| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250516031923.159247-1-wangzhaolong1@huawei.com> Date: Fri, 16 May 2025 11:19:21 +0800 From: Wang Zhaolong <wangzhaolong1@...wei.com> To: <sfrench@...ba.org>, <sfrench@...ibm.com> CC: <linux-cifs@...r.kernel.org>, <samba-technical@...ts.samba.org>, <linux-kernel@...r.kernel.org>, <wangzhaolong1@...wei.com>, <yi.zhang@...wei.com>, <yangerkun@...wei.com>, <chengzhihao1@...wei.com> Subject: [PATCH -next 0/2] smb: client: Fix use-after-free in readdir This patch series addresses a use-after-free vulnerability in the SMB/CIFS client readdir implementation that can be triggered during concurrent directory reads when a signal interrupts directory enumeration. The root cause is in the operation sequence in find_cifs_entry(): 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS) 2. The code continues to access last_entry pointer before checking the return code 3. This can access freed memory since the buffer may have been released The race condition can be triggered by processes accessing the same directory with concurrent readdir operations, especially when signals are involved. The fix is straightforward: 1. First patch ensures we check the return code before using any pointers 2. Second patch improves defensiveness by resetting all related buffer pointers when freeing the network buffer Wang Zhaolong (2): smb: client: Fix use-after-free in cifs_fill_dirent cifs: Reset all search buffer pointers when releasing buffer fs/smb/client/readdir.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -- 2.34.3
Powered by blists - more mailing lists