Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir

[Paulo Alcantara]

Wang Zhaolong <wangzhaolong1@xxxxxxxxxx> writes:

> V2:
>   - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
>   - The titles of patches follow the same style.
>
> This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> client readdir implementation that can be triggered during concurrent
> directory reads when a signal interrupts directory enumeration.
>
> The root cause is in the operation sequence in find_cifs_entry():
> 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> 2. The code continues to access last_entry pointer before checking the return code
> 3. This can access freed memory since the buffer may have been released
>
> The race condition can be triggered by processes accessing the same directory
> with concurrent readdir operations, especially when signals are involved.
>
> The fix is straightforward:
> 1. First patch ensures we check the return code before using any pointers
> 2. Second patch improves defensiveness by resetting all related buffer pointers
>    when freeing the network buffer
>
> Wang Zhaolong (2):
>   smb: client: Fix use-after-free in cifs_fill_dirent
>   smb: client: Reset all search buffer pointers when releasing buffer
>
>  fs/smb/client/readdir.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Reviewed-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>