Ubuntu-focal-kernel/fs/cifs
Paulo Alcantara 3ef79e32ec smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
Skip SMB sessions that are being torn down
(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  <TASK>
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

CVE-2023-52752
(backported from commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62)
[yuxuan.luo: manually applied the patch with context adjustment:
 `status` substituting `ses_status` and `CifsExiting` for `SES_EXITING`.]
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
Acked-by: Kuba Pawlak <kuba.pawlak@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2024-07-05 10:51:55 +02:00
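The race the commit describes, as an added user-space model that is not kernel code and not part of this repository: a session is marked SES_EXITING and its tcons are released while the session itself is still linked into the server's session list, and a concurrent /proc/fs/cifs/DebugData reader walks into that window. The names ses_status, SES_EXITING, smb_ses_list and tcon mirror the commit message and the call trace above; the flat structures, the two-phase begin_teardown(), the sim_free() that poisons instead of freeing, and the share names are assumptions chosen so the bad read is observable without real undefined behaviour. The poison byte is 0x6b because that is SLUB's POISON_FREE fill, which is why the faulting address in the oops is 0x6b6b6b6b6b6b6d81.

```c
/* Added example (not kernel code): model of the UAF fixed by skipping
 * SES_EXITING sessions in cifs_debug_data_proc_show(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b /* SLUB's freed-object fill; source of the 0x6b6b... address */

enum ses_status { SES_GOOD, SES_EXITING };
struct tcon { char share[32]; };
struct ses {
	enum ses_status ses_status;
	size_t ntcon;
	struct tcon *tcons; /* released before @ses leaves the list (assumed layout) */
	struct ses *next;
};
struct tcp_server { struct ses *smb_ses_list; };
struct show_result { int dumped; int uaf_reads; };

/* Simulated kfree(): poison rather than free so a late reader sees 0x6b bytes
 * instead of triggering undefined behaviour in this model. */
static void sim_free(void *p, size_t n) { memset(p, POISON_FREE, n); }

/* First half of session teardown: status flips to SES_EXITING and the tcons
 * go away, but @ses is still on smb_ses_list. A DebugData reader racing the
 * umount lands exactly here. */
static void begin_teardown(struct ses *s)
{
	s->ses_status = SES_EXITING;
	sim_free(s->tcons, s->ntcon * sizeof(*s->tcons));
}

static int looks_freed(const struct tcon *t)
{
	for (size_t i = 0; i < sizeof(t->share); i++)
		if ((unsigned char)t->share[i] != POISON_FREE) return 0;
	return 1;
}

/* Model of cifs_debug_data_proc_show(): skip_exiting == 0 is the pre-fix walk,
 * skip_exiting == 1 adds the check the commit introduces. */
static struct show_result debug_data_show(struct tcp_server *srv, int skip_exiting)
{
	struct show_result r = { 0, 0 };
	for (struct ses *s = srv->smb_ses_list; s; s = s->next) {
		if (skip_exiting && s->ses_status == SES_EXITING)
			continue; /* the fix: never dereference a session on its way out */
		r.dumped++;
		for (size_t i = 0; i < s->ntcon; i++) {
			const struct tcon *t = &s->tcons[i];
			if (looks_freed(t))
				r.uaf_reads++; /* in the kernel this read is the GPF */
			printf("  tcon: %.*s\n", (int)sizeof(t->share), t->share);
		}
	}
	return r;
}

static struct ses *new_ses(const char *const *shares, size_t n, struct ses *next)
{
	struct ses *s = calloc(1, sizeof(*s));
	s->ntcon = n;
	s->tcons = calloc(n, sizeof(*s->tcons));
	for (size_t i = 0; i < n; i++)
		snprintf(s->tcons[i].share, sizeof(s->tcons[i].share), "%s", shares[i]);
	s->next = next;
	return s;
}

/* Constructed scenario: two sessions, the second one mid-umount. */
static struct show_result run_scenario(int skip_exiting)
{
	const char *const a[] = { "\\\\srv\\share1" };
	const char *const b[] = { "\\\\srv\\share2", "\\\\srv\\share3" };
	struct tcp_server srv;
	struct show_result r;

	srv.smb_ses_list = new_ses(a, 1, new_ses(b, 2, NULL));
	begin_teardown(srv.smb_ses_list->next);
	r = debug_data_show(&srv, skip_exiting);

	for (struct ses *s = srv.smb_ses_list, *n; s; s = n) {
		n = s->next;
		free(s->tcons);
		free(s);
	}
	return r;
}

int main(void)
{
	struct show_result r = run_scenario(0);
	printf("pre-fix: dumped %d sessions, %d reads from freed tcons\n", r.dumped, r.uaf_reads);
	r = run_scenario(1);
	printf("fixed:   dumped %d sessions, %d reads from freed tcons\n", r.dumped, r.uaf_reads);
	return 0;
}
```

The pre-fix walk reports two reads from poisoned tcons for the exiting session; with the status check it dumps only the live session and touches nothing that teardown has already released. The check is only sound because, as in the kernel, the status is set before the inner objects go away and the walk runs under the same list lock that protects the status change; a check after the dereference would not help.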
Kconfig cifs: On cifs_reconnect, resolve the hostname again. 2021-07-15 19:27:32 +02:00
Makefile
asn1.c
cache.c
cifs_debug.c smb: client: fix use-after-free bug in cifs_debug_data_proc_show() 2024-07-05 10:51:55 +02:00
cifs_debug.h
cifs_dfs_ref.c Revert "cifs: use the expiry output of dns_query to schedule next resolution" 2022-02-02 17:00:41 +01:00
cifs_fs_sb.h smb3: add mount option to allow RW caching of share accessed by only 1 client 2019-09-16 11:43:38 -05:00
cifs_ioctl.h smb3: allow decryption keys to be dumped by admin for debugging 2019-09-21 06:02:26 -05:00
cifs_spnego.c cifs: spnego: add ';' in HOST_KEY_LEN 2024-02-02 14:13:09 +01:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c CIFS: Fix a potentially linear read overflow 2021-10-11 17:08:50 -06:00
cifs_unicode.h
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c
cifsacl.h smb3: missing ACL related flags 2019-09-26 16:37:43 -05:00
cifsencrypt.c
cifsfs.c cifs: Fix non-availability of dedup breaking generic/304 2024-02-02 14:13:20 +01:00
cifsfs.h
cifsglob.h SMB3: Backup intent flag missing from some more ops 2023-07-10 17:21:39 +02:00
cifspdu.h
cifsproto.h smb3: fix problem with null cifs super block with previous patch 2023-07-10 17:22:08 +02:00
cifsroot.c
cifssmb.c cifs: prevent infinite recursion in CIFSGetDFSRefer() 2023-07-10 17:22:06 +02:00
connect.c
dfs_cache.c
dfs_cache.h
dir.c
dns_resolve.c
dns_resolve.h
export.c
file.c cifs: Release folio lock on fscache read hit. 2023-10-30 11:41:59 +01:00
fscache.c
fscache.h
inode.c
ioctl.c
link.c
misc.c smb: client: fix OOB in smbCalcSize() 2024-01-05 14:29:59 +01:00
netmisc.c
nterr.c
nterr.h
ntlmssp.h
readdir.c
rfc1002pdu.h
sess.c cifs: fix ntlmssp auth when there is no key exchange 2024-04-26 10:54:12 +02:00
smb1ops.c
smb2file.c
smb2glob.h
smb2inode.c
smb2maperror.c smb3: improve handling of share deleted (and share recreated) 2019-09-16 11:43:38 -05:00
smb2misc.c smb: client: fix NULL deref in asn1_ber_decoder() 2024-02-12 09:10:25 +01:00
smb2ops.c smb: client: fix potential OOBs in smb2_parse_contexts() 2024-07-05 10:51:54 +02:00
smb2pdu.c smb: client: fix potential OOBs in smb2_parse_contexts() 2024-07-05 10:51:54 +02:00
smb2pdu.h ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE 2024-02-12 09:10:24 +01:00
smb2proto.h smb: client: fix potential OOBs in smb2_parse_contexts() 2024-07-05 10:51:54 +02:00
smb2status.h
smb2transport.c
smbdirect.c smbdirect: missing rc checks while waiting for rdma events 2024-02-02 14:12:59 +01:00
smbdirect.h
smbencrypt.c
smberr.h
smbfsctl.h
trace.c
trace.h
transport.c
winucase.c
xattr.c