CVE-2024-53186

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in ksmbd_conn_handler_loop() and the freeing of ksmbd_conn in the workqueue handler handle_ksmbd_work(). This leads to a UAF.

  • KASAN: slab-use-after-free Read in handle_ksmbd_work
  • KASAN: slab-use-after-free in rtlock_slowlock_locked

This race condition arises as follows:

  • ksmbd_conn_handler_loop() waits for conn->r_count to reach zero: wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);
  • Meanwhile, handle_ksmbd_work() decrements conn->r_count using atomic_dec_return(&conn->r_count), and if it reaches zero, calls ksmbd_conn_free(), which frees conn.
  • However, after handle_ksmbd_work() decrements conn->r_count, it may still access conn->r_count_q in the following line: waitqueue_active(&conn->r_count_q) or wake_up(&conn->r_count_q) This results in a UAF, as conn has already been freed.

The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux18f06bacc197d4ac9b518ad1c69999bc3d83e7aa < a96f9eb7add30ba0fafcfe7b7aca090978196800affected
LinuxLinuxe9dac92f4482a382e8c0fe1bc243da5fc3526b0c < f20b77f7897e6aab9ce5527e6016ad2be5d70a33affected
LinuxLinuxee426bfb9d09b29987369b897fe9b6485ac2be27 < 96261adb998a3b513468b6ce17dbec76be5507d4affected
LinuxLinuxee426bfb9d09b29987369b897fe9b6485ac2be27 < 9a8c5d89d327ff58e9b2517f8a6afb4181d32c6eaffected
LinuxLinux9fd3cde4628bcd3549ab95061f2bab74d2ed4f3baffected
LinuxLinux6.6.55 < 6.6.64affected
LinuxLinux6.11.3 < 6.11.11affected
LinuxLinux6.10.14 < 6.11affected
LinuxLinux6.12affected
LinuxLinux0 < 6.12unaffected
LinuxLinux6.6.64 <= 6.6.*unaffected
LinuxLinux6.11.11 <= 6.11.*unaffected
LinuxLinux6.12.2 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References