ksmbd: fix racy issue from smb2 close and logoff with multichannel
mainline inclusion
from mainline-v6.4-rc1
commit abcc506a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7BIK2
CVE: CVE-2023-32256,CVE-2023-32258

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abcc506a9a71976a8b4c9bf3ee6efd13229c1e19

--------------------------------

When an smb client sends concurrent smb2 close and logoff requests with a multichannel connection, it can cause a racy issue. The logoff request frees tcon and can cause UAF issues in smb2 close. When receiving a logoff request with multichannel, ksmbd should wait until all remaining requests complete as well as ones in the current connection, and then make the session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>

Conflicts:
fs/ksmbd/connection.c