Bug 255881 - [PATCH] netsmb: Fix a use after free in smb_t2_request_int
Summary: [PATCH] netsmb: Fix a use after free in smb_t2_request_int
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-14 14:28 UTC by lylgood
Modified: 2021-06-02 13:38 UTC (History)

See Also:


Attachments
adds a variable "sr_flags" to avoid the uaf bug. (798 bytes, patch)
2021-05-14 14:28 UTC, lylgood

Description lylgood 2021-05-14 14:28:37 UTC
Created attachment 224944 [details]
adds a variable "sr_flags" to avoid the uaf bug.

Bug File: sys/netsmb/smb_rq.c

In function smb_t2_request_int, rqp is allocated by smb_rq_alloc(..., &rqp) with the flag SMBR_ALLOCED set. In the freerq branch of smb_t2_request_int, smb_rq_done() is called to free the rqp. But later, the freed rqp is dereferenced by rqp->sr_flags, which is a UAF bug.

My patch adds a variable "sr_flags" to avoid the uaf bug.
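The ordering problem described above, as an added illustration that is not code from the PR or from sys/netsmb: the struct, the flag values and the function names are a hypothetical mock-up, and the mock "done" routine scrubs the flags instead of calling free() so the stale read is deterministic rather than undefined behaviour. It shows the buggy free-then-read order next to the two safe orderings (the committed fix, which defers the free, and the attachment's approach, which copies the flags first).

```c
#include <stdlib.h>

/* Constructed flag values; not the real netsmb definitions. */
#define SMBR_ALLOCED 0x01   /* request was allocated by smb_rq_alloc() */
#define SMBR_RETRY   0x02   /* hypothetical "retry this request" flag */

/* Hypothetical stand-in for the netsmb request structure. */
struct mock_rq {
    int sr_flags;
    int freed;
};

/* Mock of smb_rq_done(): records the release and scrubs the flags, so a
 * read through the pointer afterwards visibly returns garbage (here 0). */
static void mock_rq_done(struct mock_rq *rqp)
{
    rqp->freed = 1;
    rqp->sr_flags = 0;
}

/* Buggy ordering from the report: free first, then read rqp->sr_flags.
 * Returns 1 if the caller would retry the request. */
int buggy_retry_decision(struct mock_rq *rqp)
{
    mock_rq_done(rqp);
    return (rqp->sr_flags & SMBR_RETRY) != 0;   /* read after free */
}

/* Committed fix: decide about the retry first, free afterwards. */
int fixed_retry_decision(struct mock_rq *rqp)
{
    int retry = (rqp->sr_flags & SMBR_RETRY) != 0;
    mock_rq_done(rqp);
    return retry;
}

/* Attachment's approach: copy the flags into a local before freeing. */
int copy_flags_retry_decision(struct mock_rq *rqp)
{
    int sr_flags = rqp->sr_flags;
    mock_rq_done(rqp);
    return (sr_flags & SMBR_RETRY) != 0;
}

/* Run one variant on a request that should be retried (constructed input). */
int run_scenario(int (*decide)(struct mock_rq *))
{
    struct mock_rq rq = { SMBR_ALLOCED | SMBR_RETRY, 0 };
    return decide(&rq);
}
```

With the buggy order the retry request is silently lost (the read sees the scrubbed value), which is the behavioural symptom of the bug even before a sanitizer flags the invalid access.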
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2021-05-26 13:57:27 UTC
I think we can just move the smb_rq_done() call later instead of introducing a new flag variable.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-05-26 14:50:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=771e95d2e2ee1b60539f1273c62837b48249590a

commit 771e95d2e2ee1b60539f1273c62837b48249590a
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 14:45:40 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:35:43 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a9ff49e0288b8844ddc6fb2a278ec652908d30cc

commit a9ff49e0288b8844ddc6fb2a278ec652908d30cc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:34:47 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

    (cherry picked from commit 771e95d2e2ee1b60539f1273c62837b48249590a)

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:37:48 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=138c9932888f5d0f331a675ec1fa925fcb707976

commit 138c9932888f5d0f331a675ec1fa925fcb707976
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:37:06 +0000

    netsmb: Avoid a read-after-free in smb_t2_request_int()

    Defer freeing the request structure until we've decided whether the
    request should be retried.

    PR:             255881
    MFC after:      1 week

    (cherry picked from commit 771e95d2e2ee1b60539f1273c62837b48249590a)

 sys/netsmb/smb_rq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)