CVE-2023-52751
- ULN >
- Oracle Linux CVE repository >
- CVE-2023-52751
CVE Details
| Release Date: | 2024-05-21 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix use-after-free in smb2_query_info_compound()\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\nBUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\nRead of size 8 at addr ffff888014941048 by task xfs_io/27534\nCPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nCall Trace:\ndump_stack_lvl+0x4a/0x80\nprint_report+0xcf/0x650\n? srso_alias_return_thunk+0x5/0x7f\n? srso_alias_return_thunk+0x5/0x7f\n? __phys_addr+0x46/0x90\nkasan_report+0xda/0x110\n? smb2_query_info_compound+0x423/0x6d0 [cifs]\n? smb2_query_info_compound+0x423/0x6d0 [cifs]\nsmb2_query_info_compound+0x423/0x6d0 [cifs]\n? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n? srso_alias_return_thunk+0x5/0x7f\n? __stack_depot_save+0x39/0x480\n? kasan_save_stack+0x33/0x60\n? kasan_set_track+0x25/0x30\n? ____kasan_slab_free+0x126/0x170\nsmb2_queryfs+0xc2/0x2c0 [cifs]\n? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n? __pfx___lock_acquire+0x10/0x10\nsmb311_queryfs+0x210/0x220 [cifs]\n? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n? srso_alias_return_thunk+0x5/0x7f\n? __lock_acquire+0x480/0x26c0\n? lock_release+0x1ed/0x640\n? srso_alias_return_thunk+0x5/0x7f\n? do_raw_spin_unlock+0x9b/0x100\ncifs_statfs+0x18c/0x4b0 [cifs]\nstatfs_by_dentry+0x9b/0xf0\nfd_statfs+0x4e/0xb0\n__do_sys_fstatfs+0x7f/0xe0\n? __pfx___do_sys_fstatfs+0x10/0x10\n? srso_alias_return_thunk+0x5/0x7f\n? lockdep_hardirqs_on_prepare+0x136/0x200\n? srso_alias_return_thunk+0x5/0x7f\ndo_syscall_64+0x3f/0x90\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nAllocated by task 27534:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\n__kasan_kmalloc+0x8f/0xa0\nopen_cached_dir+0x71b/0x1240 [cifs]\nsmb2_query_info_compound+0x5c3/0x6d0 [cifs]\nsmb2_queryfs+0xc2/0x2c0 [cifs]\nsmb311_queryfs+0x210/0x220 [cifs]\ncifs_statfs+0x18c/0x4b0 [cifs]\nstatfs_by_dentry+0x9b/0xf0\nfd_statfs+0x4e/0xb0\n__do_sys_fstatfs+0x7f/0xe0\ndo_syscall_64+0x3f/0x90\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nFreed by task 27534:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x50\n____kasan_slab_free+0x126/0x170\nslab_free_freelist_hook+0xd0/0x1e0\n__kmem_cache_free+0x9d/0x1b0\nopen_cached_dir+0xff5/0x1240 [cifs]\nsmb2_query_info_compound+0x5c3/0x6d0 [cifs]\nsmb2_queryfs+0xc2/0x2c0 [cifs]\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\nCIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...\nCIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\nCIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\nCIFS: VFS: Dump pending requests:\nCIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...\nCIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\nCIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n...\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.
See more information about CVE-2023-52751 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: | 7.1 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| Attack Vector: | Local network | Attack Complexity: | Low |
| Privileges Required: | Low | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | High |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
