1. Patchew
  2. linux
  3. View series

[PATCH -next 0/2] smb: client: Fix use-after-free in readdir

Wang Zhaolong posted 2 patches 7 months, 1 week ago
There is a newer version of this series
fs/smb/client/readdir.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
[PATCH -next 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months, 1 week ago 
This patch series addresses a use-after-free vulnerability in the SMB/CIFS
client readdir implementation that can be triggered during concurrent
directory reads when a signal interrupts directory enumeration.

The root cause is in the operation sequence in find_cifs_entry():
1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
2. The code continues to access last_entry pointer before checking the return code
3. This can access freed memory since the buffer may have been released

The race condition can be triggered by processes accessing the same directory
with concurrent readdir operations, especially when signals are involved.

The fix is straightforward:
1. First patch ensures we check the return code before using any pointers
2. Second patch improves defensiveness by resetting all related buffer pointers
   when freeing the network buffer

Wang Zhaolong (2):
  smb: client: Fix use-after-free in cifs_fill_dirent
  cifs: Reset all search buffer pointers when releasing buffer

 fs/smb/client/readdir.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.34.3

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.