lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 1 Aug 2020 09:49:43 -0500
From:   Steve French <smfrench@...il.com>
To:     Colin King <colin.king@...onical.com>
Cc:     Steve French <sfrench@...ba.org>, Aurelien Aptel <aaptel@...e.com>,
        Paulo Alcantara <pc@....nz>, CIFS <linux-cifs@...r.kernel.org>,
        samba-technical <samba-technical@...ts.samba.org>,
        kernel-janitors <kernel-janitors@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH][next] cifs: fix double free error on share and prefix

merged into cifs-2.6.git for-next

On Fri, Jul 31, 2020 at 12:15 PM Colin King <colin.king@...onical.com> wrote:
>
> From: Colin Ian King <colin.king@...onical.com>
>
> Currently if the call dfs_cache_get_tgt_share fails we cannot
> fully guarantee that share and prefix are set to NULL and the
> next iteration of the loop can end up potentially double freeing
> these pointers. Since the semantics of dfs_cache_get_tgt_share
> are ambiguous for failure cases with the setting of share and
> prefix (currently now and the possibly the future), it seems
> prudent to set the pointers to NULL when the objects are
> free'd to avoid any double frees.
>
> Addresses-Coverity: ("Double free")
> Fixes: 96296c946a2a ("cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
>  fs/cifs/connect.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 3c4dd4e1b9eb..4b2f5f5b3a8e 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -5574,6 +5574,8 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
>
>                 kfree(share);
>                 kfree(prefix);
> +               share = NULL;
> +               prefix = NULL;
>
>                 rc = dfs_cache_get_tgt_share(tcon->dfs_path + 1, it, &share, &prefix);
>                 if (rc) {
> --
> 2.27.0
>


-- 
Thanks,

Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