[PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Steve French
smfrench at gmail.com
Sat May 17 20:18:51 UTC 2025
Merged into cifs-2.6.git for-next
I was only able to reproduce the rmmod problem once though (without
the patch) so been tricky to test. What server were you testing
against (I tried current Samba and ksmbd)?
On Fri, May 16, 2025 at 8:50 AM Paulo Alcantara <pc at manguebit.com> wrote:
>
> Wang Zhaolong <wangzhaolong1 at huawei.com> writes:
>
> > V2:
> > - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
> > - The titles of patches follow the same style.
> >
> > This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> > client readdir implementation that can be triggered during concurrent
> > directory reads when a signal interrupts directory enumeration.
> >
> > The root cause is in the operation sequence in find_cifs_entry():
> > 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> > 2. The code continues to access last_entry pointer before checking the return code
> > 3. This can access freed memory since the buffer may have been released
> >
> > The race condition can be triggered by processes accessing the same directory
> > with concurrent readdir operations, especially when signals are involved.
> >
> > The fix is straightforward:
> > 1. First patch ensures we check the return code before using any pointers
> > 2. Second patch improves defensiveness by resetting all related buffer pointers
> > when freeing the network buffer
> >
> > Wang Zhaolong (2):
> > smb: client: Fix use-after-free in cifs_fill_dirent
> > smb: client: Reset all search buffer pointers when releasing buffer
> >
> > fs/smb/client/readdir.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
>
> Reviewed-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
>
--
Thanks,
Steve
More information about the samba-technical
mailing list