Skip to content

[LTS 9.4] ALSA: usb-audio: Fix out of bounds reads when finding clock sources #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 2, 2025
Merged

[LTS 9.4] ALSA: usb-audio: Fix out of bounds reads when finding clock sources #240

merged 1 commit into from
May 2, 2025

Conversation

jainanmol84
Copy link

@jainanmol84 jainanmol84 commented May 2, 2025
edited
Loading

  • Commit Message Requirements
  • Built against Vault/LTS Environment
  • kABI Check Passed, where Valid (Pre 9.4 RT does not have kABI stability)
  • Boot Test
  • Kernel SelfTest results
  • Additional Tests as determined relevant

Commit message

jira VULN-46532
cve CVE-2024-53150
commit-author Takashi Iwai <[email protected]>
commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6

The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors.  That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal.  When the descriptor length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

	Reported-by: Benoît Sevens <[email protected]>
	Cc: <[email protected]>
Link: https://lore.kernel.org/[email protected] Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6)
	Signed-off-by: Anmol Jain <[email protected]>

Kernel build logs

/home/anmol/kernel-src-tree
  CLEAN   arch/x86/boot/compressed
  CLEAN   arch/x86/boot
  CLEAN   arch/x86/crypto
  CLEAN   arch/x86/entry/vdso
  CLEAN   arch/x86/kernel/cpu
  CLEAN   arch/x86/kernel
  CLEAN   arch/x86/kvm
  CLEAN   arch/x86/purgatory
  CLEAN   arch/x86/realmode/rm
  CLEAN   arch/x86/tools
  CLEAN   arch/x86/lib
  CLEAN   certs
  CLEAN   crypto/asymmetric_keys
  CLEAN   drivers/firmware/efi/libstub
  CLEAN   drivers/gpu/drm/radeon
  CLEAN   drivers/scsi
  #
  Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctls.h
  [--snip--]
    INSTALL /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/sound/xen/snd_xen_front.ko
  INSTALL /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/virt/lib/irqbypass.ko
  STRIP   /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-ajain_ciqlts9_4-7c531e1e9+
[TIMER]{MODULES}: 52s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-ajain_ciqlts9_4-7c531e1e9+ \
        arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 34s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-ajain_ciqlts9_4-7c531e1e9+ and Index to 4
The default is /boot/loader/entries/c09ae7f16c7843a2947e0b4b0c2c6380-5.14.0-ajain_ciqlts9_4-7c531e1e9+.conf with index 4 and kernel /boot/vmlinuz-5.14.0-ajain_ciqlts9_4-7c531e1e9+
The default is /boot/loader/entries/c09ae7f16c7843a2947e0b4b0c2c6380-5.14.0-ajain_ciqlts9_4-7c531e1e9+.conf with index 4 and kernel /boot/vmlinuz-5.14.0-ajain_ciqlts9_4-7c531e1e9+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 7s
[TIMER]{BUILD}: 2372s
[TIMER]{MODULES}: 52s
[TIMER]{INSTALL}: 34s
[TIMER]{TOTAL} 2471s
Rebooting in 10 seconds

kernel-build.log

Kselftests

$ grep '^ok ' kselftest-before.log | wc -l && grep '^ok ' kselftest-after.log | wc -l
374
375

$ grep '^not ok ' kselftest-before.log | wc -l && grep '^not ok ' kselftest-after.log | wc -l
82
81

kselftest-before.log
kselftest-after.log

@jainanmol84
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
7c531e1 
jira VULN-46533
cve CVE-2024-53150
commit-author Takashi Iwai <[email protected]>
commit a3dd4d6

The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.  That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal.  When the descriptor
length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.

	Reported-by: Benoît Sevens <[email protected]>
	Cc: <[email protected]>
Link: https://lore.kernel.org/[email protected]
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit a3dd4d6)
	Signed-off-by: Anmol Jain <[email protected]>
@PlaidCat PlaidCat changed the title ALSA: usb-audio: Fix out of bounds reads when finding clock sources [LTS 9.4] ALSA: usb-audio: Fix out of bounds reads when finding clock sources May 2, 2025
bmastbergen
bmastbergen approved these changes May 2, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

PlaidCat
PlaidCat approved these changes May 2, 2025
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat merged commit f794e72 into ciqlts9_4 May 2, 2025
4 checks passed
github-actions bot pushed a commit that referenced this pull request May 23, 2025
@smfrench
smb: client: Fix use-after-free in cifs_fill_dirent
a7a8fe5 
There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.

