Message-ID: <CAKYAXd_h9otb5kfixtwAgXfeFbmsvc5xmuoBsDNovmHFwGOEEQ@mail.gmail.com>
Date: Tue, 16 Sep 2025 10:11:16 +0900
From: Namjae Jeon <linkinjeon@...nel.org>
To: Yunseong Kim <ysk@...lloc.com>
Cc: Steve French <smfrench@...il.com>, Norbert Szetei <norbert@...ensec.com>, 
	Sergey Senozhatsky <senozhatsky@...omium.org>, Tom Talpey <tom@...pey.com>, 
	Jinjie Ruan <ruanjinjie@...wei.com>, Dawei Li <set_pte_at@...look.com>, 
	linux-cifs@...r.kernel.org, open list <linux-kernel@...r.kernel.org>, 
	stable@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Fix race condition in RPC handle list access

On Tue, Sep 16, 2025 at 7:44 AM Yunseong Kim <ysk@...lloc.com> wrote:
>
> The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd
> session. Access to this list is intended to be protected by
> 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was
> flawed, leading to potential race conditions.
>
> In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock
> before calling xa_store() and xa_erase(). Since these operations modify
> the XArray structure, a write lock is required to ensure exclusive access
> and prevent data corruption from concurrent modifications.
>
> Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load()
> without holding any lock at all. This could lead to reading inconsistent
> data or a potential use-after-free if an entry is concurrently removed and
> the pointer is dereferenced.
>
> Fix these issues by:
> 1. Using down_write() and up_write() in ksmbd_session_rpc_open()
>    to ensure exclusive access during XArray modification, and ensuring
>    the lock is correctly released on error paths.
> 2. Adding down_read() and up_read() in ksmbd_session_rpc_method()
>    to safely protect the lookup.
>
> Fixes: a1f46c99d9ea ("ksmbd: fix use-after-free in ksmbd_session_rpc_open")
> Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray")
> Cc: stable@...r.kernel.org
> Signed-off-by: Yunseong Kim <ysk@...lloc.com>
Applied it to #ksmbd-for-next-next.
Thanks!
