blob: 1a4498271114d57422f1cd2d99641d9122bb8d70 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
Description: use-after-free in smb2_is_status_io_timeout()
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2154178
https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24
https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan
https://lore.kernel.org/linux-cifs/aca1c4e755e8c005b874c57a6210c4c6a34d2324.camel@debian.org/
Notes:
bwh> Introduced in 5.10 by commit 8e670f77c4a5 "Handle STATUS_IO_TIMEOUT
bwh> gracefully". I posted my analysis and an untested patch on RHBZ.
carnil> Paulo Alcantara replied that this issue is supposed to be fixed
carnil> with d527f51331ca ("cifs: Fix UAF in
carnil> cifs_demultiplex_thread()") and that wile the commit mentions
carnil> an UAF in >is_network_name_deleted() it should work as well for
carnil> the smb2_is_status_io_timeout() case.
carnil> But according to Ben this is another issue.
Bugs:
upstream: released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f]
6.7-upstream-stable: N/A "Fixed before branching point"
6.6-upstream-stable: N/A "Fixed before branching point"
6.1-upstream-stable: released (6.1.56) [908b3b5e97d25e879de3d1f172a255665491c2c3]
5.10-upstream-stable: needed
4.19-upstream-stable: N/A "Vulnerable code not present"
sid: released (6.5.6-1)
6.1-bookworm-security: released (6.1.64-1)
5.10-bullseye-security: needed
4.19-buster-security: N/A "Vulnerable code not present"
|