free_ipc
tconInfoFree(tcon)
if (ses->tcon_ipc)
cifs_debug_tcon(m,ses->tcon_ipc)
// UAF
ses->tcon_ipc = NULLl
spin_unlock(&cifs_tcp_ses_lock);
spin_lock(&cifs_tcp_ses_lock)
list_del_init(&ses->smb_ses_list)
spin_unlock(&cifs_tcp_ses_lock)
---
In commit ff7d80a9f271 ("cifs: fix session state transition to avoid use-after-free
issue"), setting ses_status to SES_EXITING was moved under the protection of
cifs_tcp_ses_lock.
In cifs_debug_data_proc_show(), the logic that checks ses->ses_status == SES_EXITING
already seems sufficient to avoid this issue. Therefore, it appears that ses->ses_lock
might not be necessary. Additionally, I am curious why ses->ses_lock needs to cover
such a large scope.
> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
> index 76922fcc4bc6..9a0ccd87468e 100644
> --- a/fs/smb/client/cifs_debug.c
> +++ b/fs/smb/client/cifs_debug.c
> @@ -452,6 +452,11 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
> seq_printf(m, "\n\n\tSessions: ");
> i = 0;
> list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
> + spin_lock(&ses->ses_lock);
> + if (ses->ses_status == SES_EXITING) {
> + spin_unlock(&ses->ses_lock);
> + continue;
> + }
> i++;
> if ((ses->serverDomain == NULL) ||
> (ses->serverOS == NULL) ||
> @@ -472,6 +477,7 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
> ses->ses_count, ses->serverOS, ses->serverNOS,
> ses->capabilities, ses->ses_status);
> }
> + spin_unlock(&ses->ses_lock);
>
> seq_printf(m, "\n\tSecurity type: %s ",
> get_security_type_str(server->ops->select_sectype(server, ses->sectype)));
I believe in the latest mainline, this could potentially be modified to:
```
diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
index c71ae5c04306..2d9e83b71643 100644
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
@@ -485,11 +485,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
seq_printf(m, "\n\n\tSessions: ");
i = 0;
list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
- spin_lock(&ses->ses_lock);
- if (ses->ses_status == SES_EXITING) {
- spin_unlock(&ses->ses_lock);
+ if (cifs_ses_exiting(ses))
continue;
- }
i++;
if ((ses->serverDomain == NULL) ||
(ses->serverOS == NULL) ||
@@ -512,7 +509,6 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
}
if (ses->expired_pwd)
seq_puts(m, "password no longer valid ");
- spin_unlock(&ses->ses_lock);
seq_printf(m, "\n\tSecurity type: %s ",
get_security_type_str(server->ops->select_sectype(server, ses->sectype)));
```
Best regards,
Wang Zhaolong
next prev parent reply other threads:[~2024-06-01 11:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-30 20:19 [PATCH 1/4] smb: client: remove extra @chan_count check in __cifs_put_smb_ses() Paulo Alcantara
2023-10-30 20:19 ` [PATCH 2/4] smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Paulo Alcantara
2023-10-31 3:17 ` Steve French
2024-06-01 11:50 ` Wang Zhaolong [this message]
2023-10-30 20:19 ` [PATCH 3/4] smb: client: fix potential deadlock when releasing mids Paulo Alcantara
2023-10-31 3:23 ` Steve French
2023-10-30 20:19 ` [PATCH 4/4] smb: client: fix use-after-free in smb2_query_info_compound() Paulo Alcantara
2023-10-31 3:09 ` Steve French
2023-11-04 12:23 ` Shyam Prasad N
2023-10-31 3:24 ` [PATCH 1/4] smb: client: remove extra @chan_count check in __cifs_put_smb_ses() Steve French
2023-11-02 12:30 ` Shyam Prasad N
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=60fcd1b4-c9d3-c072-a5d1-64a8b3d7cc1d@huawei.com \
--to=wangzhaolong1@huawei.com \
--cc=linux-cifs@vger.kernel.org \
--cc=pc@manguebit.com \
--cc=smfrench@gmail.com \
--cc=sorenson@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox