From patchwork Thu Jul 27 09:59:11 2023
X-Patchwork-Submitter: Qi Zheng
X-Patchwork-Id: 126903
From: Qi Zheng
To: linkinjeon@kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, hyc.lee@gmail.com, lsahlber@redhat.com, paulmck@kernel.org
Cc: linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Qi Zheng
Subject: [PATCH] cifsd: fix potential UAF
Date: Thu, 27 Jul 2023 09:59:11 +0000
Message-Id: <20230727095911.3657425-1-qi.zheng@linux.dev>

From: Qi Zheng

After calling opinfo_put(), the opinfo may be freed, then using this
opinfo in the next traversal will cause a UAF bug.

To fix it, swap the call order of opinfo_put() and rcu_read_lock(), so
that opinfo_free_rcu() will not be called, and the opinfo will not be
freed, then we can safely perform the next traversal.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Qi Zheng
---
 fs/smb/server/oplock.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c index 844b303baf29..a0e47eb2df83 100644 --- a/fs/smb/server/oplock.c +++ b/fs/smb/server/oplock.c @@ -1021,8 +1021,8 @@ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci, goto out; } op_next: - opinfo_put(opinfo); rcu_read_lock(); + opinfo_put(opinfo); } rcu_read_unlock(); 
@@ -1314,8 +1314,8 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp, brk_op->open_trunc = is_trunc; oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE); next: - opinfo_conn_put(brk_op); rcu_read_lock(); + opinfo_conn_put(brk_op); } rcu_read_unlock(); @@ -1711,8 +1711,8 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn, goto out; } op_next: - opinfo_put(opinfo); rcu_read_lock(); + opinfo_put(opinfo); } rcu_read_unlock();
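Review bot: in the find_same_lease_key() hunk the reorder is right but the justification in the commit message is not quite: holding rcu_read_lock() while opinfo_put() drops the last reference does not stop opinfo_free_rcu() from being called, it only keeps the grace period from ending until the rcu_read_unlock() after the loop, which is exactly what keeps the list iterator's next-pointer read safe. Suggest rewording the message to say the free is deferred until after the traversal's rcu_read_unlock(), and putting a one-line comment above `rcu_read_lock();` at op_next, because the old order looks perfectly natural and is likely to be reintroduced. Also, the subject prefix is "cifsd:" while the path is fs/smb/server/oplock.c, so it should read "ksmbd:".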
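Review bot: the smb_break_all_levII_oplock() hunk inverts opinfo_conn_put(brk_op) rather than opinfo_put(), while the commit message only argues about opinfo_put() and opinfo_free_rcu(). The swap protects the traversal only if opinfo_conn_put() also hands the object to an RCU callback instead of freeing anything synchronously, so please state that in the commit message (one sentence naming the function is enough); if it releases the connection reference directly, this site needs a different fix than the other two. A comment at `next:` mirroring the one suggested for op_next would help as well, since the label hides that the following line runs in the middle of an RCU-protected list walk.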
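Review bot: lookup_lease_in_table() is the third copy in this file of the same two-line sequence being inverted, which is a sign the invariant (drop the reference only while inside the read-side section) is too easy to lose in review. Consider a small static helper that takes the read lock and then drops the reference, used at all three labels, or at minimum identical comments at each. Since the Fixes tag points at the commit that added the SMB3 server procedures in the first place, it would also be worth checking the remaining RCU list walks in oplock.c for the same put-then-lock ordering before this goes in, so a fourth site does not need a follow-up.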
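Added example, not code from the patch or from ksmbd: a userspace C model of the ordering bug the commit message describes, for readers who want to see why rcu_read_lock() has to come before the final put. The toy RCU (a reader count plus a deferred-free queue that is drained only while no reader is active), the opinfo struct with a magic field, the four-lease list and the concurrent close are all constructed here; opinfo_put and the op_next label are borrowed from the patch, everything else is an assumption of the model. walk() runs the loop body once in the original order and once in the patched order against the same race and reports whether the iterator's next-pointer read would have touched reclaimed memory.

```c
/* Added userspace model (not ksmbd code) of the ordering bug this patch fixes. Toy RCU:
 * rcu_readers counts read-side sections; toy_call_rcu() queues an object, and the queue
 * is drained (object poisoned, standing in for kfree) only while no reader is active. */
#include <stdbool.h>
#include <stdio.h>

#define LIVE   0x0b1ec7u
#define POISON 0xdeadbeefu

struct opinfo {
	unsigned int magic;      /* LIVE, or POISON once reclaimed */
	int refcount;
	struct opinfo *next;     /* stands in for op_entry in ci->m_op_list */
};

static int rcu_readers;             /* toy: active read-side sections */
static struct opinfo *pending[16];  /* toy: objects handed to call_rcu() */
static int npending;

static void drain_if_quiescent(void)
{
	if (rcu_readers)
		return;                 /* a reader is active: grace period not over */
	while (npending)            /* model kfree(): poison, never reuse */
		pending[--npending]->magic = POISON;
}

static void toy_rcu_read_lock(void)   { rcu_readers++; }
static void toy_rcu_read_unlock(void) { rcu_readers--; drain_if_quiescent(); }
static void toy_call_rcu(struct opinfo *op) { pending[npending++] = op; drain_if_quiescent(); }

/* Same shape as ksmbd's opinfo_put(): the last reference goes to call_rcu(). */
static void opinfo_put(struct opinfo *op)
{
	if (--op->refcount == 0)
		toy_call_rcu(op);
}

/* Walk like the patched loops: take a reference, leave the read side for the body, then
 * at op_next release and re-enter. `closing` is the node another task releases while we
 * are unlocked (constructed race, NULL for none). Returns nodes visited; sets *uaf when
 * the iterator would read ->next from a reclaimed node. */
static int walk(struct opinfo *head, struct opinfo *closing, bool put_before_lock, bool *uaf)
{
	struct opinfo *op;
	int visited = 0;

	*uaf = false;
	toy_rcu_read_lock();
	for (op = head; op; op = op->next) {
		toy_rcu_read_unlock();  /* body may sleep: drop the read side */
		op->refcount++;         /* opinfo_get() */
		visited++;
		if (op == closing)      /* closer: list_del_rcu() keeps op->next intact, then */
			opinfo_put(op);     /* drops the list's reference; only ours is left */
		/* op_next: */
		if (put_before_lock) {      /* original order */
			opinfo_put(op);         /* last ref, no reader: reclaimed right here */
			toy_rcu_read_lock();
		} else {                    /* patched order */
			toy_rcu_read_lock();    /* reclaim is now deferred past our unlock */
			opinfo_put(op);
		}
		if (op->magic == POISON) {  /* op->next would be read from freed memory */
			*uaf = true;
			break;
		}
	}
	toy_rcu_read_unlock();
	return visited;
}

static struct opinfo nodes[4];      /* constructed: four leases on one inode */

static struct opinfo *build_list(void)
{
	npending = rcu_readers = 0;
	for (int i = 0; i < 4; i++) {
		nodes[i].magic = LIVE;
		nodes[i].refcount = 1;  /* the list's own reference */
		nodes[i].next = i + 1 < 4 ? &nodes[i + 1] : NULL;
	}
	return &nodes[0];
}

/* Convenience: nodes visited, negated when the walk touched a reclaimed node. */
static int trial(int close_idx, bool put_before_lock)
{
	bool uaf;
	int n = walk(build_list(), close_idx >= 0 ? &nodes[close_idx] : NULL, put_before_lock, &uaf);
	return uaf ? -n : n;
}

int main(void)
{
	printf("close racing with lease 1: original order %d, patched order %d (negative = UAF)\n",
	       trial(1, true), trial(1, false));
	return 0;
}
```

Running it shows the original order stopping at the second lease with the object already reclaimed, while the patched order walks all four, because the queued callback cannot run until the traversal's own rcu_read_unlock(). The model is single-threaded on purpose: it ends the grace period at the earliest legal moment, which is the timing the real bug needs a concurrent close and an unlucky schedule to produce.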