release 6.14.3

2025-04-21 02:06:41 +03:00
parent 0a221c5ce2
commit f2e779751a
83 changed files with 1201 additions and 921 deletions
--- a/debian/patches/patchset-pf/smb/0001-ksmbd-Fix-dangling-pointer-in-krb_authenticate.patch
+++ b/debian/patches/patchset-pf/smb/0001-ksmbd-Fix-dangling-pointer-in-krb_authenticate.patch
@@ -0,0 +1,33 @@
+From c3eedd3e0d50a748c6c520ba00377aba8150c713 Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Mon, 7 Apr 2025 11:26:50 +0000
+Subject: ksmbd: Fix dangling pointer in krb_authenticate
+
+krb_authenticate frees sess->user and does not set the pointer
+to NULL. It calls ksmbd_krb5_authenticate to reinitialise
+sess->user but that function may return without doing so. If
+that happens then smb2_sess_setup, which calls krb_authenticate,
+will be accessing free'd memory when it later uses sess->user.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
+@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmb
+ 	if (prev_sess_id && prev_sess_id != sess->id)
+ 		destroy_previous_session(conn, sess->user, prev_sess_id);
+ 
+-	if (sess->state == SMB2_SESSION_VALID)
+	if (sess->state == SMB2_SESSION_VALID) {
+ 		ksmbd_free_user(sess->user);
+		sess->user = NULL;
+	}
+ 
+ 	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ 					 out_blob, &out_len);