ksmbd: fix use-after-free in ksmbd_sessions_deregister()
authorNamjae Jeon <linkinjeon@kernel.org>
Sat, 22 Mar 2025 00:20:19 +0000 (09:20 +0900)
committerSteve French <stfrench@microsoft.com>
Fri, 28 Mar 2025 00:12:00 +0000 (19:12 -0500)
In multichannel mode, a use-after-free (UAF) can occur in session_deregister
when the second channel sets up a session through the connection of
the first channel. A session that is freed through the global session
table can be accessed again through ->sessions of the connection.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/mgmt/user_session.c

index 71c6939dfbf13bdcd113b9c7bd155e86b1242172..1ecca6785ed0ca1ed86507b479e217d0ae8d4f10 100644 (file)
@@ -230,6 +230,9 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
                        if (!ksmbd_chann_del(conn, sess) &&
                            xa_empty(&sess->ksmbd_chann_list)) {
                                hash_del(&sess->hlist);
+                               down_write(&conn->session_lock);
+                               xa_erase(&conn->sessions, sess->id);
+                               up_write(&conn->session_lock);
                                ksmbd_session_destroy(sess);
                        }
                }
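Review bot: The added `xa_erase(&conn->sessions, sess->id)` clears the entry only in the connection passed to this function, while the commit message describes a session that a second channel set up through the first channel's connection. If the same session can still be indexed in another connection's `->sessions`, that entry is left pointing at memory released by `ksmbd_session_destroy(sess)`; the binding code is outside this hunk, so this should be confirmed, or the invariant stated in a comment such as `/* sess is freed below: drop it from conn->sessions so it cannot be reached through the per-connection table */`. The new `down_write(&conn->session_lock)` is also taken inside an enclosing loop whose locking is not visible here, so if a table-wide lock is held at this point the nesting order deserves a comment too. The body of ksmbd_sessions_deregister() starts and ends outside the hunk.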