linux/fs/ksmbd
Namjae Jeon f99d5d1d2a ksmbd: fix race condition with fp
[ Upstream commit 5a7ee91d11 ]

fp can be used in each command. If smb2_close command is coming at the
same time, UAF issue can happen by race condition.

                           Time
                            +
Thread A                    | Thread B1 B2 .... B5
smb2_open                   | smb2_close
                            |
 __open_id                  |
   insert fp to file_table  |
                            |
                            |   atomic_dec_and_test(&fp->refcount)
                            |   if fp->refcount == 0, free fp by kfree.
 // UAF!                    |
 use fp                     |
                            +
This patch adds f_state so that a freed fp is not used and an fp in use
is not freed.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-12-23 10:41:58 +01:00
mgmt ksmbd: fix race condition between session lookup and expire 2023-12-23 10:41:58 +01:00
asn1.c ksmbd: switch to use kmemdup_nul() helper 2023-12-23 10:41:57 +01:00
asn1.h
auth.c ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() 2023-12-23 10:41:58 +01:00
auth.h ksmbd: fix encryption failure issue for session logoff response 2023-12-23 10:41:53 +01:00
connection.c ksmbd: fix race condition between session lookup and expire 2023-12-23 10:41:58 +01:00
connection.h ksmbd: fix race condition between session lookup and expire 2023-12-23 10:41:58 +01:00
crypto_ctx.c ksmbd: remove NTLMv1 authentication 2021-09-29 16:17:34 -05:00
crypto_ctx.h ksmbd: remove NTLMv1 authentication 2021-09-29 16:17:34 -05:00
glob.h ksmbd: fix version mismatch with out of tree 2021-10-07 10:18:34 -05:00
Kconfig ksmbd: remove experimental warning 2023-12-23 10:41:58 +01:00
ksmbd_netlink.h ksmbd: check if a mount point is crossed during path lookup 2023-12-23 10:41:57 +01:00
ksmbd_spnego_negtokeninit.asn1
ksmbd_spnego_negtokentarg.asn1
ksmbd_work.c ksmbd: fix wrong interim response on compound 2023-12-23 10:41:57 +01:00
ksmbd_work.h ksmbd: fix wrong interim response on compound 2023-12-23 10:41:57 +01:00
Makefile
misc.c ksmbd: validate share name from share config response 2023-12-23 10:41:53 +01:00
misc.h ksmbd: validate share name from share config response 2023-12-23 10:41:53 +01:00
ndr.c ksmbd: downgrade ndr version error message to debug 2023-02-01 08:27:24 +01:00
ndr.h ksmbd: add user namespace support 2021-07-02 16:27:10 +09:00
nterr.h
ntlmssp.h
oplock.c ksmbd: fix wrong interim response on compound 2023-12-23 10:41:57 +01:00
oplock.h ksmbd: remove filename in ksmbd_file 2023-12-23 10:41:51 +01:00
server.c ksmbd: return invalid parameter error response if smb2 request is invalid 2023-12-23 10:41:58 +01:00
server.h ksmbd: add max connections parameter 2023-02-01 08:27:24 +01:00
smb2misc.c ksmbd: return invalid parameter error response if smb2 request is invalid 2023-12-23 10:41:58 +01:00
smb2ops.c ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share 2023-12-23 10:41:53 +01:00
smb2pdu.c ksmbd: fix race condition with fp 2023-12-23 10:41:58 +01:00
smb2pdu.h ksmbd: validate smb request protocol id 2023-12-23 10:41:56 +01:00
smb_common.c ksmbd: add support for read compound 2023-12-23 10:41:57 +01:00
smb_common.h ksmbd: fix out of bounds in init_smb2_rsp_hdr() 2023-12-23 10:41:57 +01:00
smbacl.c ksmbd: remove unneeded mark_inode_dirty in set_info_sec() 2023-12-23 10:41:58 +01:00
smbacl.h ksmbd: constify struct path 2023-12-23 10:41:52 +01:00
smbfsctl.h
smbstatus.h
transport_ipc.c ksmbd: use kvzalloc instead of kvmalloc 2023-12-23 10:41:56 +01:00
transport_ipc.h ksmbd: throttle session setup failures to avoid dictionary attacks 2021-10-20 00:07:10 -05:00
transport_rdma.c ksmbd: reduce descriptor size if remaining bytes is less than request size 2023-12-23 10:41:57 +01:00
transport_rdma.h ksmbd: fix wrong smbd max read/write size check 2023-12-23 10:41:51 +01:00
transport_tcp.c ksmbd: fix racy issue from session setup and logoff 2023-12-23 10:41:55 +01:00
transport_tcp.h
unicode.c ksmbd: remove unused is_char_allowed function 2023-12-23 10:41:54 +01:00
unicode.h ksmbd: casefold utf-8 share names and fix ascii lowercase conversion 2023-12-23 10:41:52 +01:00
uniupr.h
vfs_cache.c ksmbd: fix race condition with fp 2023-12-23 10:41:58 +01:00
vfs_cache.h ksmbd: fix race condition with fp 2023-12-23 10:41:58 +01:00
vfs.c ksmbd: add support for read compound 2023-12-23 10:41:57 +01:00
vfs.h ksmbd: add support for read compound 2023-12-23 10:41:57 +01:00
xattr.h ksmbd: reorder and document on-disk and netlink structures in headers 2021-06-30 14:47:24 +09:00