lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-id: <175331183374.2234665.16356100340389738205@noble.neil.brown.name>
Date: Thu, 24 Jul 2025 09:03:53 +1000
From: "NeilBrown" <neil@...wn.name>
To: "Stefan Metzmacher" <metze@...ba.org>
Cc: "Namjae Jeon" <linkinjeon@...nel.org>, "Steve French" <smfrench@...il.com>,
 "Sergey Senozhatsky" <senozhatsky@...omium.org>,
 "Tom Talpey" <tom@...pey.com>, "Alexander Viro" <viro@...iv.linux.org.uk>,
 "Christian Brauner" <brauner@...nel.org>, "Jan Kara" <jack@...e.cz>,
 linux-fsdevel@...r.kernel.org, linux-cifs@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4/4] smb/server: add ksmbd_vfs_kern_path()

On Thu, 24 Jul 2025, Stefan Metzmacher wrote:
> Hi Neil,
> 
> for me this reliable generates the following problem, just doing a simple:
> mount -t cifs -ousername=root,password=test,noperm,vers=3.1.1,mfsymlinks,actimeo=0 //172.31.9.167/test /mnt/test/
> 
> [ 2213.234061] [   T1972] ==================================================================
> [ 2213.234607] [   T1972] BUG: KASAN: slab-use-after-free in lookup_noperm_common+0x237/0x2b0

Hi,
 thanks for testing and reporting.  Sorry about this obvious bug...

I called putname() too early.  The following should fix it.  Please test
and support.
Namjae: it would be good to squash this into the offending patch before
submitting upstream.  Can you do that?  Do you want me to resend the
whole patch?

Thanks,
NeilBrown

--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -53,7 +53,7 @@ static int ksmbd_vfs_path_lookup(struct ksmbd_share_config *share_conf,
 				 struct path *path, bool do_lock)
 {
 	struct qstr last;
-	struct filename *filename;
+	struct filename *filename __free(putname) = NULL;
 	struct path *root_share_path = &share_conf->vfs_path;
 	int err, type;
 	struct dentry *d;
@@ -72,7 +72,6 @@ static int ksmbd_vfs_path_lookup(struct ksmbd_share_config *share_conf,
 	err = vfs_path_parent_lookup(filename, flags,
 				     path, &last, &type,
 				     root_share_path);
-	putname(filename);
 	if (err)
 		return err;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