 ==================================================================
 BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
 Read of size 4 at addr ffff8880099b819c by task a.out/342975

 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x53/0x70
  print_report+0xce/0x640
  kasan_report+0xb8/0xf0
  cifs_fill_dirent+0xb03/0xb60 [cifs]
  cifs_readdir+0x12cb/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7f996f64b9f9
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
 f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8
 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
 RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
  </TASK>

 Allocated by task 408:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  __kasan_slab_alloc+0x6e/0x70
  kmem_cache_alloc_noprof+0x117/0x3d0
  mempool_alloc_noprof+0xf2/0x2c0
  cifs_buf_get+0x36/0x80 [cifs]
  allocate_buffers+0x1d2/0x330 [cifs]
  cifs_demultiplex_thread+0x22b/0x2690 [cifs]
  kthread+0x394/0x720
  ret_from_fork+0x34/0x70
  ret_from_fork_asm+0x1a/0x30

 Freed by task 342979:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  kasan_save_free_info+0x3b/0x60
  __kasan_slab_free+0x37/0x50
  kmem_cache_free+0x2b8/0x500
  cifs_buf_release+0x3c/0x70 [cifs]
  cifs_readdir+0x1c97/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents64+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

 The buggy address belongs to the object at ffff8880099b8000
  which belongs to the cache cifs_request of size 16588
 The buggy address is located 412 bytes inside of
  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)

 The buggy address belongs to the physical page:
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 anon flags: 0x80000000000040(head|node=0|zone=1)
 page_type: f5(slab)
 raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
 head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

POC is available in the link [1].

The problem triggering process is as follows:

Process 1                       Process 2
-----------------------------------------------------------------
cifs_readdir
  /* file->private_data == NULL */
  initiate_cifs_search
    cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
    smb2_query_dir_first ->query_dir_first()
      SMB2_query_directory
        SMB2_query_directory_init
        cifs_send_recv
        smb2_parse_query_directory
          srch_inf->ntwrk_buf_start = (char *)rsp;
          srch_inf->srch_entries_start = (char *)rsp + ...
          srch_inf->last_entry = (char *)rsp + ...
          srch_inf->smallBuf = true;
  find_cifs_entry
    /* if (cfile->srch_inf.ntwrk_buf_start) */
    cifs_small_buf_release(cfile->srch_inf // free

                        cifs_readdir  ->iterate_shared()
                          /* file->private_data != NULL */
                          find_cifs_entry
                            /* in while (...) loop */
                            smb2_query_dir_next  ->query_dir_next()
                              SMB2_query_directory
                                SMB2_query_directory_init
                                cifs_send_recv
                                  compound_send_recv
                                    smb_send_rqst
                                    __smb_send_rqst
                                      rc = -ERESTARTSYS;
                                      /* if (fatal_signal_pending()) */
                                      goto out;
                                      return rc
                            /* if (cfile->srch_inf.last_entry) */
                            cifs_save_resume_key()
                              cifs_fill_dirent // UAF
                            /* if (rc) */
                            return -ENOENT;

Fix this by ensuring the return code is checked before using pointers
from the srch_inf.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
Fixes: a364bc0 ("[CIFS] fix saving of resume key before CIFSFindNext")
Cc: [email protected]
Reviewed-by: Paulo Alcantara (Red Hat) <[email protected]>
Signed-off-by: Wang Zhaolong <[email protected]>
Signed-off-by: Steve French <[email protected]>
github-actions bot pushed a commit that referenced this pull request May 30, 2025
@gregkh
smb: client: Fix use-after-free in cifs_fill_dirent
9bea368 
commit a7a8fe5 upstream.

There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.

