[SRU][F/J][PATCH 0/1] CVE-2023-52752
Yuxuan Luo
yuxuan.luo at canonical.com
Wed Jun 26 21:39:40 UTC 2024
[Impact]
A potential use-after-free may occur in the smb subsystem when the server is
dumping debug information while a session is tearing down. This
vulnerability leads to memory corruption and a system crash.
[Backport]
The fix relies on ses->ses_status and ses->ses_lock, neither of which exists
in the affected kernels, which makes it hard to backport directly.
The ses_lock was added in d7d7a66aacd6 (“cifs: avoid use of global locks
for high contention data”) in order to increase lock granularity and improve
performance; therefore, it is viable to stay with the old global lock
GlobalMid_Lock.
For ses_status, dd3cd8709ed5 (“cifs: use new enum for ses_status”)
specified SES_EXITING instead of CifsExiting under the session context,
which means they can be used interchangeably here.
According to the fix commit message, the spin lock is used to protect
against a use-after-free on the ses->* fields; hence, place the spin_lock()
pair around the if ((ses->serverDomain == NULL) || ...) branch and its else
branch.
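The following is an added user-space model of the locking pattern the backport applies; it is not the kernel's cifs code. The names ses_status, SES_EXITING, serverDomain and GlobalMid_Lock mirror the symbols discussed above, but the functions ses_add(), ses_teardown() and debug_dump() are assumptions made for the illustration. It shows why the dumper must take the same lock that teardown holds while it frees ses->* fields, and skip sessions already marked exiting, before it dereferences serverDomain.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not kernel code: SES_EXITING stands in for CifsExiting. */
enum ses_status { SES_GOOD, SES_EXITING };

struct cifs_ses {
	enum ses_status ses_status;
	char *serverDomain;        /* freed while the session tears down */
	struct cifs_ses *next;
};

static struct cifs_ses *ses_list;   /* head of the session list */
static int global_mid_lock_held;    /* single-threaded stand-in for GlobalMid_Lock */

static void global_mid_lock(void)
{
	if (global_mid_lock_held)
		abort();                  /* re-entrant take would be a bug */
	global_mid_lock_held = 1;
}

static void global_mid_unlock(void)
{
	global_mid_lock_held = 0;
}

/* Create a session and link it at the head of the list; domain may be NULL. */
struct cifs_ses *ses_add(const char *domain)
{
	struct cifs_ses *ses = calloc(1, sizeof(*ses));

	if (!ses)
		abort();
	ses->ses_status = SES_GOOD;
	ses->serverDomain = domain ? strdup(domain) : NULL;
	ses->next = ses_list;
	ses_list = ses;
	return ses;
}

/*
 * Teardown: mark the session exiting and free its strings under the same
 * lock the dumper takes. The session stays linked until a later unlink,
 * which is exactly the window the dumper has to tolerate.
 */
void ses_teardown(struct cifs_ses *ses)
{
	global_mid_lock();
	ses->ses_status = SES_EXITING;
	free(ses->serverDomain);
	ses->serverDomain = NULL;
	global_mid_unlock();
}

/*
 * Dumper modelled on cifs_debug_data_proc_show(): walk the list under the
 * lock, skip exiting sessions, and only then read serverDomain.
 * Returns the number of sessions written into buf.
 */
int debug_dump(char *buf, size_t len)
{
	struct cifs_ses *ses;
	size_t off = 0;
	int dumped = 0;

	buf[0] = '\0';
	global_mid_lock();
	for (ses = ses_list; ses; ses = ses->next) {
		int n;

		if (ses->ses_status == SES_EXITING)
			continue;             /* teardown owns ses->* now */
		if (ses->serverDomain == NULL)
			n = snprintf(buf + off, len - off, "session: domain=(none)\n");
		else
			n = snprintf(buf + off, len - off, "session: domain=%s\n",
				     ses->serverDomain);
		if (n < 0 || (size_t)n >= len - off)
			break;                /* output buffer full */
		off += (size_t)n;
		dumped++;
	}
	global_mid_unlock();
	return dumped;
}

int main(void)
{
	char buf[256];
	struct cifs_ses *lab;

	ses_add("CORP");              /* constructed sample sessions */
	lab = ses_add("LAB");
	ses_add(NULL);
	printf("dumped %d sessions:\n%s", debug_dump(buf, sizeof buf), buf);
	ses_teardown(lab);
	printf("dumped %d after teardown:\n%s", debug_dump(buf, sizeof buf), buf);
	return 0;
}
```

Without the status check and lock, the dump would read a serverDomain pointer that teardown may already have freed; with both, a session in teardown is simply skipped and a live session with no domain is reported rather than dereferenced.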
[Test]
Tested using ksmbd-tools:
```
cd /home/ubuntu
mkdir -p /home/ubuntu/MyShare
# Export the directory as a writable share for the test user
sudo ksmbd.addshare --add \
  --option "path = /home/ubuntu/MyShare" \
  --option 'read only = no' \
  --option 'force user = ubuntu' \
  --option 'force group = ubuntu' \
  MyShare
sudo ksmbd.adduser --add MyUser --password ubuntu
sudo ksmbd.mountd
sudo mount -o vers=3 -o pass=ubuntu -o user=MyUser //127.0.0.1/MyShare /mnt
# Write through the exported directory, read back through the mount
echo 'hello smb' > ./MyShare/smb.txt
res=$(cat /mnt/smb.txt)
if [ "$res" = "hello smb" ]; then
  echo "==== TEST SUCCESS ===="
else
  echo "==== TEST FAILS: $res ===="
fi
```
[Where things could go wrong]
The SMB server might crash when dumping debug information.
Paulo Alcantara (1):
smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
fs/cifs/cifs_debug.c | 6 ++++++
1 file changed, 6 insertions(+)
--
2.34.1