CVE-2023-53427
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/09/2025
Last modified:
19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix warning and UAF when destroying the MR list

If the MR allocation failed, the MR recovery work is not initialized
and the list is not cleared. Then there will be a warning and UAF when
releasing the MR:

WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
RIP: 0010:__flush_work.isra.0+0xf7/0x110
Call Trace:

__cancel_work_timer+0x2ba/0x2e0
smbd_destroy+0x4e1/0x990
_smbd_get_connection+0x1cbd/0x2110
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
CPU: 4 PID: 824 Comm: mount.cifs Tainted: G W 6.1.0-rc5+ #82
Call Trace:
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
smbd_destroy+0x4fc/0x990
_smbd_get_connection+0x1cbd/0x2110
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Allocated by task 824:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x7a/0x90
_smbd_get_connection+0x1b6f/0x2110
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 824:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
__kmem_cache_free+0xc8/0x330
_smbd_get_connection+0x1c6a/0x2110
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before the MR allocation to prevent
the warning, and remove the MRs from the list to prevent the UAF.
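As an added illustration (not the kernel's code and not this commit's diff), a user-space C model of the corrected ordering described above: the recovery work is marked initialised before any MR is allocated, and the failure path unlinks each MR from the list before freeing it, so teardown never cancels an uninitialised work item and never walks freed entries. The list helpers, smbd_conn, recovery_work_inited and the fail_at fault-injection parameter are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Minimal intrusive list in the style of the kernel's list_head (constructed). */
struct list_head { struct list_head *next, *prev; };
static void init_list(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n; }
struct mr { struct list_head list; };            /* one registered memory region */
#define MR_OF(p) ((struct mr *)((char *)(p) - offsetof(struct mr, list)))
/* Hypothetical stand-in for the smbd connection; the bool models INIT_WORK(). */
struct smbd_conn { struct list_head mr_list; bool recovery_work_inited; };
/* Fixed ordering: initialise the recovery work before allocating any MR, and on
 * failure unlink each MR before freeing it. fail_at (-1 = never) injects the
 * allocation failure so the error path can be exercised. */
static int allocate_mr_list(struct smbd_conn *c, int n, int fail_at)
{
	init_list(&c->mr_list);
	c->recovery_work_inited = true;             /* was after the loop in the bug */
	for (int i = 0; i < n; i++) {
		struct mr *m = (i == fail_at) ? NULL : calloc(1, sizeof *m);
		if (!m) goto cleanup;
		list_add_tail(&m->list, &c->mr_list);
	}
	return 0;
cleanup:
	while (!list_empty(&c->mr_list)) {
		struct mr *m = MR_OF(c->mr_list.next);
		list_del(&m->list);                     /* the step the bug omitted */
		free(m);
	}
	return -1;
}
/* Teardown: cancelling a never-initialised work item is the workqueue WARNING,
 * and walking freed-but-still-linked MRs is the KASAN UAF. Returns -1 for the
 * former, otherwise the number of MRs released. */
static int smbd_destroy(struct smbd_conn *c)
{
	if (!c->recovery_work_inited) return -1;
	int released = 0;
	for (; !list_empty(&c->mr_list); released++) {
		struct mr *m = MR_OF(c->mr_list.next);
		list_del(&m->list);
		free(m);
	}
	return released;
}
```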
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/275a3d2b9408fc4895e342f772cab9a89960546e
- https://git.kernel.org/stable/c/2d0c4f5f618f58eba03385363717703bee873c64
- https://git.kernel.org/stable/c/3524d6da0fe88aee79f06be6572955d16ad76b39
- https://git.kernel.org/stable/c/3e161c2791f8e661eed24a2c624087084d910215
- https://git.kernel.org/stable/c/41832c62a75dad530dc5a2856c92ae5459d497e5
- https://git.kernel.org/stable/c/7cbd5bdb5bd4404a5da4309521134b42c65846c0
- https://git.kernel.org/stable/c/cfd85a0922c4696d768965e686ad805a58d9d834