 ==================================================================
 BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
 Read of size 4 at addr ffff8880099b819c by task a.out/342975

 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x53/0x70
  print_report+0xce/0x640
  kasan_report+0xb8/0xf0
  cifs_fill_dirent+0xb03/0xb60 [cifs]
  cifs_readdir+0x12cb/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7f996f64b9f9
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
 f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8
 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
 RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
  </TASK>

 Allocated by task 408:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  __kasan_slab_alloc+0x6e/0x70
  kmem_cache_alloc_noprof+0x117/0x3d0
  mempool_alloc_noprof+0xf2/0x2c0
  cifs_buf_get+0x36/0x80 [cifs]
  allocate_buffers+0x1d2/0x330 [cifs]
  cifs_demultiplex_thread+0x22b/0x2690 [cifs]
  kthread+0x394/0x720
  ret_from_fork+0x34/0x70
  ret_from_fork_asm+0x1a/0x30

 Freed by task 342979:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  kasan_save_free_info+0x3b/0x60
  __kasan_slab_free+0x37/0x50
  kmem_cache_free+0x2b8/0x500
  cifs_buf_release+0x3c/0x70 [cifs]
  cifs_readdir+0x1c97/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents64+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

 The buggy address belongs to the object at ffff8880099b8000
  which belongs to the cache cifs_request of size 16588
 The buggy address is located 412 bytes inside of
  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)

 The buggy address belongs to the physical page:
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 anon flags: 0x80000000000040(head|node=0|zone=1)
 page_type: f5(slab)
 raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
 head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

POC is available in the link [1].

The problem triggering process is as follows:

Process 1                       Process 2
-----------------------------------------------------------------
cifs_readdir
  /* file->private_data == NULL */
  initiate_cifs_search
    cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
    smb2_query_dir_first ->query_dir_first()
      SMB2_query_directory
        SMB2_query_directory_init
        cifs_send_recv
        smb2_parse_query_directory
          srch_inf->ntwrk_buf_start = (char *)rsp;
          srch_inf->srch_entries_start = (char *)rsp + ...
          srch_inf->last_entry = (char *)rsp + ...
          srch_inf->smallBuf = true;
  find_cifs_entry
    /* if (cfile->srch_inf.ntwrk_buf_start) */
    cifs_small_buf_release(cfile->srch_inf // free

                        cifs_readdir  ->iterate_shared()
                          /* file->private_data != NULL */
                          find_cifs_entry
                            /* in while (...) loop */
                            smb2_query_dir_next  ->query_dir_next()
                              SMB2_query_directory
                                SMB2_query_directory_init
                                cifs_send_recv
                                  compound_send_recv
                                    smb_send_rqst
                                    __smb_send_rqst
                                      rc = -ERESTARTSYS;
                                      /* if (fatal_signal_pending()) */
                                      goto out;
                                      return rc
                            /* if (cfile->srch_inf.last_entry) */
                            cifs_save_resume_key()
                              cifs_fill_dirent // UAF
                            /* if (rc) */
                            return -ENOENT;

Fix this by ensuring the return code is checked before using pointers
from the srch_inf.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
Fixes: a364bc0 ("[CIFS] fix saving of resume key before CIFSFindNext")
Cc: [email protected]
Reviewed-by: Paulo Alcantara (Red Hat) <[email protected]>
Signed-off-by: Wang Zhaolong <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
github-actions bot pushed a commit that referenced this pull request Jul 25, 2025
@pcacjr
smb: client: Fix use-after-free in cifs_fill_dirent
0735d72 
JIRA: https://issues.redhat.com/browse/RHEL-96872

commit a7a8fe5
Author: Wang Zhaolong <[email protected]>
Date:   Fri May 16 17:12:55 2025 +0800

    smb: client: Fix use-after-free in cifs_fill_dirent
    
    There is a race condition in the readdir concurrency process, which may
    access the rsp buffer after it has been released, triggering the
    following KASAN warning.
    
     ==================================================================
     BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
     Read of size 4 at addr ffff8880099b819c by task a.out/342975
    
     CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
     Call Trace:
      <TASK>
      dump_stack_lvl+0x53/0x70
      print_report+0xce/0x640
      kasan_report+0xb8/0xf0
      cifs_fill_dirent+0xb03/0xb60 [cifs]
      cifs_readdir+0x12cb/0x3190 [cifs]
      iterate_dir+0x1a1/0x520
      __x64_sys_getdents+0x134/0x220
      do_syscall_64+0x4b/0x110
      entry_SYSCALL_64_after_hwframe+0x76/0x7e
     RIP: 0033:0x7f996f64b9f9
     Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
     f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
     f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8
     RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
     RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
     RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
     RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
     R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
     R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
      </TASK>
    
