[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ae3d431d-d93f-4fe4-99c9-7157bebaff79@suse.com>
Date: Tue, 5 Mar 2024 11:38:49 +0100
From: Robert Frohl <rfrohl@...e.com>
To: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()
Hi all,
this seems to be a duplicate of CVE-2023-1192 [0], even though NVD lists
another, wrong patch. The RH bug has more details [1].
Cheers,
Robert
[0] https://nvd.nist.gov/vuln/detail/CVE-2023-1192
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c28
On 02.03.24 23:00, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> cifs: Fix UAF in cifs_demultiplex_thread()
>
> There is a UAF when xfstests on cifs:
>
> BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
> Read of size 4 at addr ffff88810103fc08 by task cifsd/923
>
> CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x34/0x44
> print_report+0x171/0x472
> kasan_report+0xad/0x130
> kasan_check_range+0x145/0x1a0
> smb2_is_network_name_deleted+0x27/0x160
> cifs_demultiplex_thread.cold+0x172/0x5a4
> kthread+0x165/0x1a0
> ret_from_fork+0x1f/0x30
> </TASK>
>
> Allocated by task 923:
> kasan_save_stack+0x1e/0x40
> kasan_set_track+0x21/0x30
> __kasan_slab_alloc+0x54/0x60
> kmem_cache_alloc+0x147/0x320
> mempool_alloc+0xe1/0x260
> cifs_small_buf_get+0x24/0x60
> allocate_buffers+0xa1/0x1c0
> cifs_demultiplex_thread+0x199/0x10d0
> kthread+0x165/0x1a0
> ret_from_fork+0x1f/0x30
>
> Freed by task 921:
> kasan_save_stack+0x1e/0x40
> kasan_set_track+0x21/0x30
> kasan_save_free_info+0x2a/0x40
> ____kasan_slab_free+0x143/0x1b0
> kmem_cache_free+0xe3/0x4d0
> cifs_small_buf_release+0x29/0x90
> SMB2_negotiate+0x8b7/0x1c60
> smb2_negotiate+0x51/0x70
> cifs_negotiate_protocol+0xf0/0x160
> cifs_get_smb_ses+0x5fa/0x13c0
> mount_get_conns+0x7a/0x750
> cifs_mount+0x103/0xd00
> cifs_smb3_do_mount+0x1dd/0xcb0
> smb3_get_tree+0x1d5/0x300
> vfs_get_tree+0x41/0xf0
> path_mount+0x9b3/0xdd0
> __x64_sys_mount+0x190/0x1d0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> The UAF is because:
>
> mount(pid: 921) | cifsd(pid: 923)
> -------------------------------|-------------------------------
> | cifs_demultiplex_thread
> SMB2_negotiate |
> cifs_send_recv |
> compound_send_recv |
> smb_send_rqst |
> wait_for_response |
> wait_event_state [1] |
> | standard_receive3
> | cifs_handle_standard
> | handle_mid
> | mid->resp_buf = buf; [2]
> | dequeue_mid [3]
> KILL the process [4] |
> resp_iov[i].iov_base = buf |
> free_rsp_buf [5] |
> | is_network_name_deleted [6]
> | callback
>
> 1. After send request to server, wait the response until
> mid->mid_state != SUBMITTED;
> 2. Receive response from server, and set it to mid;
> 3. Set the mid state to RECEIVED;
> 4. Kill the process, the mid state already RECEIVED, get 0;
> 5. Handle and release the negotiate response;
> 6. UAF.
>
> It can be easily reproduce with add some delay in [3] - [6].
>
> Only sync call has the problem since async call's callback is
> executed in cifsd process.
>
> Add an extra state to mark the mid state to READY before wakeup the
> waitter, then it can get the resp safely.
>
> The Linux kernel CVE team has assigned CVE-2023-52572 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.1.56 with commit 908b3b5e97d2
> Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.5.6 with commit 76569e3819e0
> Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.6 with commit d527f51331ca
>
> Please see https://www.kernel.org or a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions. The official CVE entry at
> https://cve.org/CVERecord/?id=CVE-2023-52572
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> fs/smb/client/cifsglob.h
> fs/smb/client/transport.c
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes. Individual
> changes are never tested alone, but rather are part of a larger kernel
> release. Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all. If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3
> https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a
> https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f
>
--
Security Engineer, SUSE Software Solutions Germany GmbH, Frankenstraße
146, 90461 Nürnberg, Germany, GF: Ivo Totev, Andrew McDonald, Werner
Knoblich (HRB 36809, AG Nürnberg)
GPG: D29F 82AA 9FD5 9D6E 74B1 6370 089E DB3D 230A 2404
Download attachment "OpenPGP_0x089EDB3D230A2404.asc" of type "application/pgp-keys" (11850 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists