CVE-2023-52572

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
02/03/2024
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix UAF in cifs_demultiplex_thread()

There is a UAF when running xfstests on cifs:

BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
Read of size 4 at addr ffff88810103fc08 by task cifsd/923

CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
...
Call Trace:

 dump_stack_lvl+0x34/0x44
 print_report+0x171/0x472
 kasan_report+0xad/0x130
 kasan_check_range+0x145/0x1a0
 smb2_is_network_name_deleted+0x27/0x160
 cifs_demultiplex_thread.cold+0x172/0x5a4
 kthread+0x165/0x1a0
 ret_from_fork+0x1f/0x30

Allocated by task 923:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_slab_alloc+0x54/0x60
 kmem_cache_alloc+0x147/0x320
 mempool_alloc+0xe1/0x260
 cifs_small_buf_get+0x24/0x60
 allocate_buffers+0xa1/0x1c0
 cifs_demultiplex_thread+0x199/0x10d0
 kthread+0x165/0x1a0
 ret_from_fork+0x1f/0x30

Freed by task 921:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x40
 ____kasan_slab_free+0x143/0x1b0
 kmem_cache_free+0xe3/0x4d0
 cifs_small_buf_release+0x29/0x90
 SMB2_negotiate+0x8b7/0x1c60
 smb2_negotiate+0x51/0x70
 cifs_negotiate_protocol+0xf0/0x160
 cifs_get_smb_ses+0x5fa/0x13c0
 mount_get_conns+0x7a/0x750
 cifs_mount+0x103/0xd00
 cifs_smb3_do_mount+0x1dd/0xcb0
 smb3_get_tree+0x1d5/0x300
 vfs_get_tree+0x41/0xf0
 path_mount+0x9b3/0xdd0
 __x64_sys_mount+0x190/0x1d0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The UAF is because:

mount(pid: 921)                | cifsd(pid: 923)
-------------------------------|-------------------------------
                               | cifs_demultiplex_thread
SMB2_negotiate                 |
 cifs_send_recv                |
  compound_send_recv           |
   smb_send_rqst               |
    wait_for_response          |
     wait_event_state [1]      |
                               |  standard_receive3
                               |   cifs_handle_standard
                               |    handle_mid
                               |     mid->resp_buf = buf; [2]
                               |     dequeue_mid [3]
KILL the process [4]           |
 resp_iov[i].iov_base = buf    |
 free_rsp_buf [5]              |
                               |  is_network_name_deleted [6]
                               |  callback

1. After sending the request to the server, wait for the response until
   mid->mid_state != SUBMITTED;
2. Receive the response from the server, and set it in the mid;
3. Set the mid state to RECEIVED;
4. Kill the process; the mid state is already RECEIVED, so it gets 0;
5. Handle and release the negotiate response;
6. UAF.

It can be easily reproduced by adding some delay between [3] and [6].

Only the sync call has the problem, since an async call's callback is
executed in the cifsd process.

Add an extra state to mark the mid state READY before waking up the
waiter, then it can get the response safely.
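The ordering problem in the description is easy to lose in the stack traces, so here is a small single-threaded model of it. This is an added example written for this page, not kernel code: the struct names, the `live` flag standing in for the allocator's KASAN bookkeeping, and the functions named after the kernel steps ([2] through [6]) are all constructed. It replays the exact interleaving from the report twice: once with the waiter treating RECEIVED as "done" (the vulnerable behaviour), and once with the extra READY state the fix describes, where the waiter only takes ownership of `resp_buf` once cifsd has finished inspecting it. The point to take away is ownership: whichever side sees the buffer as "done" first must be the only one that frees it, and the network-name-deleted check runs after the state is published, so publishing RECEIVED too early hands the buffer to the waiter while cifsd still reads it.

```c
/* Model of the cifsd / mount-task race behind CVE-2023-52572.
 * Constructed example for this page; not Linux kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum mid_state {
    MID_REQUEST_SUBMITTED,   /* request sent, waiter sleeping [1] */
    MID_RESPONSE_RECEIVED,   /* cifsd attached resp_buf; may still read it */
    MID_RESPONSE_READY,      /* (fix) cifsd is done with resp_buf */
};

/* Stand-in for a mempool buffer. A read with live == false is the UAF
 * that KASAN reported in smb2_is_network_name_deleted(). */
struct resp_buf {
    bool live;
    int  frees;     /* must end at exactly 1: no double free, no leak */
    int  status;    /* constructed stand-in for the SMB2 status field */
};

#define STATUS_NETWORK_NAME_DELETED 0xC00000C9u

struct mid {
    enum mid_state   state;
    struct resp_buf *resp_buf;
    bool             cancelled;  /* waiter gave up; cifsd owns cleanup */
    bool             uaf;        /* cifsd touched a released buffer */
};

static void buf_release(struct resp_buf *b) { b->live = false; b->frees++; }

/* ---- cifsd (demultiplex thread) side ---------------------------------- */

/* handle_mid + dequeue_mid: attach the buffer, then publish the state. */
static void cifsd_receive(struct mid *m, struct resp_buf *b)
{
    m->resp_buf = b;                    /* [2] */
    m->state = MID_RESPONSE_RECEIVED;   /* [3] this is what wakes the waiter */
}

/* is_network_name_deleted: runs after [3], so after the waiter may have woken. */
static bool cifsd_check_name_deleted(struct mid *m)
{
    struct resp_buf *b = m->resp_buf;
    if (!b->live) {                     /* [6] */
        m->uaf = true;
        return false;
    }
    return (unsigned)b->status == STATUS_NETWORK_NAME_DELETED;
}

/* With the fix, only now is the buffer handed over; a cancelled mid is
 * cleaned up by cifsd because the waiter never took ownership. */
static void cifsd_finish(struct mid *m, bool fixed)
{
    if (fixed && m->state == MID_RESPONSE_RECEIVED)
        m->state = MID_RESPONSE_READY;
    if (m->cancelled)
        buf_release(m->resp_buf);
}

/* ---- waiter (mount task) side ----------------------------------------- */

/* What the waiter decides after its sleep was interrupted by SIGKILL [4].
 * Returns 0 if it now owns resp_buf, -1 if it must leave it to cifsd. */
static int waiter_after_signal(struct mid *m, bool fixed)
{
    enum mid_state done = fixed ? MID_RESPONSE_READY : MID_RESPONSE_RECEIVED;
    if (m->state == done)
        return 0;
    m->cancelled = true;
    return -1;
}

/* Replay the reported interleaving: [2],[3], kill [4], free [5], check [6].
 * Returns true if cifsd read a released buffer. */
static bool run_race(bool fixed, struct resp_buf *b)
{
    struct mid m = { .state = MID_REQUEST_SUBMITTED };
    *b = (struct resp_buf){ .live = true, .frees = 0, .status = 0 };

    cifsd_receive(&m, b);
    if (waiter_after_signal(&m, fixed) == 0)
        buf_release(m.resp_buf);        /* [5] free_rsp_buf */
    cifsd_check_name_deleted(&m);       /* [6] */
    cifsd_finish(&m, fixed);
    return m.uaf;
}

int main(void)
{
    struct resp_buf b;
    printf("RECEIVED wakes waiter: uaf=%d frees=%d\n", run_race(false, &b), b.frees);
    printf("READY wakes waiter:    uaf=%d frees=%d\n", run_race(true, &b), b.frees);
    return 0;
}
```

In the unpatched replay the killed waiter sees RECEIVED, returns 0 and frees the buffer that cifsd is about to read; in the patched replay it sees RECEIVED as "not mine yet", marks the mid cancelled and leaves the release to cifsd, so the buffer is still freed exactly once but only after the check in [6]. This is the same invariant the real fix enforces by making the waiter wait until the state is neither SUBMITTED nor RECEIVED.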

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.16 (including) 6.1.56 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*