     Allocated by task 408:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x14/0x30
      __kasan_slab_alloc+0x6e/0x70
      kmem_cache_alloc_noprof+0x117/0x3d0
      mempool_alloc_noprof+0xf2/0x2c0
      cifs_buf_get+0x36/0x80 [cifs]
      allocate_buffers+0x1d2/0x330 [cifs]
      cifs_demultiplex_thread+0x22b/0x2690 [cifs]
      kthread+0x394/0x720
      ret_from_fork+0x34/0x70
      ret_from_fork_asm+0x1a/0x30
    
     Freed by task 342979:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x14/0x30
      kasan_save_free_info+0x3b/0x60
      __kasan_slab_free+0x37/0x50
      kmem_cache_free+0x2b8/0x500
      cifs_buf_release+0x3c/0x70 [cifs]
      cifs_readdir+0x1c97/0x3190 [cifs]
      iterate_dir+0x1a1/0x520
      __x64_sys_getdents64+0x134/0x220
      do_syscall_64+0x4b/0x110
      entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
     The buggy address belongs to the object at ffff8880099b8000
      which belongs to the cache cifs_request of size 16588
     The buggy address is located 412 bytes inside of
      freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
    
     The buggy address belongs to the physical page:
     page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
     head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
     anon flags: 0x80000000000040(head|node=0|zone=1)
     page_type: f5(slab)
     raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
     raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
     head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
     head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
     head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
     head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
     page dumped because: kasan: bad access detected
    
     Memory state around the buggy address:
      ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                 ^
      ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ==================================================================
    
    POC is available in the link [1].
    
    The problem triggering process is as follows:
    
    Process 1                       Process 2
    -----------------------------------------------------------------
    cifs_readdir
      /* file->private_data == NULL */
      initiate_cifs_search
        cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
        smb2_query_dir_first ->query_dir_first()
          SMB2_query_directory
            SMB2_query_directory_init
            cifs_send_recv
            smb2_parse_query_directory
              srch_inf->ntwrk_buf_start = (char *)rsp;
              srch_inf->srch_entries_start = (char *)rsp + ...
              srch_inf->last_entry = (char *)rsp + ...
              srch_inf->smallBuf = true;
      find_cifs_entry
        /* if (cfile->srch_inf.ntwrk_buf_start) */
        cifs_small_buf_release(cfile->srch_inf // free
    
                            cifs_readdir  ->iterate_shared()
                              /* file->private_data != NULL */
                              find_cifs_entry
                                /* in while (...) loop */
                                smb2_query_dir_next  ->query_dir_next()
                                  SMB2_query_directory
                                    SMB2_query_directory_init
                                    cifs_send_recv
                                      compound_send_recv
                                        smb_send_rqst
                                        __smb_send_rqst
                                          rc = -ERESTARTSYS;
                                          /* if (fatal_signal_pending()) */
                                          goto out;
                                          return rc
                                /* if (cfile->srch_inf.last_entry) */
                                cifs_save_resume_key()
                                  cifs_fill_dirent // UAF
                                /* if (rc) */
                                return -ENOENT;
    
    Fix this by ensuring the return code is checked before using pointers
    from the srch_inf.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
    Fixes: a364bc0 ("[CIFS] fix saving of resume key before CIFSFindNext")
    Cc: [email protected]
    Reviewed-by: Paulo Alcantara (Red Hat) <[email protected]>
    Signed-off-by: Wang Zhaolong <[email protected]>
    Signed-off-by: Steve French <[email protected]>

Signed-off-by: Paulo Alcantara <[email protected]>
github-actions bot pushed a commit that referenced this pull request Jul 30, 2025
@pcacjr
smb: client: Fix use-after-free in cifs_fill_dirent
eb16f2a 
JIRA: https://issues.redhat.com/browse/RHEL-104401

commit a7a8fe5
Author: Wang Zhaolong <[email protected]>
Date:   Fri May 16 17:12:55 2025 +0800

    smb: client: Fix use-after-free in cifs_fill_dirent
    
    There is a race condition in the readdir concurrency process, which may
    access the rsp buffer after it has been released, triggering the
    following KASAN warning.
    
