From patchwork Tue Apr 2 19:33:53 2024
X-Patchwork-Submitter: Paulo Alcantara
X-Patchwork-Id: 13614525
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 01/12] smb: client: fix potential UAF in cifs_debug_files_proc_show()
Date: Tue, 2 Apr 2024 16:33:53 -0300
Message-ID: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/cifs_debug.c | 2 ++ fs/smb/client/cifsglob.h | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c index 226d4835c92d..c9aec9a38ad3 100644 --- a/fs/smb/client/cifs_debug.c +++ b/fs/smb/client/cifs_debug.c @@ -250,6 +250,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { spin_lock(&tcon->open_file_lock); list_for_each_entry(cfile, &tcon->openFileList, tlist) { diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index 286afbe346be..f67607319c43 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h
@@ -2322,4 +2322,14 @@ struct smb2_compound_vars { struct kvec ea_iov; }; +static inline bool cifs_ses_exiting(struct cifs_ses *ses) +{ + bool ret; + + spin_lock(&ses->ses_lock); + ret = ses->ses_status == SES_EXITING; + spin_unlock(&ses->ses_lock); + return ret; +} + #endif /* _CIFS_GLOB_H */
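
Review bot: The commit message for 01/12 does not describe the race that the check in cifs_debug_files_proc_show() (fs/smb/client/cifs_debug.c) closes: it names neither the object that is used after free nor the path that frees it, and it carries no Fixes: tag. A short description of the teardown path that runs against this /proc walk, plus the commit that introduced the problem, would let backporters judge which trees need the change.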
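
Review bot: cifs_ses_exiting() in fs/smb/client/cifsglob.h needs a comment stating its locking contract. It takes and releases ses->ses_lock internally, so it must not be called with that lock already held, and the value it returns is only a snapshot that can be stale as soon as spin_unlock(&ses->ses_lock) runs. The caller added in this patch invokes it under cifs_tcp_ses_lock, which fixes a lock order of cifs_tcp_ses_lock then ses_lock; both facts belong in a comment above the helper.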
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 02/12] smb: client: fix potential UAF in cifs_dump_full_key()
Date: Tue, 2 Apr 2024 16:33:54 -0300
Message-ID: <20240402193404.236159-2-pc@manguebit.com>
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
References: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/ioctl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c index c012dfdba80d..855ac5a62edf 100644 --- a/fs/smb/client/ioctl.c +++ b/fs/smb/client/ioctl.c @@ -247,7 +247,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) { list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) { - if (ses_it->Suid == out.session_id) { + spin_lock(&ses_it->ses_lock); + if (ses_it->ses_status != SES_EXITING && + ses_it->Suid == out.session_id) { ses = ses_it; /* * since we are using the session outside the crit
@@ -255,9 +257,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug * so increment its refcount */ cifs_smb_ses_inc_refcount(ses); + spin_unlock(&ses_it->ses_lock); found = true; goto search_end; } + spin_unlock(&ses_it->ses_lock); } } search_end:
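
Review bot: cifs_smb_ses_inc_refcount(ses) in cifs_dump_full_key() (fs/smb/client/ioctl.c) is now called with ses_it->ses_lock held on top of cifs_tcp_ses_lock, so please confirm that the helper never takes ses_lock itself. It would also help to say in the commit message why this site open-codes the ses_status test and keeps the lock across the refcount increment instead of calling cifs_ses_exiting() as 01/12 does; the log text is identical to 01/12 and does not explain the difference.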
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 03/12] smb: client: fix potential UAF in cifs_stats_proc_write()
Date: Tue, 2 Apr 2024 16:33:55 -0300
Message-ID: <20240402193404.236159-3-pc@manguebit.com>
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
References: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c index c9aec9a38ad3..8535c9907462 100644 --- a/fs/smb/client/cifs_debug.c +++ b/fs/smb/client/cifs_debug.c
@@ -678,6 +678,8 @@ static ssize_t cifs_stats_proc_write(struct file *file, } #endif /* CONFIG_CIFS_STATS2 */ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { atomic_set(&tcon->num_smbs_sent, 0); spin_lock(&tcon->stat_lock);
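
Review bot: In cifs_stats_proc_write() (fs/smb/client/cifs_debug.c), the lock that covers the smb_ses_list walk lies outside the hunk context and the commit message does not name it; please state it, because the new check alone does not keep tcon_list stable for the atomic_set(&tcon->num_smbs_sent, 0) and stat_lock section that follow. One side effect deserves a sentence in the log as well: counters on tcons that belong to an exiting session are no longer reset by a write to this file.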
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 04/12] smb: client: fix potential UAF in cifs_stats_proc_show()
Date: Tue, 2 Apr 2024 16:33:56 -0300
Message-ID: <20240402193404.236159-4-pc@manguebit.com>
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
References: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c index 8535c9907462..c71ae5c04306 100644 --- a/fs/smb/client/cifs_debug.c +++ b/fs/smb/client/cifs_debug.c
@@ -759,6 +759,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v) } #endif /* STATS2 */ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { i++; seq_printf(m, "\n%d) %s", i, tcon->tree_name);
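
Review bot: In cifs_stats_proc_show() (fs/smb/client/cifs_debug.c), the skip sits ahead of the i++ that numbers each share, so shares on an exiting session drop out of the listing and the index printed for the remaining shares can change from one read to the next. If that is intended, say so in the commit message so that anyone comparing two reads of the stats file knows the numbering is not stable during teardown.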
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 05/12] smb: client: fix potential UAF in smb2_check_message()
Date: Tue, 2 Apr 2024 16:33:57 -0300
Message-ID: <20240402193404.236159-5-pc@manguebit.com>
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
References: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/smb2misc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 82b84a4941dd..14d74ef70cc8 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c
@@ -160,7 +160,8 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) /* decrypt frame now that it is completely read in */ spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { - if (iter->Suid == le64_to_cpu(thdr->SessionId)) { + if (!cifs_ses_exiting(iter) && + iter->Suid == le64_to_cpu(thdr->SessionId)) { ses = iter; break; }
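
Review bot: In smb2_check_message() (fs/smb/client/smb2misc.c), the new condition calls cifs_ses_exiting(iter) first, which takes and drops ses_lock for every session on the list, including those whose Suid does not match. Testing iter->Suid == le64_to_cpu(thdr->SessionId) first and the exiting state second would limit the extra locking to the one candidate session. Separately, the visible lines assign ses = iter and break without taking a reference, unlike cifs_dump_full_key() in 02/12; if ses is used after cifs_tcp_ses_lock is dropped, the snapshot check does not cover that use.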
From: Paulo Alcantara
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara
Subject: [PATCH 06/12] smb: client: fix potential UAF in smb2_is_valid_lease_break()
Date: Tue, 2 Apr 2024 16:33:58 -0300
Message-ID: <20240402193404.236159-6-pc@manguebit.com>
In-Reply-To: <20240402193404.236159-1-pc@manguebit.com>
References: <20240402193404.236159-1-pc@manguebit.com>

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat)
--- fs/smb/client/smb2misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 14d74ef70cc8..4abbf6545c9c 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c
@@ -623,6 +623,8 @@ smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) /* look up tcon based on tid & uid */ spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { spin_lock(&tcon->open_file_lock); cifs_stats_inc(
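
Review bot: In smb2_is_valid_lease_break() (fs/smb/client/smb2misc.c), a lease break that belongs to a tcon on an exiting session is no longer matched by this walk, so it falls through to the not-found handling, which is outside the hunk. Please confirm in the commit message that the not-found path is the right outcome for such a break. The hunk also nests tcon->open_file_lock inside cifs_tcp_ses_lock right after the helper has taken and released ses_lock, so the intended lock order is worth stating once for the series.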
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 07/12] smb: client: fix potential UAF in smb2_is_valid_oplock_break() Date: Tue, 2 Apr 2024 16:33:59 -0300 Message-ID: <20240402193404.236159-7-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/smb2misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/smb2misc.c b/fs/smb/client/smb2misc.c index 4abbf6545c9c..29b5ae881d48 100644 --- a/fs/smb/client/smb2misc.c +++ b/fs/smb/client/smb2misc.c 
@@ -700,6 +700,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) /* look up tcon based on tid & uid */ spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { spin_lock(&tcon->open_file_lock); From patchwork Tue Apr 2 19:34:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paulo Alcantara X-Patchwork-Id: 13614530 Received: from mx.manguebit.com (mx.manguebit.com [167.235.159.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBB1C15A4BF for ; Tue, 2 Apr 2024 19:34:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=167.235.159.17 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086495; cv=pass; b=ALrtJFWshrt82AmWybL/JqB0xaOGjw7Q8+WwEBYnftUHhWmJpIhCkpgg7TZE+T/QySiW2xAor6X67dY56zZANjsZCC5Dv+AFBGxLLgc8zkftaPcW7e0EjNb6g0Gx0H0Sx3apoj5sCccRW+SMDtbVVPY5YppwqkqwHC75IJbFXGY= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086495; c=relaxed/simple; bh=kyzZ7HR2RJzLxuqa+nE58pDMF3ApahgTgPkQC2Ajg1g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Et1mW+VokJh8tq7hiMD3983yv+hPgpW8yFwG12O0SoXEdEVrUAk6IoU1KBanLu83lACG7Ef5PbuFc5bpgoK0tKtYRCBILbIxXo1vvkWVbXPGQwRdi2p7avLJ9EBbu56LqeSFkTUihKwKXBOKv4VSuLyp0o4q5cgdOfsI8u2r9xg= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com; spf=pass smtp.mailfrom=manguebit.com; dkim=pass (2048-bit key) header.d=manguebit.com header.i=@manguebit.com header.b=f767EbvI; arc=pass smtp.client-ip=167.235.159.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) 
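Review bot: the two-line guard added at the top of the session loop in smb2_is_valid_oplock_break() is the same guard the neighbouring patches in this series add to the other smb_ses_list walkers, so the protection depends on every current and future caller remembering to repeat it. Consider folding the list walk and the cifs_ses_exiting() test into a single iterator helper used by all of these functions, so that a new walker cannot omit the skip.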
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 08/12] smb: client: fix potential UAF in is_valid_oplock_break() Date: Tue, 2 Apr 2024 16:34:00 -0300 Message-ID: <20240402193404.236159-8-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 1ea22b3955a2..33ac4f8f5050 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c 
@@ -481,6 +481,8 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) /* look up tcon based on tid & uid */ spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { if (tcon->tid != buf->Tid) continue; From patchwork Tue Apr 2 19:34:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paulo Alcantara X-Patchwork-Id: 13614531 Received: from mx.manguebit.com (mx.manguebit.com [167.235.159.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E38115B96C for ; Tue, 2 Apr 2024 19:34:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=167.235.159.17 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086496; cv=pass; b=Jcl1Vrg3v6IVLTtYRhsC8fBew/2N0um4jSLiB2Lp3/rP45mTd8Jb9ercZ+jVNACVUcbKv7B4Bx+bzQmgM4B+9pNSvY2FlFq+dkeb3jBO9M4IqBlJYDhkM6PKVxb4lXmyOLHZVmf9UaN8YIpF4el+z5ek/PzIUS29vJxTjTTAnpY= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086496; c=relaxed/simple; bh=NhgWS1jZsu0CFc0kJkeGyOm2zWtokA5d5yjWQj7qROY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=k4TN2tKhS/6FTivl2wjjnPDjsWPyJOoxrqwH2tTp/iRsiZXThQAplLqeSHUrAHSJMGSl5yqPlQ6PXEeHK4MnbNYq9KEAtOxfXJkrABdC8X/x8s94nwzleNwt4+H7DHMAgm4V4TO38D69cr7q5mUzoHy5Qx1pRx1/XANp95VzJ9U= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com; spf=pass smtp.mailfrom=manguebit.com; dkim=pass (2048-bit key) header.d=manguebit.com header.i=@manguebit.com header.b=ik8hz4bH; arc=pass smtp.client-ip=167.235.159.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com 
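Review bot: with the new `continue` in is_valid_oplock_break(), a break whose Tid matches only a tcon on an exiting session is no longer examined by the `tcon->tid != buf->Tid` test and falls out of the loop unmatched. The hunk does not show what the function returns or logs in that case, so please confirm that treating such a break as not found is the intended result and say so in the commit message.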
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 09/12] smb: client: fix potential UAF in smb2_get_sign_key() Date: Tue, 2 Apr 2024 16:34:01 -0300 Message-ID: <20240402193404.236159-9-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/smb2transport.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c index 1d6e54f7879e..400175b9ef47 100644 --- a/fs/smb/client/smb2transport.c +++ b/fs/smb/client/smb2transport.c @@ -89,8 +89,10 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key) pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { - if (ses->Suid == ses_id) + spin_lock(&ses->ses_lock); + if (ses->ses_status != SES_EXITING && ses->Suid == ses_id) goto found; + spin_unlock(&ses->ses_lock); } trace_smb3_ses_not_found(ses_id); cifs_server_dbg(FYI, "%s: Could not find session 0x%llx\n", 
@@ -99,7 +101,6 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key) goto out; found: - spin_lock(&ses->ses_lock); spin_lock(&ses->chan_lock); is_binding = (cifs_chan_needs_reconnect(ses, server) && From patchwork Tue Apr 2 19:34:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paulo Alcantara X-Patchwork-Id: 13614532 Received: from mx.manguebit.com (mx.manguebit.com [167.235.159.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 660EB15B96C for ; Tue, 2 Apr 2024 19:34:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=167.235.159.17 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086498; cv=pass; b=dJjSHGrGWqE6V1L2dcL4nKZ74dcPAzJKPrfQVMSmQQBfNxXShpGX2wdu9sxTGwfQQK2kTmEFAHhF49Vdy88mwOVc2BB9An7zrAWMO3O7G0wblxB96NwMFNCXbkaLOoooA1Nm3a1xfwUelzBWgKy8H52M9pn+ACHz/mpoqdSNxmY= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086498; c=relaxed/simple; bh=AQ0hBbey6g2ZuMltlKwO6WXNpqbiL6yMc7BbdI2hT0s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=O3K5HwuXM2JK8ePCEFbG21hcPi9t34/Y3X7ERmz03wARClnT9A4uWROlaYawqft4vjj3cIexlxGgidXvnhGXlgdxGugWf1EAyaVFJp6YJQ3v2H9rx1EZ99GU3MAm2H8BsqhGJw6QXcwl+AJqQArK2YTIUn6xlOQzMwE8TaUy1+Y= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com; spf=pass smtp.mailfrom=manguebit.com; dkim=pass (2048-bit key) header.d=manguebit.com header.i=@manguebit.com header.b=iCy2+rfw; arc=pass smtp.client-ip=167.235.159.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=manguebit.com Authentication-Results: 
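Review bot: in smb2_get_sign_key(), the first hunk makes the loop reach `found:` with ses->ses_lock already held, and the second hunk removes the spin_lock() that used to sit directly under the label, so nothing at `found:` records that entry condition any more. Add a comment or a lockdep assertion at the label stating that ses_lock is held on entry. The commit message should also say why this site open-codes `ses->ses_status != SES_EXITING` under the lock instead of calling cifs_ses_exiting() as the other patches in the series do.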
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 10/12] smb: client: fix potential UAF in smb2_is_network_name_deleted() Date: Tue, 2 Apr 2024 16:34:02 -0300 Message-ID: <20240402193404.236159-10-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/smb2ops.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 35bf7eb315cd..1506a0eb10ba 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c 
@@ -2480,6 +2480,8 @@ smb2_is_network_name_deleted(char *buf, struct TCP_Server_Info *server) spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { if (tcon->tid == le32_to_cpu(shdr->Id.SyncId.TreeId)) { spin_lock(&tcon->tc_lock); From patchwork Tue Apr 2 19:34:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paulo Alcantara X-Patchwork-Id: 13614533 Received: from mx.manguebit.com (mx.manguebit.com [167.235.159.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E629315A4BF for ; Tue, 2 Apr 2024 19:34:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=167.235.159.17 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086500; cv=pass; b=kkm6dB2SqvmetN/UMOjlv3rWcYPeSrvmogaVG2y7//4mDBdWKOuQlTNf13VytgMejiP5O2BEjm/IwC4s7sJk9Os4RFPrz+FF/lqCnRqY8xT30D41UfpVJ4YQDkdCncj5+nVCP6427yVLdVna0fUb6pP6m/sUn7wBfcgKZ82qZlQ= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086500; c=relaxed/simple; bh=1gy08Vrf6EE+PH8rnpU4qGUbg8jxhQKmmpDOVGs2zi4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YEkSiF1JQEr0YELFBQZ3+DbXaewmiZ2ZJaVrzYTtpJr0gEVQlesxyIfqWxLSQskThmDM2xO/d5UoOTsI4wFryKsq8x4Ys1hnCejJpj67T2XapXko9ooQ84IIxeDYJJcLn/S2E1y14FEBf2iurTm+Epa9O7X3wUlVyamXR4tKsVM= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com; spf=pass smtp.mailfrom=manguebit.com; dkim=pass (2048-bit key) header.d=manguebit.com header.i=@manguebit.com header.b=EfSgFXLc; arc=pass smtp.client-ip=167.235.159.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) 
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 11/12] smb: client: fix potential UAF in smb2_get_enc_key() Date: Tue, 2 Apr 2024 16:34:03 -0300 Message-ID: <20240402193404.236159-11-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/smb2ops.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 1506a0eb10ba..4fd2ffa2ebba 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4188,8 +4188,8 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { - if (ses->Suid == ses_id) { - spin_lock(&ses->ses_lock); + spin_lock(&ses->ses_lock); + if (ses->ses_status != SES_EXITING && ses->Suid == ses_id) { ses_enc_key = enc ? ses->smb3encryptionkey : ses->smb3decryptionkey; memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE); 
@@ -4197,6 +4197,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) spin_unlock(&cifs_tcp_ses_lock); return 0; } + spin_unlock(&ses->ses_lock); } spin_unlock(&cifs_tcp_ses_lock); From patchwork Tue Apr 2 19:34:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paulo Alcantara X-Patchwork-Id: 13614534 Received: from mx.manguebit.com (mx.manguebit.com [167.235.159.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C64A15B96C for ; Tue, 2 Apr 2024 19:35:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=167.235.159.17 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086502; cv=pass; b=X8jkUl4ddd9ZXbhTXIS1E7LMiM9Y+MpeqE9VMIWN1tbyUALeE9x5NMSLf/ARIPSDqdYkUhrtXqdUeO84ekf3D/bsp1j5g6QrhqUh1pK0OyXmdwNIdSJt5Hv35we5hXs2B3O8UKCLGc8Z+r7RrQF2f6xSkW2ZTZSG6E3rhBY4HvI= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086502; c=relaxed/simple; bh=O6hwRl2HxUsOzaPuPskzTgUrHH0WnPZ67/otaq8HOzc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Zy3ta+R9k1t4uhp8f/SBUkmalO4nALjDs1BouIXzwOZQr+E8F/tze1+lcQkSHeV2R2Ox6dSZArL6PPWVEcXaaF+xP05pawAHqxsL1O4xZ/Qgfvl6amXtPt/pmTq8p+HrCDuFfrneWmugPfOCsEL7WaB8cS/t+94IXwAnPqTV3cA= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com; spf=pass smtp.mailfrom=manguebit.com; dkim=pass (2048-bit key) header.d=manguebit.com header.i=@manguebit.com header.b=EI0Y9Y2w; arc=pass smtp.client-ip=167.235.159.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=manguebit.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=manguebit.com Authentication-Results: smtp.subspace.kernel.org; 
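Review bot: in smb2_get_enc_key(), the reordered test takes ses->ses_lock before comparing ses->Suid, so every call now locks and unlocks each non-matching session on the list while cifs_tcp_ses_lock is also held. The removed lines compared Suid first and took the lock only on a match; keeping that order and checking ses_status once ses_lock is held would apply the same SES_EXITING filter with a single lock acquisition per lookup. If the unlocked Suid read is itself the concern, the commit message should say so.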
From: Paulo Alcantara To: smfrench@gmail.com Cc:
linux-cifs@vger.kernel.org, Paulo Alcantara Subject: [PATCH 12/12] smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Date: Tue, 2 Apr 2024 16:34:04 -0300 Message-ID: <20240402193404.236159-12-pc@manguebit.com> In-Reply-To: <20240402193404.236159-1-pc@manguebit.com> References: <20240402193404.236159-1-pc@manguebit.com> Precedence: bulk X-Mailing-List: linux-cifs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Signed-off-by: Paulo Alcantara (Red Hat) --- fs/smb/client/connect.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 95e4bda4fd51..85679ae106fd 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -175,6 +175,8 @@ cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server, spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; spin_lock(&ses->chan_lock); for (i = 0; i < ses->chan_count; i++) { if (!ses->chans[i].server)