Message ID | 20240402193404.236159-9-pc@manguebit.com (mailing list archive) |
---|---|
State | New, archived |
Series | [01/12] smb: client: fix potential UAF in cifs_debug_files_proc_show() |
Paulo Alcantara <pc@manguebit.com> writes:

> Skip sessions that are being torn down (status == SES_EXITING) to
> avoid UAF.
>
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
>  fs/smb/client/smb2transport.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Please ignore this one as we still need the signing key for session logoff in __cifs_put_smb_ses().
diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c index 1d6e54f7879e..400175b9ef47 100644 --- a/fs/smb/client/smb2transport.c +++ b/fs/smb/client/smb2transport.c @@ -89,8 +89,10 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key) pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { - if (ses->Suid == ses_id) + spin_lock(&ses->ses_lock); + if (ses->ses_status != SES_EXITING && ses->Suid == ses_id) goto found; + spin_unlock(&ses->ses_lock); } trace_smb3_ses_not_found(ses_id); cifs_server_dbg(FYI, "%s: Could not find session 0x%llx\n", @@ -99,7 +101,6 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key) goto out; found: - spin_lock(&ses->ses_lock); spin_lock(&ses->chan_lock); is_binding = (cifs_chan_needs_reconnect(ses, server) &&
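Review bot: In the `list_for_each_entry()` loop of `smb2_get_sign_key()`, the new `ses->ses_status != SES_EXITING` condition sends every lookup for a session that is being torn down to the `trace_smb3_ses_not_found()` path, so a request that still has to be signed on an exiting session gets no key. The author's follow-up on this page names the session logoff in `__cifs_put_smb_ses()` as such a caller. Suggest keeping the match on `ses->Suid == ses_id` alone and protecting the session's lifetime by other means, or stating in the commit message why no signed request can reach this function once the status is SES_EXITING.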
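Review bot: With `spin_lock(&ses->ses_lock)` removed at `found:`, the label is now entered with `ses_lock` already held from the loop, and nothing at the point where `chan_lock` is taken says so. A one-line comment at `found:` noting that the lock is held on entry would keep the lock ordering (`ses_lock`, then `chan_lock`) readable. The matching unlock is outside the visible context and should be checked to still pair with the acquisition that now happens inside the loop.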
Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
 fs/smb/client/smb2transport.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)