CVE-2024-35870

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix UAF in smb2_reconnect_server()<br /> <br /> The UAF bug is due to smb2_reconnect_server() accessing a session that<br /> is already being teared down by another thread that is executing<br /> __cifs_put_smb_ses(). This can happen when (a) the client has<br /> connection to the server but no session or (b) another thread ends up<br /> setting @ses-&gt;ses_status again to something different than<br /> SES_EXITING.<br /> <br /> To fix this, we need to make sure to unconditionally set<br /> @ses-&gt;ses_status to SES_EXITING and prevent any other threads from<br /> setting a new status while we&amp;#39;re still tearing it down.<br /> <br /> The following can be reproduced by adding some delay to right after<br /> the ipc is freed in __cifs_put_smb_ses() - which will give<br /> smb2_reconnect_server() worker a chance to run and then accessing<br /> @ses-&gt;ipc:<br /> <br /> kinit ...<br /> mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10<br /> [disconnect srv]<br /> ls /mnt/1 &amp;&gt;/dev/null<br /> sleep 30<br /> kdestroy<br /> [reconnect srv]<br /> sleep 10<br /> umount /mnt/1<br /> ...<br /> CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed<br /> CIFS: VFS: \\srv Send error in SessSetup = -126<br /> CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed<br /> CIFS: VFS: \\srv Send error in SessSetup = -126<br /> general protection fault, probably for non-canonical address<br /> 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39<br /> 04/01/2014<br /> Workqueue: cifsiod smb2_reconnect_server [cifs]<br /> RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0<br /> Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad<br /> de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 8b 01 48 39 f8 75<br /> 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8<br /> RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83<br /> RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b<br /> RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800<br /> RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000<br /> R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000<br /> FS: 0000000000000000(0000) GS:ffff888157c00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? die_addr+0x36/0x90<br /> ? exc_general_protection+0x1c1/0x3f0<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? __list_del_entry_valid_or_report+0x33/0xf0<br /> __cifs_put_smb_ses+0x1ae/0x500 [cifs]<br /> smb2_reconnect_server+0x4ed/0x710 [cifs]<br /> process_one_work+0x205/0x6b0<br /> worker_thread+0x191/0x360<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xe2/0x110<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br />