Bug 255881

Summary: [PATCH] netsmb: Fix a use after free in smb_t2_request_int
Product:   Base System            Reporter:  lylgood
Component: kern                   Assignee:  Mark Johnston <markj>
Status:    Closed FIXED
Severity:  Affects Many People    CC:        emaste, markj
Priority:  ---
Version:   CURRENT
Hardware:  Any
OS:        Any
Attachments:
  Description                                         Flags
  adds a variable "sr_flags" to avoid the uaf bug.    none

Description lylgood 2021-05-14 14:28:37 UTC
Created attachment 224944 [details]
adds a variable "sr_flags" to avoid the uaf bug.

Bug File: sys/netsmb/smb_rq.c

In function smb_t2_request_int, rqp is allocated by smb_rq_alloc(..., &rqp) with the SMBR_ALLOCED flag set. In the freerq branch of smb_t2_request_int, smb_rq_done() is called to free rqp. But later, the freed rqp is dereferenced via rqp->sr_flags, which is a use-after-free (UAF) bug.

My patch adds a variable "sr_flags" to avoid the uaf bug.
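The ordering problem described in the report, as an added example that is not code from the report, the attached patch, or FreeBSD's sys/netsmb/smb_rq.c: a minimal C model in which the request structure is released before its sr_flags are read, beside the reordered version that the fix's commit message describes (decide about the retry first, then free). The flag values, the sr_error field, the restart decision and the poisoning done by req_done() are assumptions for illustration; the model poisons the fields instead of calling free() so that the stale read is deterministic rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Simplified model of PR 255881. Added example code, not the netsmb driver.
 * Flag values, the sr_error field and the retry logic are assumed.
 */
#define SMBR_ALLOCED 0x01   /* structure was allocated by the request code itself */
#define SMBR_RESTART 0x02   /* reply indicates the request should be retried */

/* Bit 0x02 is clear in the poison value, so RESTART "disappears" after the free. */
#define POISON 0xDEAD

struct smb_req {
	int  sr_flags;
	int  sr_error;   /* assumed: error status carried by the reply */
	bool freed;      /* bookkeeping for this model only */
};

/*
 * Model of smb_rq_done(): release the structure if it was allocated by the
 * request code. A real free() would make any later read undefined behaviour;
 * the model poisons instead, which is what a reader of freed memory typically
 * sees once the allocator has reused or trashed the slab.
 */
static void req_done(struct smb_req *rqp)
{
	if (rqp->sr_flags & SMBR_ALLOCED) {
		rqp->sr_flags = POISON;
		rqp->sr_error = POISON;
		rqp->freed = true;
	}
}

/* Buggy ordering: free first, then consult sr_flags of the freed object. */
static int restart_decision_buggy(struct smb_req *rqp, int error)
{
	int restart = 0;

	req_done(rqp);                                /* rqp is released here ... */
	if (error && (rqp->sr_flags & SMBR_RESTART))  /* ... but still read here */
		restart = 1;
	return restart;
}

/* Fixed ordering: decide whether to retry while rqp is alive, then free it. */
static int restart_decision_fixed(struct smb_req *rqp, int error)
{
	int restart = 0;

	if (error && (rqp->sr_flags & SMBR_RESTART))
		restart = 1;
	req_done(rqp);                                /* nothing touches rqp after this */
	return restart;
}

/* Build a request with the given flags and run one of the two variants. */
static int run_case(int flags, int error, bool buggy)
{
	struct smb_req rq = { flags, 0, false };

	return buggy ? restart_decision_buggy(&rq, error)
		     : restart_decision_fixed(&rq, error);
}

int main(void)
{
	int flags = SMBR_ALLOCED | SMBR_RESTART;

	/* Constructed case: failed request whose reply asked for a retry. */
	printf("buggy order: restart=%d\n", run_case(flags, 5, true));
	printf("fixed order: restart=%d\n", run_case(flags, 5, false));
	return 0;
}
```

With the buggy order the retry flag is read from poisoned memory and the retry is silently lost; in a real kernel the read could just as well return a stale value that triggers a spurious retry, or trap if the page is unmapped. A request that was not allocated by the request code (SMBR_ALLOCED clear) is never freed by req_done(), which is why the original order only misbehaves on the SMBR_ALLOCED path the report singles out.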
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2021-05-26 13:57:27 UTC
I think we can just move the smb_rq_done() call later instead of introducing a new flag variable.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-05-26 14:50:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=771e95d2e2ee1b60539f1273c62837b48249590a

commit 771e95d2e2ee1b60539f1273c62837b48249590a
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 14:45:40 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:35:43 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a9ff49e0288b8844ddc6fb2a278ec652908d30cc

commit a9ff49e0288b8844ddc6fb2a278ec652908d30cc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:34:47 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

    (cherry picked from commit 771e95d2e2ee1b60539f1273c62837b48249590a)

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:37:48 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=138c9932888f5d0f331a675ec1fa925fcb707976

commit 138c9932888f5d0f331a675ec1fa925fcb707976
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:37:06 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

    (cherry picked from commit 771e95d2e2ee1b60539f1273c62837b48249590a)

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)