     ==================================================================
     BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
     Read of size 4 at addr ffff8880099b819c by task a.out/342975
    
     CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
     Call Trace:
      <TASK>
      dump_stack_lvl+0x53/0x70
      print_report+0xce/0x640
      kasan_report+0xb8/0xf0
      cifs_fill_dirent+0xb03/0xb60 [cifs]
      cifs_readdir+0x12cb/0x3190 [cifs]
      iterate_dir+0x1a1/0x520
      __x64_sys_getdents+0x134/0x220
      do_syscall_64+0x4b/0x110
      entry_SYSCALL_64_after_hwframe+0x76/0x7e
     RIP: 0033:0x7f996f64b9f9
     Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
     f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
     f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8
     RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
     RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
     RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
     RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
     R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
     R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
      </TASK>
    
     Allocated by task 408:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x14/0x30
      __kasan_slab_alloc+0x6e/0x70
      kmem_cache_alloc_noprof+0x117/0x3d0
      mempool_alloc_noprof+0xf2/0x2c0
      cifs_buf_get+0x36/0x80 [cifs]
      allocate_buffers+0x1d2/0x330 [cifs]
      cifs_demultiplex_thread+0x22b/0x2690 [cifs]
      kthread+0x394/0x720
      ret_from_fork+0x34/0x70
      ret_from_fork_asm+0x1a/0x30
    
     Freed by task 342979:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x14/0x30
      kasan_save_free_info+0x3b/0x60
      __kasan_slab_free+0x37/0x50
      kmem_cache_free+0x2b8/0x500
      cifs_buf_release+0x3c/0x70 [cifs]
      cifs_readdir+0x1c97/0x3190 [cifs]
      iterate_dir+0x1a1/0x520
      __x64_sys_getdents64+0x134/0x220
      do_syscall_64+0x4b/0x110
      entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
     The buggy address belongs to the object at ffff8880099b8000
      which belongs to the cache cifs_request of size 16588
     The buggy address is located 412 bytes inside of
      freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
    
     The buggy address belongs to the physical page:
     page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
     head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
     anon flags: 0x80000000000040(head|node=0|zone=1)
     page_type: f5(slab)
     raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
     raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
     head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
     head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
     head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
     head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
     page dumped because: kasan: bad access detected
    
     Memory state around the buggy address:
      ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                 ^
      ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ==================================================================
    
    POC is available in the link [1].
    
    The problem triggering process is as follows:
    
    Process 1                       Process 2
    -----------------------------------------------------------------
    cifs_readdir
      /* file->private_data == NULL */
      initiate_cifs_search
        cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
        smb2_query_dir_first ->query_dir_first()
          SMB2_query_directory
            SMB2_query_directory_init
            cifs_send_recv
            smb2_parse_query_directory
              srch_inf->ntwrk_buf_start = (char *)rsp;
              srch_inf->srch_entries_start = (char *)rsp + ...
              srch_inf->last_entry = (char *)rsp + ...
              srch_inf->smallBuf = true;
      find_cifs_entry
        /* if (cfile->srch_inf.ntwrk_buf_start) */
        cifs_small_buf_release(cfile->srch_inf // free
    
                            cifs_readdir  ->iterate_shared()
                              /* file->private_data != NULL */
                              find_cifs_entry
                                /* in while (...) loop */
                                smb2_query_dir_next  ->query_dir_next()
                                  SMB2_query_directory
                                    SMB2_query_directory_init
                                    cifs_send_recv
                                      compound_send_recv
                                        smb_send_rqst
                                        __smb_send_rqst
                                          rc = -ERESTARTSYS;
                                          /* if (fatal_signal_pending()) */
                                          goto out;
                                          return rc
                                /* if (cfile->srch_inf.last_entry) */
                                cifs_save_resume_key()
                                  cifs_fill_dirent // UAF
                                /* if (rc) */
                                return -ENOENT;
    
    Fix this by ensuring the return code is checked before using pointers
    from the srch_inf.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
    Fixes: a364bc0 ("[CIFS] fix saving of resume key before CIFSFindNext")
    Cc: [email protected]
    Reviewed-by: Paulo Alcantara (Red Hat) <[email protected]>
    Signed-off-by: Wang Zhaolong <[email protected]>
    Signed-off-by: Steve French <[email protected]>

