CIFS: fix use-after-free of the lease keys

The request buffers are freed right before copying the pointers. Use the func args instead which are identical and still valid. Simple reproducer (requires KASAN enabled) on a cifs mount: echo foo > foo ; tail -f foo & rm foo Cc: <[email protected]> # 4.20 Fixes: 179e44d ("smb3: add tracepoint for sending lease break responses to server") Signed-off-by: Aurelien Aptel <[email protected]> Signed-off-by: Steve French <[email protected]> Reviewed-by: Paulo Alcantara <[email protected]>
adn770 · Jan 31, 2019 · d339adc · d339adc
1 parent 082aaa8
commit d339adc
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
@@ -4441,8 +4441,8 @@ SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
 	rc = cifs_send_recv(xid, ses, &rqst, &resp_buf_type, flags, &rsp_iov);
 	cifs_small_buf_release(req);
 
-	please_key_low = (__u64 *)req->LeaseKey;
-	please_key_high = (__u64 *)(req->LeaseKey+8);
+	please_key_low = (__u64 *)lease_key;
+	please_key_high = (__u64 *)(lease_key+8);
 	if (rc) {
 		cifs_stats_fail_inc(tcon, SMB2_OPLOCK_BREAK_HE);
 		trace_smb3_lease_err(le32_to_cpu(lease_state), tcon->tid,