cifs: fix potential use-after-free in cifs_echo_request()

Message ID	20201128195402.12233-1-pc@cjr.nz (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-cifs-owner@kernel.org> sender: pc) by mx.cjr.nz (Postfix) with ESMTPSA id C06507FD5F; Sat, 28 Nov 2020 19:54:14 +0000 (UTC) From: Paulo Alcantara <pc@cjr.nz> To: linux-cifs@vger.kernel.org, smfrench@gmail.com Cc: Paulo Alcantara <pc@cjr.nz> Subject: [PATCH] cifs: fix potential use-after-free in cifs_echo_request() Date: Sat, 28 Nov 2020 16:54:02 -0300 Message-Id: <20201128195402.12233-1-pc@cjr.nz> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	cifs: fix potential use-after-free in cifs_echo_request() \| expand cifs: fix potential use-after-free in cifs_echo_request()

Message ID

20201128195402.12233-1-pc@cjr.nz (mailing list archive)

State

New, archived

Headers

From: Paulo Alcantara <pc@cjr.nz>
To: linux-cifs@vger.kernel.org, smfrench@gmail.com
Cc: Paulo Alcantara <pc@cjr.nz>
Subject: [PATCH] cifs: fix potential use-after-free in cifs_echo_request()
Date: Sat, 28 Nov 2020 16:54:02 -0300
Message-Id: <20201128195402.12233-1-pc@cjr.nz>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

cifs: fix potential use-after-free in cifs_echo_request() | expand

Commit Message

Paulo Alcantara Nov. 28, 2020, 7:54 p.m. UTC

This patch fixes a potential use-after-free bug in
cifs_echo_request().

For instance,

  thread 1
  --------
  cifs_demultiplex_thread()
    clean_demultiplex_info()
      kfree(server)

  thread 2 (workqueue)
  --------
  apic_timer_interrupt()
    smp_apic_timer_interrupt()
      irq_exit()
        __do_softirq()
          run_timer_softirq()
            call_timer_fn()
  	      cifs_echo_request() <- use-after-free in server ptr

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
---
 fs/cifs/connect.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Steve French Nov. 30, 2020, 2:31 a.m. UTC | #1

added Ronnie's reviewed-by to the two patches and put in cifs-2.6.git for-next

On Sat, Nov 28, 2020 at 1:54 PM Paulo Alcantara <pc@cjr.nz> wrote:
>
> This patch fixes a potential use-after-free bug in
> cifs_echo_request().
>
> For instance,
>
>   thread 1
>   --------
>   cifs_demultiplex_thread()
>     clean_demultiplex_info()
>       kfree(server)
>
>   thread 2 (workqueue)
>   --------
>   apic_timer_interrupt()
>     smp_apic_timer_interrupt()
>       irq_exit()
>         __do_softirq()
>           run_timer_softirq()
>             call_timer_fn()
>               cifs_echo_request() <- use-after-free in server ptr
>
> Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
> ---
>  fs/cifs/connect.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index c38156f324dd..28c1459fb0fc 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -876,6 +876,8 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server)
>         list_del_init(&server->tcp_ses_list);
>         spin_unlock(&cifs_tcp_ses_lock);
>
> +       cancel_delayed_work_sync(&server->echo);
> +
>         spin_lock(&GlobalMid_Lock);
>         server->tcpStatus = CifsExiting;
>         spin_unlock(&GlobalMid_Lock);
> --
> 2.29.2
>

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index c38156f324dd..28c1459fb0fc 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -876,6 +876,8 @@  static void clean_demultiplex_info(struct TCP_Server_Info *server)
 	list_del_init(&server->tcp_ses_list);
 	spin_unlock(&cifs_tcp_ses_lock);
 
+	cancel_delayed_work_sync(&server->echo);
+
 	spin_lock(&GlobalMid_Lock);
 	server->tcpStatus = CifsExiting;
 	spin_unlock(&GlobalMid_Lock);

cifs: fix potential use-after-free in cifs_echo_request()

Commit Message

Comments

Patch