Signed-off-by: Paulo Alcantara <[email protected]>
bmastbergen pushed a commit to bmastbergen/kernel-src-tree that referenced this pull request Aug 29, 2025
@PlaidCat
selftests/bpf: Add mprog API tests for BPF tcx opts
78b9f42 
jira LE-1907
Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4
commit-author Daniel Borkmann <[email protected]>
commit cd13c91

Add a big batch of test coverage to assert all aspects of the tcx opts
attach, detach and query API:

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ctrliq#238     tc_opts_after:OK
  ctrliq#239     tc_opts_append:OK
  ctrliq#240     tc_opts_basic:OK
  ctrliq#241     tc_opts_before:OK
  ctrliq#242     tc_opts_chain_classic:OK
  ctrliq#243     tc_opts_demixed:OK
  ctrliq#244     tc_opts_detach:OK
  ctrliq#245     tc_opts_detach_after:OK
  ctrliq#246     tc_opts_detach_before:OK
  ctrliq#247     tc_opts_dev_cleanup:OK
  ctrliq#248     tc_opts_invalid:OK
  ctrliq#249     tc_opts_mixed:OK
  ctrliq#250     tc_opts_prepend:OK
  ctrliq#251     tc_opts_replace:OK
  ctrliq#252     tc_opts_revision:OK
  Summary: 15/0 PASSED, 0 SKIPPED, 0 FAILED

	Signed-off-by: Daniel Borkmann <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Alexei Starovoitov <[email protected]>
(cherry picked from commit cd13c91)
	Signed-off-by: Jonathan Maple <[email protected]>
bmastbergen pushed a commit to bmastbergen/kernel-src-tree that referenced this pull request Aug 29, 2025
@PlaidCat
selftests/bpf: Add various more tcx test cases
1bd1f2d 
jira LE-1907
Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4
commit-author Daniel Borkmann <[email protected]>
commit ccd9a8b

Add several new tcx test cases to improve test coverage. This also includes
a few new tests with ingress instead of clsact qdisc, to cover the fix from
commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free").

  # ./test_progs -t tc
  [...]
  ctrliq#234     tc_links_after:OK
  ctrliq#235     tc_links_append:OK
  ctrliq#236     tc_links_basic:OK
  ctrliq#237     tc_links_before:OK
  ctrliq#238     tc_links_chain_classic:OK
  ctrliq#239     tc_links_chain_mixed:OK
  ctrliq#240     tc_links_dev_cleanup:OK
  ctrliq#241     tc_links_dev_mixed:OK
  ctrliq#242     tc_links_ingress:OK
  ctrliq#243     tc_links_invalid:OK
  ctrliq#244     tc_links_prepend:OK
  ctrliq#245     tc_links_replace:OK
  ctrliq#246     tc_links_revision:OK
  ctrliq#247     tc_opts_after:OK
  ctrliq#248     tc_opts_append:OK
  ctrliq#249     tc_opts_basic:OK
  ctrliq#250     tc_opts_before:OK
  ctrliq#251     tc_opts_chain_classic:OK
  ctrliq#252     tc_opts_chain_mixed:OK
  ctrliq#253     tc_opts_delete_empty:OK
  ctrliq#254     tc_opts_demixed:OK
  ctrliq#255     tc_opts_detach:OK
  ctrliq#256     tc_opts_detach_after:OK
  ctrliq#257     tc_opts_detach_before:OK
  ctrliq#258     tc_opts_dev_cleanup:OK
  ctrliq#259     tc_opts_invalid:OK
  ctrliq#260     tc_opts_mixed:OK
  ctrliq#261     tc_opts_prepend:OK
  ctrliq#262     tc_opts_replace:OK
  ctrliq#263     tc_opts_revision:OK
  [...]
  Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED

	Signed-off-by: Daniel Borkmann <[email protected]>
Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net
	Signed-off-by: Martin KaFai Lau <[email protected]>
(cherry picked from commit ccd9a8b)
	Signed-off-by: Jonathan Maple <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PlaidCat PlaidCat PlaidCat approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@bmastbergen bmastbergen Awaiting requested review from bmastbergen

@thefossguy-ciq thefossguy-ciq Awaiting requested review from thefossguy-ciq

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jainanmol84 @PlaidCat @bmastbergen