| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091856-CVE-2023-53427-f56c@gregkh> Date: Thu, 18 Sep 2025 18:04:18 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53427: cifs: Fix warning and UAF when destroy the MR list From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: cifs: Fix warning and UAF when destroy the MR list If the MR allocate failed, the MR recovery work not initialized and list not cleared. Then will be warning and UAF when release the MR: WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110 CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82 RIP: 0010:__flush_work.isra.0+0xf7/0x110 Call Trace: <TASK> __cancel_work_timer+0x2ba/0x2e0 smbd_destroy+0x4e1/0x990 _smbd_get_connection+0x1cbd/0x2110 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990 Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824 CPU: 4 PID: 824 Comm: mount.cifs Tainted: G W 6.1.0-rc5+ #82 Call Trace: dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 smbd_destroy+0x4fc/0x990 _smbd_get_connection+0x1cbd/0x2110 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Allocated by task 824: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7a/0x90 _smbd_get_connection+0x1b6f/0x2110 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 824: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x143/0x1b0 __kmem_cache_free+0xc8/0x330 _smbd_get_connection+0x1c6a/0x2110 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Let's initialize the MR recovery work before MR allocate to prevent the warning, remove the MRs from the list to prevent the UAF. The Linux kernel CVE team has assigned CVE-2023-53427 to this issue. Affected and fixed versions =========================== Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 4.19.276 with commit 275a3d2b9408fc4895e342f772cab9a89960546e Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 5.4.235 with commit 3524d6da0fe88aee79f06be6572955d16ad76b39 Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 5.10.173 with commit cfd85a0922c4696d768965e686ad805a58d9d834 Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 5.15.99 with commit 7cbd5bdb5bd4404a5da4309521134b42c65846c0 Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 6.1.16 with commit 41832c62a75dad530dc5a2856c92ae5459d497e5 Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 6.2.3 with commit 2d0c4f5f618f58eba03385363717703bee873c64 Issue introduced in 4.16 with commit c7398583340a6d82b8bb7f7f21edcde27dc6a898 and fixed in 6.3 with commit 3e161c2791f8e661eed24a2c624087084d910215 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53427 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/cifs/smbdirect.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/275a3d2b9408fc4895e342f772cab9a89960546e https://git.kernel.org/stable/c/3524d6da0fe88aee79f06be6572955d16ad76b39 https://git.kernel.org/stable/c/cfd85a0922c4696d768965e686ad805a58d9d834 https://git.kernel.org/stable/c/7cbd5bdb5bd4404a5da4309521134b42c65846c0 https://git.kernel.org/stable/c/41832c62a75dad530dc5a2856c92ae5459d497e5 https://git.kernel.org/stable/c/2d0c4f5f618f58eba03385363717703bee873c64 https://git.kernel.org/stable/c/3e161c2791f8e661eed24a2c624087084d910215
Powered by blists - more mailing lists