lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <b5748a5a-3ca9-4cbd-8391-864909c98e6c@oracle.com>
Date: Mon, 9 Dec 2024 11:30:09 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: jianqi.ren.cn@...driver.com, pc@...guebit.com, gregkh@...uxfoundation.org
Cc: stable@...r.kernel.org, sfrench@...ba.org, pc@....nz, lsahlber@...hat.com,
        sprasad@...rosoft.com, tom@...pey.com, linux-cifs@...r.kernel.org,
        linux-kernel@...r.kernel.org, samba-technical@...ts.samba.org,
        Vegard Nossum <vegard.nossum@...cle.com>
Subject: Re: [PATCH 6.1.y] smb: client: fix potential UAF in
 cifs_dump_full_key()

Hi Jianqi,

On 09/12/24 09:52, jianqi.ren.cn@...driver.com wrote:
> From: Paulo Alcantara <pc@...guebit.com>
> 
> [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
> 
> Skip sessions that are being teared down (status == SES_EXITING) to
> avoid UAF.
> 
> Cc: stable@...r.kernel.org
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@...guebit.com>
> Signed-off-by: Steve French <stfrench@...rosoft.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@...driver.com>
> ---
>   fs/smb/client/ioctl.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
> index ae9905e2b9d4..173c8c76d31f 100644
> --- a/fs/smb/client/ioctl.c
> +++ b/fs/smb/client/ioctl.c
> @@ -246,17 +246,23 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
>   		spin_lock(&cifs_tcp_ses_lock);
>   		list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
>   			list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
> -				if (ses_it->Suid == out.session_id) {
> +				spin_lock(&ses_it->ses_lock);
> +				if (ses_it->ses_status != SES_EXITING &&
> +				    ses_it->Suid == out.session_id) {
>   					ses = ses_it;
>   					/*
>   					 * since we are using the session outside the crit
>   					 * section, we need to make sure it won't be released
>   					 * so increment its refcount
>   					 */
> +
> +					lockdep_assert_held(&cifs_tcp_ses_lock);

^^ This doesn't exist in upstream commit, why is this needed ?

Thanks,
Harshit
>   					ses->ses_count++;
> +					spin_unlock(&ses_it->ses_lock);
>   					found = true;
>   					goto search_end;
>   				}
> +				spin_unlock(&ses_it->ses_lock);
>   			}
>   		}
>   search_end:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