Bug 544417 - cifs: possible NULL pointer dereference in mount-time DFS referral chasing code
Summary: cifs: possible NULL pointer dereference in mount-time DFS referral chasing code
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.5
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Jeff Layton
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 526950 545984
 
Reported: 2009-12-04 20:28 UTC by Jeff Layton
Modified: 2018-10-27 13:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 545984
Environment:
Last Closed: 2010-03-30 07:18:28 UTC
Target Upstream Version:
Embargoed:


Attachments
patch -- zero out relevant pointers before chasing DFS referral (2.07 KB, patch)
2009-12-04 20:28 UTC, Jeff Layton


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0178 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.5 kernel security and bug fix update 2010-03-29 12:18:21 UTC

Description Jeff Layton 2009-12-04 20:28:46 UTC
Created attachment 376194
patch -- zero out relevant pointers before chasing DFS referral

The upstream mailing list got a report of some oopses when attempting to chase a DFS referral at mount time if net connectivity to the referral target was spotty.

After some code analysis, I came up with the attached patch that's being pushed to -stable. I think we want the same patch in 5.5.

The upstream thread on this starts here:

http://lists.samba.org/archive/linux-cifs-client/2009-December/005428.html

Comment 1 RHEL Program Management 2009-12-04 20:51:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Jeff Layton 2009-12-07 13:14:58 UTC
This is reproducible:

Basically you need 2 SMB servers, one has a DFS referral that points to the other server. You'll need an account on the first server (the referrer) but be unable to log into the second server (the referee) with the same account.

Try to mount the DFS referral and it will fail with EPERM or something similar. The cifsd kernel thread will still be running however and can't be shut down. What happens in this situation is that a new pSesInfo pointer is allocated on top of the old one, but in the cleanup phase that isn't put. Instead, the old tcon pointer is put again, which corrupts memory and leaves the new SMB and TCP sessions dangling.
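
The sequence in comment 2, as an added C model of the refcount lifecycle (my illustration, not the kernel's cifs code or the attached patch): hypothetical obj_get/obj_put helpers stand in for the cifs get/put routines, a parent link models a tcon put releasing its SMB and TCP sessions, and the zero_before_chase flag selects the fix of NULLing the pointers after the put.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified model; not the cifs code. Each object is a
 * refcounted TCP session, SMB session or tree connection (tcon); when one
 * is freed its parent is put as well. */
struct obj { int refs; bool freed; struct obj *parent; };
struct outcome {
    int double_puts;   /* puts on an already freed object: memory corruption */
    int live;          /* objects still referenced after the failed mount */
};

static struct obj *obj_get(struct obj *o) { o->refs++; return o; }
static void obj_put(struct obj *o, struct outcome *out)
{
    if (o->freed) { out->double_puts++; return; }
    if (--o->refs == 0) { o->freed = true; if (o->parent) obj_put(o->parent, out); }
}

/* Failure cleanup: release the highest-level object whose pointer is set. */
static void mount_fail_check(struct obj *tcp, struct obj *ses, struct obj *tcon,
                             struct outcome *out)
{
    if (tcon) obj_put(tcon, out);
    else if (ses) obj_put(ses, out);
    else if (tcp) obj_put(tcp, out);
}

/* Mount that chases one DFS referral and is refused by the referral target.
 * zero_before_chase == true models the patch: pointers NULLed after the put. */
struct outcome simulate_mount(bool zero_before_chase)
{
    struct obj o[4] = {{0}};   /* 0:tcp 1:ses 2:tcon of referrer, 3:tcp of referee */
    struct outcome out = {0, 0};
    struct obj *tcp, *ses, *tcon;
    int i;

    o[1].parent = &o[0]; o[2].parent = &o[1];
    tcp = obj_get(&o[0]); ses = obj_get(&o[1]); tcon = obj_get(&o[2]); /* referrer */
    obj_put(tcon, &out);             /* referral found: drop referrer's refs, retry */
    if (zero_before_chase)
        tcp = ses = tcon = NULL;
    tcp = obj_get(&o[3]);            /* TCP session to the referee succeeds... */
    ses = NULL;                      /* ...but session setup is refused (EPERM) */
    mount_fail_check(tcp, ses, tcon, &out);  /* stale tcon put again if not zeroed */

    for (i = 0; i < 4; i++)
        if (o[i].refs > 0) out.live++;   /* referee's TCP session left dangling */
    return out;
}
```

With the bug the stale tcon is put a second time and the new TCP session is never released, which is the still-running cifsd thread described above; with the pointers zeroed, cleanup puts exactly the one object that was acquired.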

Comment 4 Don Zickus 2009-12-11 19:32:04 UTC
in kernel-2.6.18-179.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please update the appropriate value in the Verified field
(cf_verified) to indicate this fix has been successfully
verified. Include a comment with verification details.

Comment 6 yanfu,wang 2010-02-21 05:21:34 UTC
Hard to reproduce, only did a code review.

Comment 8 errata-xmlrpc 2010-03-30 07:18:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html

