From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, ZhangXiaoxu <zhangxiaoxu5@huawei.com>,
Steve French <stfrench@microsoft.com>,
Pavel Shilovsky <pshilov@microsoft.com>
Subject: [PATCH 5.0 047/115] cifs: Fix use-after-free in SMB2_read
Date: Wed, 24 Apr 2019 19:09:43 +0200 [thread overview]
Message-ID: <20190424170927.773807529@linuxfoundation.org> (raw)
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>
From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e upstream.
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_read+0x1136/0x1190
Read of size 8 at addr ffff8880b4e45e50 by task ln/1009
Should not release the 'req' because it will use in the trace.
Fixes: eccb4422cf97 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3390,8 +3390,6 @@ SMB2_read(const unsigned int xid, struct
rqst.rq_nvec = 1;
rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(req);
-
rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
if (rc) {
@@ -3410,6 +3408,8 @@ SMB2_read(const unsigned int xid, struct
io_parms->tcon->tid, ses->Suid,
io_parms->offset, io_parms->length);
+ cifs_small_buf_release(req);
+
*nbytes = le32_to_cpu(rsp->DataLength);
if ((*nbytes > CIFS_MAX_MSGSIZE) ||
(*nbytes > io_parms->length)) {
next prev parent reply other threads:[~2019-04-24 17:43 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
2019-04-24 17:08 ` [PATCH 5.0 001/115] bonding: fix event handling for stacked bonds Greg Kroah-Hartman
2019-04-24 17:08 ` [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces Greg Kroah-Hartman
2019-04-24 17:08 ` [PATCH 5.0 003/115] net: atm: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 004/115] net: bridge: fix per-port af_packet sockets Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 005/115] net: bridge: multicast: use rcu to access port list from br_multicast_start_querier Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 006/115] net: fec: manage ahb clock in runtime pm Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 007/115] net: Fix missing meta data in skb with vlan packet Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 008/115] net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 009/115] tcp: tcp_grow_window() needs to respect tcp_space() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 010/115] team: set slave to promisc if team is already in promisc mode Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 011/115] tipc: missing entries in name table of publications Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 012/115] vhost: reject zero size iova range Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 013/115] ipv4: recompile ip options in ipv4_link_failure Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 014/115] ipv4: ensure rcu_read_lock() in ipv4_link_failure() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 015/115] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 016/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 017/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 018/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 019/115] mlxsw: spectrum_router: Do not check VRF MAC address Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 020/115] net: thunderx: raise XDP MTU to 1508 Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 021/115] net: thunderx: dont allow jumbo frames with XDP Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 022/115] net/tls: fix the IV leaks Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 023/115] net/tls: dont leak partially sent record in device mode Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 024/115] net: strparser: partially revert "strparser: Call skb_unclone conditionally" Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 025/115] net/tls: fix build without CONFIG_TLS_DEVICE Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 026/115] net: bridge: fix netlink export of vlan_stats_per_port option Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 027/115] net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 028/115] net/mlx5e: Protect against non-uplink representor for encap Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 029/115] net/mlx5e: Switch to Toeplitz RSS hash by default Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 030/115] net/mlx5e: Rx, Fixup skb checksum for packets with tail padding Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 031/115] net/mlx5e: Rx, Check ip headers sanity Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 032/115] Revert "net/mlx5e: Enable reporting checksum unnecessary also for L3 packets" Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 033/115] net/mlx5: FPGA, tls, hold rcu read lock a bit longer Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 034/115] net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 035/115] net/mlx5: FPGA, tls, idr remove on flow delete Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 036/115] route: Avoid crash from dereferencing NULL rt->from Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 037/115] nfp: flower: replace CFI with vlan present Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 038/115] nfp: flower: remove vlan CFI bit from push vlan action Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 039/115] sch_cake: Use tc_skb_protocol() helper for getting packet protocol Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 040/115] sch_cake: Make sure we can write the IP header before changing DSCP bits Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 042/115] nfc: nci: Potential off by one in ->pipes[] array Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 043/115] sch_cake: Simplify logic in cake_select_tin() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 044/115] CIFS: keep FileInfo handle live during oplock break Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 045/115] cifs: Fix lease buffer length error Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 046/115] cifs: Fix use-after-free in SMB2_write Greg Kroah-Hartman
2019-04-24 17:09 ` Greg Kroah-Hartman [this message]
