| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250516031923.159247-3-wangzhaolong1@huawei.com>
Date: Fri, 16 May 2025 11:19:23 +0800
From: Wang Zhaolong <wangzhaolong1@...wei.com>
To: <sfrench@...ba.org>, <sfrench@...ibm.com>
CC: <linux-cifs@...r.kernel.org>, <samba-technical@...ts.samba.org>,
<linux-kernel@...r.kernel.org>, <wangzhaolong1@...wei.com>,
<yi.zhang@...wei.com>, <yangerkun@...wei.com>, <chengzhihao1@...wei.com>
Subject: [PATCH -next 2/2] cifs: Reset all search buffer pointers when releasing buffer
Multiple pointers in struct cifs_search_info (ntwrk_buf_start,
srch_entries_start, and last_entry) point to the same allocated buffer.
However, when freeing this buffer, only ntwrk_buf_start was set to NULL,
while the other pointers remained pointing to freed memory.
This is defensive programming to prevent potential issues with stale
pointers. While the active UAF vulnerability is fixed by the previous
patch.
Signed-off-by: Wang Zhaolong <wangzhaolong1@...wei.com>
---
fs/smb/client/readdir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c
index 67d7dd64b5e2..787d6bcb5d1d 100644
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -731,11 +731,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
cifs_small_buf_release(cfile->srch_inf.
ntwrk_buf_start);
else
cifs_buf_release(cfile->srch_inf.
ntwrk_buf_start);
+ /* Reset all pointers to the network buffer to prevent stale references */
cfile->srch_inf.ntwrk_buf_start = NULL;
+ cfile->srch_inf.srch_entries_start = NULL;
+ cfile->srch_inf.last_entry = NULL;
}
rc = initiate_cifs_search(xid, file, full_path);
if (rc) {
cifs_dbg(FYI, "error %d reinitiating a search on rewind\n",
rc);
--
2.34.3
Powered by blists - more mailing lists