CVE-2024-53179
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free of signing key
Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race:
task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() UAF
Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 32811d242ff6f28da2ab18c90a15e32fd958e774 < 39619c65ab4bbb3e78c818f537687653e112764d | affected |
| Linux | Linux | 32811d242ff6f28da2ab18c90a15e32fd958e774 < 0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591 | affected |
| Linux | Linux | 32811d242ff6f28da2ab18c90a15e32fd958e774 < 343d7fe6df9e247671440a932b6a73af4fa86d95 | affected |
| Linux | Linux | 3.12 | affected |
| Linux | Linux | 0 < 3.12 | unaffected |
| Linux | Linux | 6.6.70 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.2 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/39619c65ab4bbb3e78c818f537687653e112764d
- https://git.kernel.org/stable/c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591
- https://git.kernel.org/stable/c/343d7fe6df9e247671440a932b6a73af4fa86d95
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.