2019-04-24 17:09 ` [PATCH 5.0 048/115] cifs: fix handle leak in smb2_query_symlink() Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 049/115] fs/dax: Deposit pagetable even when installing zero page Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 050/115] KVM: x86: Dont clear EFER during SMM transitions for 32-bit vCPU Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 051/115] KVM: x86: svm: make sure NMI is injected after nmi_singlestep Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 052/115] Staging: iio: meter: fixed typo Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 053/115] staging: iio: ad7192: Fix ad7193 channel address Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 054/115] iio: gyro: mpu3050: fix chip ID reading Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 055/115] iio/gyro/bmg160: Use millidegrees for temperature scale Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 056/115] iio:chemical:bme680: Fix, report temperature in millidegrees Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 057/115] iio:chemical:bme680: Fix SPI read interface Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 058/115] iio: cros_ec: Fix the maths for gyro scale calculation Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 059/115] iio: ad_sigma_delta: select channel when reading register Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 060/115] iio: dac: mcp4725: add missing powerdown bits in store eeprom Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 061/115] iio: Fix scan mask selection Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 062/115] iio: adc: at91: disable adc channel interrupt in timeout case Greg Kroah-Hartman
2019-04-24 17:09 ` [PATCH 5.0 063/115] iio: core: fix a possible circular locking dependency Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 064/115] io: accel: kxcjk1013: restore the range after resume Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 065/115] staging: most: core: use device description as name Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 066/115] staging: comedi: vmk80xx: Fix use of uninitialized semaphore Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 067/115] staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 068/115] staging: comedi: ni_usb6501: Fix use of uninitialized mutex Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 069/115] staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 070/115] ALSA: hda/realtek - add two more pin configuration sets to quirk table Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 071/115] ALSA: core: Fix card races between register and disconnect Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 072/115] Input: elan_i2c - add hardware ID for multiple Lenovo laptops Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 073/115] serial: sh-sci: Fix HSCIF RX sampling point adjustment Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 074/115] serial: sh-sci: Fix HSCIF RX sampling point calculation Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 075/115] vt: fix cursor when clearing the screen Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 076/115] scsi: core: set result when the command cannot be dispatched Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 077/115] Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 078/115] i3c: dw: Fix dw_i3c_master_disable controller by using correct mask Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 079/115] i3c: Fix the verification of random PID Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 080/115] Revert "svm: Fix AVIC incomplete IPI emulation" Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 081/115] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 082/115] x86/kvm: move kvm_load/put_guest_xcr0 into atomic context Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 083/115] ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 084/115] crypto: x86/poly1305 - fix overflow during partial reduction Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 085/115] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 086/115] arm64: futex: Restore oldval initialization to work around buggy compilers Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 087/115] x86/kprobes: Verify stack frame on kretprobe Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 088/115] kprobes: Mark ftrace mcount handler functions nokprobe Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 089/115] x86/kprobes: Avoid kretprobe recursion bug Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 090/115] kprobes: Fix error check when reusing optimized probes Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 091/115] rt2x00: do not increment sequence number while re-transmitting Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 092/115] mac80211: do not call driver wake_tx_queue op during reconfig Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 093/115] s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD) Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 094/115] drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 095/115] perf/x86/amd: Add event map for AMD Family 17h Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 096/115] x86/cpu/bugs: Use __initconst for const init data Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 097/115] perf/x86: Fix incorrect PEBS_REGS Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 098/115] x86/speculation: Prevent deadlock on ssb_state::lock Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 099/115] timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze() Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 100/115] nfit/ars: Remove ars_start_flags Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 101/115] nfit/ars: Introduce scrub_flags Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 102/115] nfit/ars: Allow root to busy-poll the ARS state machine Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 103/115] nfit/ars: Avoid stale ARS results Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 104/115] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 105/115] tpm: Fix the type of the return value in calc_tpm2_event_size() Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 106/115] Revert "kbuild: use -Oz instead of -Os when using clang" Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 107/115] sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 108/115] tpm: fix an invalid condition in tpm_common_poll Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 109/115] mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 110/115] device_cgroup: fix RCU imbalance in error case Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 111/115] perf/ring_buffer: Fix AUX record suppression Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 112/115] mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 113/115] mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 114/115] ALSA: info: Fix racy addition/deletion of nodes Greg Kroah-Hartman
2019-04-24 17:10 ` [PATCH 5.0 115/115] percpu: stop printing kernel addresses Greg Kroah-Hartman
2019-04-25 5:25 ` [PATCH 5.0 000/115] 5.0.10-stable review Naresh Kamboju
2019-04-25 7:18 ` Greg Kroah-Hartman
2019-04-25 11:56 ` Jon Hunter
2019-04-25 14:29 ` Greg Kroah-Hartman
2019-04-25 16:23 ` shuah
2019-04-25 17:08 ` Greg Kroah-Hartman
2019-04-25 19:39 ` Guenter Roeck
2019-04-27 6:49 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190424170927.773807529@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pshilov@microsoft.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=zhangxiaoxu5@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).