lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025081654-CVE-2025-38527-c389@gregkh>
Date: Sat, 16 Aug 2025 13:13:58 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38527: smb: client: fix use-after-free in cifs_oplock_break

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in cifs_oplock_break

A race condition can occur in cifs_oplock_break() leading to a
use-after-free of the cinode structure when unmounting:

  cifs_oplock_break()
    _cifsFileInfo_put(cfile)
      cifsFileInfo_put_final()
        cifs_sb_deactive()
          [last ref, start releasing sb]
            kill_sb()
              kill_anon_super()
                generic_shutdown_super()
                  evict_inodes()
                    dispose_list()
                      evict()
                        destroy_inode()
                          call_rcu(&inode->i_rcu, i_callback)
    spin_lock(&cinode->open_file_lock)  <- OK
                            [later] i_callback()
                              cifs_free_inode()
                                kmem_cache_free(cinode)
    spin_unlock(&cinode->open_file_lock)  <- UAF
    cifs_done_oplock_break(cinode)       <- UAF

The issue occurs when umount has already released its reference to the
superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this
releases the last reference, triggering the immediate cleanup of all
inodes under RCU. However, cifs_oplock_break() continues to access the
cinode after this point, resulting in use-after-free.

Fix this by holding an extra reference to the superblock during the
entire oplock break operation. This ensures that the superblock and
its inodes remain valid until the oplock break completes.

The Linux kernel CVE team has assigned CVE-2025-38527 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.1 with commit b98749cac4a695f084a5ff076f4510b23e353ecd and fixed in 6.1.147 with commit 0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
	Issue introduced in 5.1 with commit b98749cac4a695f084a5ff076f4510b23e353ecd and fixed in 6.6.100 with commit 2baaf5bbab2ac474c4f92c10fcb3310f824db995
	Issue introduced in 5.1 with commit b98749cac4a695f084a5ff076f4510b23e353ecd and fixed in 6.12.40 with commit 09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
	Issue introduced in 5.1 with commit b98749cac4a695f084a5ff076f4510b23e353ecd and fixed in 6.15.8 with commit da11bd4b697b393a207f19a2ed7d382a811a3ddc
	Issue introduced in 5.1 with commit b98749cac4a695f084a5ff076f4510b23e353ecd and fixed in 6.16 with commit 705c79101ccf9edea5a00d761491a03ced314210
	Issue introduced in 3.16.72 with commit 2429fcf06d3cb962693868ab0a927c9038f12a2d
	Issue introduced in 4.9.171 with commit 1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12
	Issue introduced in 4.14.114 with commit 53fc31a4853e30d6e8f142b824f724da27ff3e40
	Issue introduced in 4.19.37 with commit 8092ecc306d81186a64cda42411121f4d35aaff4
	Issue introduced in 5.0.10 with commit ebac4d0adf68f8962bd82fcf483936edd6ec095b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38527
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/smb/client/file.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
	https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995
	https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
	https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc
	https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