CVE-2024-53186
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in SMB request handling
A race condition exists between SMB request handling in
ksmbd_conn_handler_loop() and the freeing of ksmbd_conn in the
workqueue handler handle_ksmbd_work(). This leads to a UAF.
- KASAN: slab-use-after-free Read in handle_ksmbd_work
- KASAN: slab-use-after-free in rtlock_slowlock_locked
This race condition arises as follows:
ksmbd_conn_handler_loop()waits forconn->r_countto reach zero:wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);- Meanwhile,
handle_ksmbd_work()decrementsconn->r_countusingatomic_dec_return(&conn->r_count), and if it reaches zero, callsksmbd_conn_free(), which freesconn. - However, after
handle_ksmbd_work()decrementsconn->r_count, it may still accessconn->r_count_qin the following line:waitqueue_active(&conn->r_count_q)orwake_up(&conn->r_count_q)This results in a UAF, asconnhas already been freed.
The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 18f06bacc197d4ac9b518ad1c69999bc3d83e7aa < a96f9eb7add30ba0fafcfe7b7aca090978196800 | affected |
| Linux | Linux | e9dac92f4482a382e8c0fe1bc243da5fc3526b0c < f20b77f7897e6aab9ce5527e6016ad2be5d70a33 | affected |
| Linux | Linux | ee426bfb9d09b29987369b897fe9b6485ac2be27 < 96261adb998a3b513468b6ce17dbec76be5507d4 | affected |
| Linux | Linux | ee426bfb9d09b29987369b897fe9b6485ac2be27 < 9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e | affected |
| Linux | Linux | 9fd3cde4628bcd3549ab95061f2bab74d2ed4f3b | affected |
| Linux | Linux | 6.6.55 < 6.6.64 | affected |
| Linux | Linux | 6.11.3 < 6.11.11 | affected |
| Linux | Linux | 6.10.14 < 6.11 | affected |
| Linux | Linux | 6.12 | affected |
| Linux | Linux | 0 < 6.12 | unaffected |
| Linux | Linux | 6.6.64 <= 6.6.* | unaffected |
| Linux | Linux | 6.11.11 <= 6.11.* | unaffected |
| Linux | Linux | 6.12.2 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800
- https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33
- https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4
- https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.