From: Sean Heelan <seanheelan@gmail.com> mainline inclusion from mainline-v6.15-rc5 commit e86e9134e1d1c90a960dd57f59ce574d27b9a124 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/10609 CVE: CVE-2025-37778 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c fs/smb/server/auth.c fs/ksmbd/auth.c [mainline commit 38c8a9a52082 changed the file name] [mainline commit 1e440d5b25b7 still has issues] Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com> --- fs/ksmbd/auth.c | 14 +++++++++++++- fs/ksmbd/smb2pdu.c | 3 --- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c index d8dabd19823f..c5916064b85e 100644 --- a/fs/ksmbd/auth.c +++ b/fs/ksmbd/auth.c @@ -514,7 +514,19 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob, retval = -ENOMEM; goto out; } - sess->user = user; + + if (!sess->user) { + /* First successful authentication */ + sess->user = user; + } else { + if (!ksmbd_compare_user(sess->user, user)) { + ksmbd_debug(AUTH, "different user tried to reuse session\n"); + retval = -EPERM; + ksmbd_free_user(user); + goto out; + } + ksmbd_free_user(user); + } memcpy(sess->sess_key, resp->payload, resp->session_key_len); memcpy(out_blob, resp->payload + resp->session_key_len, diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 13f2a81d3621..1588867b4e71 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1612,9 +1612,6 @@ static int krb5_authenticate(struct ksmbd_work *work, if (prev_sess_id && prev_sess_id != sess->id) destroy_previous_session(conn, sess->user, prev_sess_id); - if (sess->state == SMB2_SESSION_VALID) - ksmbd_free_user(sess->user); - retval = ksmbd_krb5_authenticate(sess, in_blob, in_len, out_blob, &out_len); if (retval) { -- 2.39.2