blob: 8bdbcbb806a2204a0fb8dd346e78b51713b376f2 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
Description: use-after-free in smb2_is_status_io_timeout()
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2154178
https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24
https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan
https://lore.kernel.org/linux-cifs/aca1c4e755e8c005b874c57a6210c4c6a34d2324.camel@debian.org/
Notes:
bwh> Introduced in 5.10 by commit 8e670f77c4a5 "Handle STATUS_IO_TIMEOUT
bwh> gracefully". I posted my analysis and an untested patch on RHBZ.
carnil> Paulo Alcantara replied that this issue is supposed to be fixed
carnil> with d527f51331ca ("cifs: Fix UAF in
carnil> cifs_demultiplex_thread()") and that wile the commit mentions
carnil> an UAF in >is_network_name_deleted() it should work as well for
carnil> the smb2_is_status_io_timeout() case.
carnil> But according to Ben this is another issue.
Bugs:
upstream: needed
6.1-upstream-stable: needed
5.10-upstream-stable: needed
4.19-upstream-stable: N/A "Vulnerable code not present"
sid: needed
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: N/A "Vulnerable code not present"
|