| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Mar 2024 11:38:49 +0100 From: Robert Frohl <rfrohl@...e.com> To: cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread() Hi all, this seems to be a duplicate of CVE-2023-1192 [0], even though NVD lists another, wrong patch. The RH bug has more details [1]. Cheers, Robert [0] https://nvd.nist.gov/vuln/detail/CVE-2023-1192 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c28 On 02.03.24 23:00, Greg Kroah-Hartman wrote: > Description > =========== > > In the Linux kernel, the following vulnerability has been resolved: > > cifs: Fix UAF in cifs_demultiplex_thread() > > There is a UAF when xfstests on cifs: > > BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160 > Read of size 4 at addr ffff88810103fc08 by task cifsd/923 > > CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45 > ... > Call Trace: > <TASK> > dump_stack_lvl+0x34/0x44 > print_report+0x171/0x472 > kasan_report+0xad/0x130 > kasan_check_range+0x145/0x1a0 > smb2_is_network_name_deleted+0x27/0x160 > cifs_demultiplex_thread.cold+0x172/0x5a4 > kthread+0x165/0x1a0 > ret_from_fork+0x1f/0x30 > </TASK> > > Allocated by task 923: > kasan_save_stack+0x1e/0x40 > kasan_set_track+0x21/0x30 > __kasan_slab_alloc+0x54/0x60 > kmem_cache_alloc+0x147/0x320 > mempool_alloc+0xe1/0x260 > cifs_small_buf_get+0x24/0x60 > allocate_buffers+0xa1/0x1c0 > cifs_demultiplex_thread+0x199/0x10d0 > kthread+0x165/0x1a0 > ret_from_fork+0x1f/0x30 > > Freed by task 921: > kasan_save_stack+0x1e/0x40 > kasan_set_track+0x21/0x30 > kasan_save_free_info+0x2a/0x40 > ____kasan_slab_free+0x143/0x1b0 > kmem_cache_free+0xe3/0x4d0 > cifs_small_buf_release+0x29/0x90 > SMB2_negotiate+0x8b7/0x1c60 > smb2_negotiate+0x51/0x70 > cifs_negotiate_protocol+0xf0/0x160 > cifs_get_smb_ses+0x5fa/0x13c0 > mount_get_conns+0x7a/0x750 > cifs_mount+0x103/0xd00 > cifs_smb3_do_mount+0x1dd/0xcb0 > smb3_get_tree+0x1d5/0x300 > vfs_get_tree+0x41/0xf0 > path_mount+0x9b3/0xdd0 > __x64_sys_mount+0x190/0x1d0 > do_syscall_64+0x35/0x80 > entry_SYSCALL_64_after_hwframe+0x46/0xb0 > > The UAF is because: > > mount(pid: 921) | cifsd(pid: 923) > -------------------------------|------------------------------- > | cifs_demultiplex_thread > SMB2_negotiate | > cifs_send_recv | > compound_send_recv | > smb_send_rqst | > wait_for_response | > wait_event_state [1] | > | standard_receive3 > | cifs_handle_standard > | handle_mid > | mid->resp_buf = buf; [2] > | dequeue_mid [3] > KILL the process [4] | > resp_iov[i].iov_base = buf | > free_rsp_buf [5] | > | is_network_name_deleted [6] > | callback > > 1. After send request to server, wait the response until > mid->mid_state != SUBMITTED; > 2. Receive response from server, and set it to mid; > 3. Set the mid state to RECEIVED; > 4. Kill the process, the mid state already RECEIVED, get 0; > 5. Handle and release the negotiate response; > 6. UAF. > > It can be easily reproduce with add some delay in [3] - [6]. > > Only sync call has the problem since async call's callback is > executed in cifsd process. > > Add an extra state to mark the mid state to READY before wakeup the > waitter, then it can get the resp safely. > > The Linux kernel CVE team has assigned CVE-2023-52572 to this issue. > > > Affected and fixed versions > =========================== > > Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.1.56 with commit 908b3b5e97d2 > Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.5.6 with commit 76569e3819e0 > Issue introduced in 2.6.16 with commit ec637e3ffb6b and fixed in 6.6 with commit d527f51331ca > > Please see https://www.kernel.org or a full list of currently supported > kernel versions by the kernel community. > > Unaffected versions might change over time as fixes are backported to > older supported kernel versions. The official CVE entry at > https://cve.org/CVERecord/?id=CVE-2023-52572 > will be updated if fixes are backported, please check that for the most > up to date information about this issue. > > > Affected files > ============== > > The file(s) affected by this issue are: > fs/smb/client/cifsglob.h > fs/smb/client/transport.c > > > Mitigation > ========== > > The Linux kernel CVE team recommends that you update to the latest > stable kernel version for this, and many other bugfixes. Individual > changes are never tested alone, but rather are part of a larger kernel > release. Cherry-picking individual commits is not recommended or > supported by the Linux kernel community at all. If however, updating to > the latest release is impossible, the individual changes to resolve this > issue can be found at these commits: > https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3 > https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a > https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f > -- Security Engineer, SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany, GF: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg) GPG: D29F 82AA 9FD5 9D6E 74B1 6370 089E DB3D 230A 2404 Download attachment "OpenPGP_0x089EDB3D230A2404.asc" of type "application/pgp-keys" (11850 bytes) Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists