NAK: [SRU][F][PATCH 2/2] smb: client: fix potential UAF in smb2_is_valid_lease_break()

Yuxuan Luo yuxuan.luo at canonical.com
Wed Feb 12 02:15:25 UTC 2025


On Fri, Feb 7, 2025 at 4:38 AM Stewart Hore <stewart.hore at canonical.com>
wrote:

> On Thu, Feb 06, 2025 at 08:10:54PM -0500, Yuxuan Luo wrote:
> > From: Paulo Alcantara <pc at manguebit.com>
> >
> > Skip sessions that are being torn down (status == SES_EXITING) to
> > avoid UAF.
> >
> > Cc: stable at vger.kernel.org
> > Signed-off-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
> > Signed-off-by: Steve French <stfrench at microsoft.com>
> > (backported from commit 705c76fbf726c7a2f6ff9143d4013b18daaaebf1)
> > [yuxuan.luo: ignored context conflicts and added the if statement.]
> > CVE-2024-35864
> > Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
> > ---
> >  fs/cifs/smb2misc.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
> > index d3d5d2c6c401..c5194b8e9c08 100644
> > --- a/fs/cifs/smb2misc.c
> > +++ b/fs/cifs/smb2misc.c
> > @@ -607,6 +607,8 @@ smb2_is_valid_lease_break(char *buffer)
> >       /* look up tcon based on tid & uid */
> >       spin_lock(&cifs_tcp_ses_lock);
> >       list_for_each(tmp, &cifs_tcp_ses_list) {
> > +             if (cifs_ses_exiting(ses))
> > +                     continue;
> >               server = list_entry(tmp, struct TCP_Server_Info,
> tcp_ses_list);
> >
> >               list_for_each(tmp1, &server->smb_ses_list) {
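Review bot: the added `if (cifs_ses_exiting(ses))` check sits at the top of the outer `list_for_each(tmp, &cifs_tcp_ses_list)` loop, ahead of the `server = list_entry(...)` assignment, and nothing visible in this hunk has assigned `ses` for the current entry at that point, so the check dereferences a pointer that does not yet refer to a session from this iteration. Sessions are walked by the inner `list_for_each(tmp1, &server->smb_ses_list)` loop, so the check belongs inside it, immediately after `ses` is derived from `tmp1`, where `continue` skips only the exiting session rather than the whole server entry. The backport note "[added the if statement]" should also say where the statement was placed relative to the upstream commit, so the deviation can be reviewed.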
> > --
> > 2.43.0
>
> The call to `cifs_ses_exiting(ses)` will dereference the `ses` pointer
> before it has been assigned.
>
> Suggested change: move the `if(cifs_ses_exiting(ses))` to after the `ses`
> assignment.
>

Thanks for catching it, sending a v2 patch.

