| Message ID | PH7PR20MB592590F74C734584DCF88D6CBF712@PH7PR20MB5925.namprd20.prod.outlook.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | fs: smb: client: Reset password pointer to NULL | expand |
On Thu, Jan 18, 2024 at 1:44 AM Fullway Wang <fullwaywang@outlook.com> wrote: > > ctx->password was freed but not reset to NULL, which may lead to double > free and secrets leak issues. But no one else could use this pointer to double free this since it is allocated in this function, and exits a few lines after it is freed (and its parent is freed on the next line so the pointer could not be accessed either) > This is similar to CVE-2023-5345, which was fixed in commit e6e43b8. > > Signed-off-by: Fullway Wang <fullwaywang@outlook.com> > --- > fs/smb/client/connect.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c > index 3052a208c6ca..fb96a234b9b1 100644 > --- a/fs/smb/client/connect.c > +++ b/fs/smb/client/connect.c > @@ -4028,6 +4028,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid) > out: > kfree(ctx->username); > kfree_sensitive(ctx->password); > + ctx->password = NULL; > kfree(ctx); > > return tcon; > -- > 2.39.3 (Apple Git-145) > >
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 3052a208c6ca..fb96a234b9b1 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -4028,6 +4028,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid) out: kfree(ctx->username); kfree_sensitive(ctx->password); + ctx->password = NULL; kfree(ctx); return tcon;
ctx->password was freed but not reset to NULL, which may lead to double free and secrets leak issues. This is similar to CVE-2023-5345, which was fixed in commit e6e43b8. Signed-off-by: Fullway Wang <fullwaywang@outlook.com> --- fs/smb/client/connect.c | 1 + 1 file changed, 1 insertion(+)