Re: [PATCH] fs: smb: client: Reset password pointer to NULL

From: Steve French
Date: Sat Feb 10 2024 - 00:46:28 EST

Next message: Vimal Kumar: "[PATCH v5] PM / sleep: Mechanism to find source aborting kernel suspend transition"
Previous message: Randy Dunlap: "[PATCH] fbdev/sh7760fb: allow modular build"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 18, 2024 at 1:44 AM Fullway Wang <fullwaywang@xxxxxxxxxxx> wrote:
>
> ctx->password was freed but not reset to NULL, which may lead to double
> free and secrets leak issues.

But no one else could use this pointer to double free this since it is
allocated in this function, and exits a few lines after it is freed
(and its parent is freed on the next line so the pointer could not be
accessed either)

> This is similar to CVE-2023-5345, which was fixed in commit e6e43b8.
>
> Signed-off-by: Fullway Wang <fullwaywang@xxxxxxxxxxx>
> ---
> fs/smb/client/connect.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
> index 3052a208c6ca..fb96a234b9b1 100644
> --- a/fs/smb/client/connect.c
> +++ b/fs/smb/client/connect.c
> @@ -4028,6 +4028,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid)
> out:
> kfree(ctx->username);
> kfree_sensitive(ctx->password);
> + ctx->password = NULL;
> kfree(ctx);
>
> return tcon;
> --
> 2.39.3 (Apple Git-145)
>
>

--
Thanks,

Steve

Next message: Vimal Kumar: "[PATCH v5] PM / sleep: Mechanism to find source aborting kernel suspend transition"
Previous message: Randy Dunlap: "[PATCH] fbdev/sh7760fb: allow modular build"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]