WSL2-Linux-Kernel/fs/cifs
ZhaoLong Wang aa5465aeca cifs: Fix use-after-free in rdata->read_into_pages()
When the network status is unstable, use-after-free may occur when
read data from the server.

  BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0

  Call Trace:
   <TASK>
   dump_stack_lvl+0x38/0x4c
   print_report+0x16f/0x4a6
   kasan_report+0xb7/0x130
   readpages_fill_pages+0x14c/0x7e0
   cifs_readv_receive+0x46d/0xa40
   cifs_demultiplex_thread+0x121c/0x1490
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50
   </TASK>

  Allocated by task 2535:
   kasan_save_stack+0x22/0x50
   kasan_set_track+0x25/0x30
   __kasan_kmalloc+0x82/0x90
   cifs_readdata_direct_alloc+0x2c/0x110
   cifs_readdata_alloc+0x2d/0x60
   cifs_readahead+0x393/0xfe0
   read_pages+0x12f/0x470
   page_cache_ra_unbounded+0x1b1/0x240
   filemap_get_pages+0x1c8/0x9a0
   filemap_read+0x1c0/0x540
   cifs_strict_readv+0x21b/0x240
   vfs_read+0x395/0x4b0
   ksys_read+0xb8/0x150
   do_syscall_64+0x3f/0x90
   entry_SYSCALL_64_after_hwframe+0x72/0xdc

  Freed by task 79:
   kasan_save_stack+0x22/0x50
   kasan_set_track+0x25/0x30
   kasan_save_free_info+0x2e/0x50
   __kasan_slab_free+0x10e/0x1a0
   __kmem_cache_free+0x7a/0x1a0
   cifs_readdata_release+0x49/0x60
   process_one_work+0x46c/0x760
   worker_thread+0x2a4/0x6f0
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50

  Last potentially related work creation:
   kasan_save_stack+0x22/0x50
   __kasan_record_aux_stack+0x95/0xb0
   insert_work+0x2b/0x130
   __queue_work+0x1fe/0x660
   queue_work_on+0x4b/0x60
   smb2_readv_callback+0x396/0x800
   cifs_abort_connection+0x474/0x6a0
   cifs_reconnect+0x5cb/0xa50
   cifs_readv_from_socket.cold+0x22/0x6c
   cifs_read_page_from_socket+0xc1/0x100
   readpages_fill_pages.cold+0x2f/0x46
   cifs_readv_receive+0x46d/0xa40
   cifs_demultiplex_thread+0x121c/0x1490
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50

The following function calls will cause UAF of the rdata pointer.

readpages_fill_pages
 cifs_read_page_from_socket
  cifs_readv_from_socket
   cifs_reconnect
    __cifs_reconnect
     cifs_abort_connection
      mid->callback() --> smb2_readv_callback
       queue_work(&rdata->work)  # if the worker completes first,
                                 # the rdata is freed
          cifs_readv_complete
            kref_put
              cifs_readdata_release
                kfree(rdata)
 return rdata->...               # UAF in readpages_fill_pages()

Similarly, this problem also occurs in the uncache_fill_pages().

Fix this by adjusts the order of condition judgment in the return
statement.

Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
2023-02-06 22:50:25 -06:00
..
Kconfig cifs: Support fscache indexing rewrite 2022-01-19 11:21:08 -06:00
Makefile cifs: get rid of mount options string parsing 2022-12-19 08:03:11 -06:00
asn1.c cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cached_dir.c cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cached_dir.h cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cifs_debug.c cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
cifs_debug.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_dfs_ref.c cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
cifs_fs_sb.h cifs: support nested dfs links over reconnect 2021-11-10 16:30:13 -06:00
cifs_ioctl.h cifs: minor cleanup of some headers 2022-12-12 13:08:06 -06:00
cifs_spnego.c cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
cifs_spnego.h cifs: use the chans_need_reconnect bitmap for reconnect status 2022-01-02 20:38:46 -06:00
cifs_spnego_negtokeninit.asn1 cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cifs_swn.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_swn.h cifs: simplify SWN code with dummy funcs instead of ifdefs 2021-04-25 16:28:22 -05:00
cifs_unicode.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c hardening updates for v6.2-rc1 2022-12-14 12:20:00 -08:00
cifsacl.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifsencrypt.c cifs: fix potential memory leaks in session setup 2023-01-10 23:24:37 -06:00
cifsfs.c cifs: get rid of mount options string parsing 2022-12-19 08:03:11 -06:00
cifsfs.h cifs: update internal module number 2022-12-19 08:04:50 -06:00
cifsglob.h cifs: fix refresh of cached referrals 2022-12-19 08:03:12 -06:00
cifspdu.h cifs: fix various whitespace errors in headers 2022-12-12 13:08:22 -06:00
cifsproto.h cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
cifsroot.c cifs: move from strlcpy with unused retval to strscpy 2022-08-19 11:02:26 -05:00
cifssmb.c cifs: use stub posix acl handlers 2022-10-20 10:13:32 +02:00
connect.c cifs: do not query ifaces on smb1 mounts 2023-01-10 23:24:14 -06:00
dfs.c cifs: protect access of TCP_Server_Info::{dstaddr,hostname} 2023-01-04 09:06:53 -06:00
dfs.h cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
dfs_cache.c cifs: remove unused function 2023-01-18 14:49:51 -06:00
dfs_cache.h cifs: remove unused function 2023-01-18 14:49:51 -06:00
dir.c cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
dns_resolve.c cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
dns_resolve.h cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
export.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
file.c cifs: Fix use-after-free in rdata->read_into_pages() 2023-02-06 22:50:25 -06:00
fs_context.c cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
fs_context.h cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
fscache.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
fscache.h cifs: Remove {cifs,nfs}_fscache_release_page() 2022-08-10 21:26:08 -05:00
inode.c cifs: reduce roundtrips on create/qinfo requests 2022-12-19 08:03:11 -06:00
ioctl.c cifs: Fix wrong return value checking when GETFLAGS 2022-11-16 00:21:04 -06:00
link.c cifs: Fix uninitialized memory read for smb311 posix symlink create 2023-01-12 09:51:48 -06:00
misc.c cifs: protect access of TCP_Server_Info::{dstaddr,hostname} 2023-01-04 09:06:53 -06:00
netlink.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs: remove unused server parameter from calc_smb_size() 2022-08-17 18:07:13 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h treewide: Replace zero-length arrays with flexible-array members 2022-02-17 07:00:39 -06:00
readdir.c cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
rfc1002pdu.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
sess.c cifs: fix potential memory leaks in session setup 2023-01-10 23:24:37 -06:00
smb1ops.c cifs: fix file info setting in cifs_open_file() 2023-01-09 13:47:02 -06:00
smb2file.c cifs: don't leak -ENOMEM in smb2_open_file() 2022-12-19 08:04:41 -06:00
smb2glob.h smb3: move defines for ioctl protocol header and SMB2 sizes to smbfs_common 2022-03-26 23:09:20 -05:00
smb2inode.c cifs: reduce roundtrips on create/qinfo requests 2022-12-19 08:03:11 -06:00
smb2maperror.c cifs: Create a new shared file holding smb2 pdu definitions 2021-11-05 09:50:57 -05:00
smb2misc.c cifs: avoid unnecessary iteration of tcp sessions 2022-11-04 23:34:40 -05:00
smb2ops.c cifs: fix interface count calculation during refresh 2023-01-04 23:18:07 -06:00
smb2pdu.c cifs: do not include page data when checking signature 2023-01-18 14:44:30 -06:00
smb2pdu.h cifs: improve symlink handling for smb2+ 2022-10-13 09:36:04 -05:00
smb2proto.h cifs: Parse owner/group for stat in smb311 posix extensions 2022-12-08 09:51:53 -06:00
smb2status.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
smb2transport.c cifs: avoid unnecessary iteration of tcp sessions 2022-11-04 23:34:40 -05:00
smbdirect.c cifs: Fix oops due to uncleared server->smbd_conn in reconnect 2023-01-25 09:57:48 -06:00
smbdirect.h Decrease the number of SMB3 smbdirect client SGEs 2022-10-05 01:29:21 -05:00
smbencrypt.c cifs: rename cifs_common to smbfs_common 2021-09-08 23:59:26 -05:00
smberr.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
transport.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
unc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
winucase.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
xattr.c cifs: use stub posix acl handlers 2022-10-20 10:13:32 +02:00