Message-ID: <15436477.7601.1709663408600@app142018.ycg3.service-now.com>
Date: Tue, 5 Mar 2024 10:30:08 -0800 (PST)
From: Red Hat Product Security <secalert@...hat.com>
To: security@...e.de, rfrohl@...e.de, cve@...nel.org,
gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org
Subject: Re: Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()
Hello!
INC2885107 (Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()) has been updated.
Opened for: rfrohl@...e.de
Followers: cve@...nel.org, linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org, security@...e.de
Rohit Keshri updated your request with the following comments:
Hello Robert,
Thank you for reaching out to Red Hat Product Security.
I have reviewed the flaws; CVE-2023-1192 has the correct patch used in the reference.
Also, CVE-2023-52572 is a duplicate of CVE-2023-1192, which we will soon request for the same.
I will also share some observations for CVE-2023-1192 while it is under investigation:
~~~
## TL;DR
After CIFS transfers response data to the system call, there is still a local variable that points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region when it calls functions such as `smb2_is_status_io_timeout()`.
## Detail
When a client uses CIFS, system calls for file operations call the cifs API to send samba requests, and there is a CIFS kernel thread handler `cifs_demultiplex_thread()` which receives responses from the remote server and transfers that data to the corresponding syscall request.
In the beginning, the CIFS kernel thread allocates a memory chunk to `server->smallbuf` in function `allocate_buffers()` and assigns the pointer to the local variable `buf`. Then the cifs kernel thread gets a `struct mid_q_entry` instance from `server->ops->find_mid()`; this struct is used to transfer data between the kernel thread and the system call. Then the cifs kernel thread calls `standard_receive3()` to receive the response from the server, saving the data into `server->smallbuf`, assigning `server->smallbuf` to the `mid_q_entry` instance `mids[0]`, and finally marking this `mid_q_entry` as having received its response.
~~~
Please let us know if there are any further queries on this.
Regards,
Rohit
How can I track and update my request?
To respond, reply to this email. You may also create a new email and include the request number (INC2885107) in the subject.
Thank you,
Product Security
Ref:MSG86263708
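The ownership mistake described in the message (a receiver thread keeps a local pointer to a buffer after handing it to the waiting request, and the request releases it before the receiver touches it again) can be reproduced deterministically in a small single-threaded model. The code below is an added illustration, not CIFS kernel code and not the actual upstream fix; every name (`resp_buf`, `request`, `receive_buggy`, `receive_fixed`, `is_io_timeout`) is a constructed stand-in, and the "fixed" variant simply takes its own reference across the hand-off so the buffer stays live until the receiver is done with it. Released buffers are poisoned rather than freed so that a stale access is counted instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a response buffer shared between a receiver thread
 * and the request waiting for it. Not CIFS code; names are illustrative. */
struct resp_buf {
    int refs;            /* references held by the receiver and/or the request */
    int live;            /* 0 once the last reference has been dropped */
    char status[16];     /* constructed status string, e.g. "IO_TIMEOUT" */
};

struct request {
    struct resp_buf *resp;   /* set by the receiver on hand-off */
    int completed;
};

/* Number of accesses made to a buffer after its release; a sanitizer or
 * KASAN would report each of these in the real kernel. */
static int uaf_count;

static struct resp_buf *resp_alloc(const char *status)
{
    struct resp_buf *b = calloc(1, sizeof(*b));
    if (!b)
        abort();
    b->refs = 1;
    b->live = 1;
    strncpy(b->status, status, sizeof(b->status) - 1);
    return b;
}

/* Drop one reference; on the last one, poison the contents instead of
 * freeing so that a later stale read is detectable by the model. */
static void resp_put(struct resp_buf *b)
{
    if (--b->refs == 0) {
        b->live = 0;
        memset(b->status, 0xAA, sizeof(b->status));
    }
}

/* Stand-in for a post-hand-off inspection such as a status check.
 * Counts the access as a use-after-release if the buffer is gone. */
static int is_io_timeout(struct resp_buf *b)
{
    if (!b->live) {
        uaf_count++;
        return 0;
    }
    return strcmp(b->status, "IO_TIMEOUT") == 0;
}

/* The request side: consumes the response and drops its reference. */
static void request_consume(struct request *r)
{
    resp_put(r->resp);
    r->resp = NULL;
}

/* Buggy ordering: ownership moves to the request, the request completes and
 * releases the buffer, and the receiver then reads through its stale local. */
int receive_buggy(void)
{
    struct request req = {0};
    struct resp_buf *buf = resp_alloc("IO_TIMEOUT");
    int timeout;

    req.resp = buf;            /* hand-off: the request now owns the buffer */
    req.completed = 1;
    request_consume(&req);     /* may run to completion immediately */

    timeout = is_io_timeout(buf);   /* stale pointer: counted as a UAF */
    free(buf);
    return timeout;
}

/* Fixed ordering: the receiver holds its own reference across the hand-off,
 * so the buffer stays live until the receiver has finished inspecting it. */
int receive_fixed(void)
{
    struct request req = {0};
    struct resp_buf *buf = resp_alloc("IO_TIMEOUT");
    int timeout;

    buf->refs++;               /* receiver's own reference */
    req.resp = buf;
    req.completed = 1;
    request_consume(&req);     /* drops the request's reference only */

    timeout = is_io_timeout(buf);   /* still live: refs == 1 */
    resp_put(buf);                  /* receiver's reference, now the last */
    free(buf);
    return timeout;
}

int uaf_detected(void) { return uaf_count; }

int main(void)
{
    printf("buggy: timeout=%d uaf=%d\n", receive_buggy(), uaf_detected());
    printf("fixed: timeout=%d uaf=%d\n", receive_fixed(), uaf_detected());
    return 0;
}
```

The buggy path both misreads the status (the poisoned buffer never compares equal to "IO_TIMEOUT") and registers a stale access; the fixed path reads the correct status and registers none. The same outcome can be achieved by doing every inspection of the buffer before the hand-off instead of holding a reference; what matters is that no use of the local pointer remains after ownership has been transferred.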