APPLIED: [SRU][F/J][PATCH v2 0/2] CVE-2024-35864/CVE-2024-26928
Koichiro Den
koichiro.den at canonical.com
Fri Feb 28 03:16:34 UTC 2025
On Tue, Feb 11, 2025 at 09:12:28PM GMT, Yuxuan Luo wrote:
> v2: Fix a problem where ses members are accessed before ses is assigned.
>
> [Impact]
> When an SMB client is disconnecting or, specifically, tearing down a
> session, a use-after-free vulnerability might happen, potentially
> leading to privilege escalation or a system crash.
>
> [Backport]
> The fix commit for CVE-2024-26928 introduces a dependent helper function
> for CVE-2024-35864, thus combining them together.
>
> For PATCH 1/2, certain variables hadn't been
> renamed/introduced yet:
> - ses->ses_status was ses->status.
> - SES_EXITING was CifsExiting.
> - use GlobalMid_Lock instead of ses->ses_lock since the latter hadn't
> been introduced yet.
>
> For PATCH 2/2, the context conflict is irrelevant to the fix, so it is
> ignored and the if statement is added.
>
> [Test]
> Compile tested only.
>
> [Where Problems Could Occur]
> Regression might happen when an SMB client is tearing down a session.
>
> Paulo Alcantara (2):
> smb: client: fix potential UAF in cifs_debug_files_proc_show()
> smb: client: fix potential UAF in smb2_is_valid_lease_break()
>
> fs/cifs/cifs_debug.c | 2 ++
> fs/cifs/cifsglob.h | 10 ++++++++++
> fs/cifs/smb2misc.c | 2 ++
> 3 files changed, 14 insertions(+)
>
Applied to jammy:linux, focal:linux master-next branches. Thanks!