From: Wang Zhaolong <wangzhaolong1@huawei.com>
To: Paulo Alcantara <pc@manguebit.com>, <smfrench@gmail.com>
Cc: <linux-cifs@vger.kernel.org>
Subject: Re: [PATCH 01/12] smb: client: fix potential UAF in cifs_debug_files_proc_show()
Date: Sat, 1 Jun 2024 19:31:50 +0800 [thread overview]
Message-ID: <aaf165e4-a5ad-cb66-2c39-2ee6b39939d5@huawei.com> (raw)
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
Hello,
I have some questions regarding CVE-2024-26928.
I would like to confirm whether the phrase "fix potential UAF in
cifs_debug_files_proc_show()" implies that the UAF issue does not
actually exist, correct?
Based on my analysis, `cifs_tcp_ses_lock` plays a crucial role in
preventing the UAF.
After adding `ses` to the `smb_ses_list` list, the only place where
the `ses` is freed is in the `__cifs_put_smb_ses` function:
```
__cifs_put_smb_ses()
...
spin_lock(&cifs_tcp_ses_lock);
list_del_init(&ses->smb_ses_list);
spin_unlock(&cifs_tcp_ses_lock);
...
sesInfoFree(ses);
```
The `ses` is freed only after it is removed from the list, and this
removal is protected by `cifs_tcp_ses_lock`.
In `cifs_debug_files_proc_show()`, the `cifs_tcp_ses_lock` is still
held, ensuring that during access to the `ses` that is about to be
destroyed, the `ses` will not be freed in `__cifs_put_smb_ses()`,
thus preventing a UAF issue.
```
cifs_debug_files_proc_show()
...
spin_lock(&cifs_tcp_ses_lock);
...
list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list)
...
spin_lock(&cifs_tcp_ses_lock);
```
Based on this understanding, I wonder if the issue addressed by
this CVE might not be a genuine problem. I am also curious about
the series of patches considered as fixes for this CVE.
Best regards,
Wang Zhaolong
> Skip sessions that are being teared down (status == SES_EXITING) to
> avoid UAF.
>
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
> fs/smb/client/cifs_debug.c | 2 ++
> fs/smb/client/cifsglob.h | 10 ++++++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
> index 226d4835c92d..c9aec9a38ad3 100644
> --- a/fs/smb/client/cifs_debug.c
> +++ b/fs/smb/client/cifs_debug.c
> @@ -250,6 +250,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v)
> spin_lock(&cifs_tcp_ses_lock);
> list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
> list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
> + if (cifs_ses_exiting(ses))
> + continue;
> list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
> spin_lock(&tcon->open_file_lock);
> list_for_each_entry(cfile, &tcon->openFileList, tlist) {
> diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
> index 286afbe346be..f67607319c43 100644
> --- a/fs/smb/client/cifsglob.h
> +++ b/fs/smb/client/cifsglob.h
> @@ -2322,4 +2322,14 @@ struct smb2_compound_vars {
> struct kvec ea_iov;
> };
>
> +static inline bool cifs_ses_exiting(struct cifs_ses *ses)
> +{
> + bool ret;
> +
> + spin_lock(&ses->ses_lock);
> + ret = ses->ses_status == SES_EXITING;
> + spin_unlock(&ses->ses_lock);
> + return ret;
> +}
> +
> #endif /* _CIFS_GLOB_H */
next prev parent reply other threads:[~2024-06-01 11:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-02 19:33 [PATCH 01/12] smb: client: fix potential UAF in cifs_debug_files_proc_show() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 02/12] smb: client: fix potential UAF in cifs_dump_full_key() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 03/12] smb: client: fix potential UAF in cifs_stats_proc_write() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 04/12] smb: client: fix potential UAF in cifs_stats_proc_show() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 05/12] smb: client: fix potential UAF in smb2_check_message() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 06/12] smb: client: fix potential UAF in smb2_is_valid_lease_break() Paulo Alcantara
2024-04-02 19:33 ` [PATCH 07/12] smb: client: fix potential UAF in smb2_is_valid_oplock_break() Paulo Alcantara
2024-04-02 19:34 ` [PATCH 08/12] smb: client: fix potential UAF in is_valid_oplock_break() Paulo Alcantara
2024-04-02 19:34 ` [PATCH 09/12] smb: client: fix potential UAF in smb2_get_sign_key() Paulo Alcantara
2024-04-02 22:02 ` Paulo Alcantara
2024-04-02 19:34 ` [PATCH 10/12] smb: client: fix potential UAF in smb2_is_network_name_deleted() Paulo Alcantara
2024-04-02 19:34 ` [PATCH 11/12] smb: client: fix potential UAF in smb2_get_enc_key() Paulo Alcantara
2024-04-02 21:40 ` Steve French
2024-04-02 21:48 ` Paulo Alcantara
2024-04-02 22:43 ` Paulo Alcantara
2024-04-02 19:34 ` [PATCH 12/12] smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Paulo Alcantara
2024-06-01 11:31 ` Wang Zhaolong [this message]
2024-06-01 21:14 ` [PATCH 01/12] smb: client: fix potential UAF in cifs_debug_files_proc_show() Paulo Alcantara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaf165e4-a5ad-cb66-2c39-2ee6b39939d5@huawei.com \
--to=wangzhaolong1@huawei.com \
--cc=linux-cifs@vger.kernel.org \
--cc=pc@manguebit.com \
--cc=smfrench@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox