]>
Commit | Line | Data |
---|---|---|
98979065 GKH |
1 | From 22863485a4626ec6ecf297f4cc0aef709bc862e4 Mon Sep 17 00:00:00 2001 |
2 | From: Paulo Alcantara <pc@manguebit.com> | |
3 | Date: Tue, 2 Apr 2024 16:33:59 -0300 | |
4 | Subject: smb: client: fix potential UAF in smb2_is_valid_oplock_break() | |
5 | ||
6 | From: Paulo Alcantara <pc@manguebit.com> | |
7 | ||
8 | commit 22863485a4626ec6ecf297f4cc0aef709bc862e4 upstream. | |
9 | ||
10 | Skip sessions that are being teared down (status == SES_EXITING) to | |
11 | avoid UAF. | |
12 | ||
13 | Cc: stable@vger.kernel.org | |
14 | Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> | |
15 | Signed-off-by: Steve French <stfrench@microsoft.com> | |
16 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
17 | --- | |
18 | fs/smb/client/smb2misc.c | 2 ++ | |
19 | 1 file changed, 2 insertions(+) | |
20 | ||
21 | --- a/fs/smb/client/smb2misc.c | |
22 | +++ b/fs/smb/client/smb2misc.c | |
23 | @@ -697,6 +697,8 @@ smb2_is_valid_oplock_break(char *buffer, | |
24 | /* look up tcon based on tid & uid */ | |
25 | spin_lock(&cifs_tcp_ses_lock); | |
26 | list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { | |
27 | + if (cifs_ses_exiting(ses)) | |
28 | + continue; | |
29 | list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { | |
30 | ||
31 | spin_lock(&tcon->open_file_lock); |