NAK: [SRU][F][PATCH 2/2] smb: client: fix potential UAF in smb2_is_valid_lease_break()
Stewart Hore
stewart.hore at canonical.com
Fri Feb 7 09:38:32 UTC 2025
On Thu, Feb 06, 2025 at 08:10:54PM -0500, Yuxuan Luo wrote:
> From: Paulo Alcantara <pc at manguebit.com>
>
> Skip sessions that are being torn down (status == SES_EXITING) to
> avoid UAF.
>
> Cc: stable at vger.kernel.org
> Signed-off-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
> Signed-off-by: Steve French <stfrench at microsoft.com>
> (backported from commit 705c76fbf726c7a2f6ff9143d4013b18daaaebf1)
> [yuxuan.luo: ignored context conflicts and added the if statement.]
> CVE-2024-35864
> Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
> ---
> fs/cifs/smb2misc.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
> index d3d5d2c6c401..c5194b8e9c08 100644
> --- a/fs/cifs/smb2misc.c
> +++ b/fs/cifs/smb2misc.c
> @@ -607,6 +607,8 @@ smb2_is_valid_lease_break(char *buffer)
> /* look up tcon based on tid & uid */
> spin_lock(&cifs_tcp_ses_lock);
> list_for_each(tmp, &cifs_tcp_ses_list) {
> + if (cifs_ses_exiting(ses))
> + continue;
> server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list);
>
> list_for_each(tmp1, &server->smb_ses_list) {
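Review bot: the added `+ if (cifs_ses_exiting(ses))` sits in the outer `list_for_each(tmp, &cifs_tcp_ses_list)` loop, where `ses` has not yet been assigned for this iteration (sessions are only walked in the inner `list_for_each(tmp1, &server->smb_ses_list)` loop), so the check dereferences a pointer that does not refer to the session being examined and the `continue` skips a server rather than an exiting session. Move the two added lines into the inner loop, directly after `ses` is assigned from `tmp1`, so that only the session with status SES_EXITING is skipped; as written the backport does not deliver the UAF fix that the commit message and CVE-2024-35864 describe.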
> --
> 2.43.0
The call to `cifs_ses_exiting(ses)` will dereference the `ses` pointer
before it has been assigned.
Suggested change: move the `if (cifs_ses_exiting(ses))` to after the `ses`
assignment.
--
kernel-team mailing list
kernel-team at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team