lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aa4ecd85deb859ad32ba7f649321084b@manguebit.org>
Date: Fri, 11 Jul 2025 11:49:49 -0300
From: Paulo Alcantara <pc@...guebit.org>
To: Wang Zhaolong <wangzhaolong@...weicloud.com>, sfrench@...ba.org,
 pshilov@...rosoft.com, aaptel@...e.com
Cc: linux-cifs@...r.kernel.org, samba-technical@...ts.samba.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH V2] smb: client: fix use-after-free in cifs_oplock_break

Wang Zhaolong <wangzhaolong@...weicloud.com> writes:

> A race condition can occur in cifs_oplock_break() leading to a
> use-after-free of the cinode structure when unmounting:
>
>   cifs_oplock_break()
>     _cifsFileInfo_put(cfile)
>       cifsFileInfo_put_final()
>         cifs_sb_deactive()
>           [last ref, start releasing sb]
>             kill_sb()
>               kill_anon_super()
>                 generic_shutdown_super()
>                   evict_inodes()
>                     dispose_list()
>                       evict()
>                         destroy_inode()
>                           call_rcu(&inode->i_rcu, i_callback)
>     spin_lock(&cinode->open_file_lock)  <- OK
>                             [later] i_callback()
>                               cifs_free_inode()
>                                 kmem_cache_free(cinode)
>     spin_unlock(&cinode->open_file_lock)  <- UAF
>     cifs_done_oplock_break(cinode)       <- UAF
>
> The issue occurs when umount has already released its reference to the
> superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this
> releases the last reference, triggering the immediate cleanup of all
> inodes under RCU. However, cifs_oplock_break() continues to access the
> cinode after this point, resulting in use-after-free.
>
> Fix this by holding an extra reference to the superblock during the
> entire oplock break operation. This ensures that the superblock and
> its inodes remain valid until the oplock break completes.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=220309
> Fixes: b98749cac4a6 ("CIFS: keep FileInfo handle live during oplock break")
> Signed-off-by: Wang Zhaolong <wangzhaolong@...weicloud.com>
> ---
>  fs/smb/client/file.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)

Reviewed-by: Paulo Alcantara (Red Hat) <pc@...guebit.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