lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <860a4f7600814b17e48dbabe1ae19f68@manguebit.com>
Date: Fri, 16 May 2025 10:49:59 -0300
From: Paulo Alcantara <pc@...guebit.com>
To: Wang Zhaolong <wangzhaolong1@...wei.com>, sfrench@...ba.org,
 sfrench@...ibm.com
Cc: linux-cifs@...r.kernel.org, samba-technical@...ts.samba.org,
 linux-kernel@...r.kernel.org, chengzhihao1@...wei.com,
 wangzhaolong1@...wei.com, yi.zhang@...wei.com, yangerkun@...wei.com
Subject: Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir

Wang Zhaolong <wangzhaolong1@...wei.com> writes:

> V2:
>   - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
>   - The titles of patches follow the same style.
>
> This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> client readdir implementation that can be triggered during concurrent
> directory reads when a signal interrupts directory enumeration.
>
> The root cause is in the operation sequence in find_cifs_entry():
> 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> 2. The code continues to access last_entry pointer before checking the return code
> 3. This can access freed memory since the buffer may have been released
>
> The race condition can be triggered by processes accessing the same directory
> with concurrent readdir operations, especially when signals are involved.
>
> The fix is straightforward:
> 1. First patch ensures we check the return code before using any pointers
> 2. Second patch improves defensiveness by resetting all related buffer pointers
>    when freeing the network buffer
>
> Wang Zhaolong (2):
>   smb: client: Fix use-after-free in cifs_fill_dirent
>   smb: client: Reset all search buffer pointers when releasing buffer
>
>  fs/smb/client/readdir.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Reviewed-by: Paulo Alcantara (Red Hat) <pc@...guebit.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