public inbox for stable@vger.kernel.org
From: Namjae Jeon <linkinjeon@kernel.org>
To: gregkh@linuxfoundation.org, sashal@kernel.org
Cc: stable@vger.kernel.org, Fedor Pchelkin <pchelkin@ispras.ru>,
	Namjae Jeon <linkinjeon@kernel.org>,
	Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.15.y 07/11] ksmbd: free ppace array on error in parse_dacl
Date: Sun, 21 Jan 2024 23:30:34 +0900	[thread overview]
Message-ID: <20240121143038.10589-8-linkinjeon@kernel.org> (raw)
In-Reply-To: <20240121143038.10589-1-linkinjeon@kernel.org>

From: Fedor Pchelkin <pchelkin@ispras.ru>

[ Upstream commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e ]

The ppace array is not freed if one of the init_acl_state() calls inside
parse_dacl() fails. At the moment the function may fail only due to
memory allocation errors, so it's highly unlikely in this case, but
nevertheless a fix is needed.

Move ppace allocation after the init_acl_state() calls with proper error
handling.

Found by Linux Verification Center (linuxtesting.org).

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
 fs/ksmbd/smbacl.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 9ace5027684d..3a6c0abdb035 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -399,10 +399,6 @@ static void parse_dacl(struct user_namespace *user_ns,
 	if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
 		return;
 
-	ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
-	if (!ppace)
-		return;
-
 	ret = init_acl_state(&acl_state, num_aces);
 	if (ret)
 		return;
@@ -412,6 +408,13 @@ static void parse_dacl(struct user_namespace *user_ns,
 		return;
 	}
 
+	ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
+	if (!ppace) {
+		free_acl_state(&default_acl_state);
+		free_acl_state(&acl_state);
+		return;
+	}
+
 	/*
 	 * reset rwx permissions for user/group/other.
 	 * Also, if num_aces is 0 i.e. DACL has no ACEs,
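Review bot: the new `if (!ppace)` branch frees `default_acl_state` and then `acl_state`, i.e. in reverse order of initialisation, which is the right cleanup for an allocation that happens after both init_acl_state() calls succeed. The context lines just above (`return;` / `}`) are the failure branch of the second init_acl_state() call; it should already release `acl_state` on its own, so it is worth confirming that the two error paths stay consistent. Because parse_dacl() returns void, the caller cannot tell an allocation failure from an empty DACL; that is pre-existing behaviour and not changed here, but a one-line comment on the silent return would help the next reader.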
-- 
2.25.1

