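Vulnerability Title
SMB client: fix potential deadlock when releasing MIDs
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential deadlock when releasing mids
All release_mid() callers appear to hold a reference to @mid, so there is no need to call kref_put(&mid->refcount, __release_mid) under the @server->mid_lock spinlock. If they did not, a use-after-free bug would have occurred anyway.
Removing this spinlock also fixes the potential deadlock shown below: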
CPU 0                              CPU 1
------------------------------------------------------------------
cifs_demultiplex_thread()          cifs_debug_data_proc_show()
 release_mid()
  spin_lock(&server->mid_lock);
                                    spin_lock(&cifs_tcp_ses_lock)
                                     spin_lock(&server->mid_lock)
  __release_mid()
   smb2_find_smb_tcon()
    spin_lock(&cifs_tcp_ses_lock) *deadlock*
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Category
Use After Free
Vulnerability Title
smb: client: fix potential deadlock when releasing mids
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential deadlock when releasing mids
All release_mid() callers seem to hold a reference of @mid so there is
no need to call kref_put(&mid->refcount, __release_mid) under
@server->mid_lock spinlock. If they don't, then a use-after-free bug
would have occurred anyways.
Getting rid of such spinlock also fixes a potential deadlock as
shown below:
CPU 0                              CPU 1
------------------------------------------------------------------
cifs_demultiplex_thread()          cifs_debug_data_proc_show()
 release_mid()
  spin_lock(&server->mid_lock);
                                    spin_lock(&cifs_tcp_ses_lock)
                                     spin_lock(&server->mid_lock)
  __release_mid()
   smb2_find_smb_tcon()
    spin_lock(&cifs_tcp_ses_lock) *deadlock*
CVSS Information
N/A
Vulnerability Category
N/A
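The lock-order inversion in the trace above can be checked mechanically. The following C sketch is an added example, not kernel code and not part of the original advisory: it replays the two call paths as acquire/release events and reports whether they nest the two spinlocks in opposite orders. The event encoding and all function names are assumptions made for illustration, and the paths model only the lock operations shown in the trace.

```c
#include <stdbool.h>
#include <stdio.h>

/* The two spinlocks named in the trace; everything else here is a model. */
enum { MID_LOCK, TCP_SES_LOCK, NLOCKS };
#define ACQ(l) ((l) + 1)      /* event: take lock l */
#define REL(l) (-((l) + 1))   /* event: drop lock l */

/* Replay one code path; edge[a][b] is set when b is taken while a is held. */
static void record_path(bool edge[NLOCKS][NLOCKS], const int *ev, int n)
{
    bool held[NLOCKS] = { false };
    for (int i = 0; i < n; i++) {
        int l = (ev[i] > 0 ? ev[i] : -ev[i]) - 1;
        if (ev[i] > 0)
            for (int h = 0; h < NLOCKS; h++)
                if (held[h])
                    edge[h][l] = true;
        held[l] = ev[i] > 0;
    }
}

/* ABBA check: two paths can deadlock if they nest a lock pair in opposite orders. */
static bool can_deadlock(const int *p, int np, const int *q, int nq)
{
    bool edge[NLOCKS][NLOCKS] = { { false } };
    record_path(edge, p, np);
    record_path(edge, q, nq);
    for (int a = 0; a < NLOCKS; a++)
        for (int b = a + 1; b < NLOCKS; b++)
            if (edge[a][b] && edge[b][a])
                return true;
    return false;
}

/* CPU 1: cifs_debug_data_proc_show() nests mid_lock inside cifs_tcp_ses_lock. */
static const int show[] = { ACQ(TCP_SES_LOCK), ACQ(MID_LOCK), REL(MID_LOCK), REL(TCP_SES_LOCK) };
/* CPU 0 before the fix: __release_mid() -> smb2_find_smb_tcon() under mid_lock. */
static const int rel_old[] = { ACQ(MID_LOCK), ACQ(TCP_SES_LOCK), REL(TCP_SES_LOCK), REL(MID_LOCK) };
/* CPU 0 after the fix: the same call chain with no mid_lock held. */
static const int rel_new[] = { ACQ(TCP_SES_LOCK), REL(TCP_SES_LOCK) };

bool old_release_can_deadlock(void) { return can_deadlock(show, 4, rel_old, 4); }
bool fixed_release_can_deadlock(void) { return can_deadlock(show, 4, rel_new, 2); }

int main(void)
{
    printf("before fix: %d, after fix: %d\n",
           old_release_can_deadlock(), fixed_release_can_deadlock());
    return 0;
}
```

The pairwise check covers the two-lock case in this advisory; longer cycles across three or more locks need a full graph cycle search, which is what the kernel's lockdep validator performs at run time.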
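Vulnerability Title
Linux kernel security vulnerability
Vulnerability Description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that stems from a deadlock issue in the smb:client module.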
CVSS Information
N/A
Vulnerability Category
Other