CVE-2023-52741

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix use-after-free in rdata-&gt;read_into_pages()<br /> <br /> When the network status is unstable, use-after-free may occur when<br /> read data from the server.<br /> <br /> BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0<br /> <br /> Call Trace:<br /> <br /> dump_stack_lvl+0x38/0x4c<br /> print_report+0x16f/0x4a6<br /> kasan_report+0xb7/0x130<br /> readpages_fill_pages+0x14c/0x7e0<br /> cifs_readv_receive+0x46d/0xa40<br /> cifs_demultiplex_thread+0x121c/0x1490<br /> kthread+0x16b/0x1a0<br /> ret_from_fork+0x2c/0x50<br /> <br /> <br /> Allocated by task 2535:<br /> kasan_save_stack+0x22/0x50<br /> kasan_set_track+0x25/0x30<br /> __kasan_kmalloc+0x82/0x90<br /> cifs_readdata_direct_alloc+0x2c/0x110<br /> cifs_readdata_alloc+0x2d/0x60<br /> cifs_readahead+0x393/0xfe0<br /> read_pages+0x12f/0x470<br /> page_cache_ra_unbounded+0x1b1/0x240<br /> filemap_get_pages+0x1c8/0x9a0<br /> filemap_read+0x1c0/0x540<br /> cifs_strict_readv+0x21b/0x240<br /> vfs_read+0x395/0x4b0<br /> ksys_read+0xb8/0x150<br /> do_syscall_64+0x3f/0x90<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> Freed by task 79:<br /> kasan_save_stack+0x22/0x50<br /> kasan_set_track+0x25/0x30<br /> kasan_save_free_info+0x2e/0x50<br /> __kasan_slab_free+0x10e/0x1a0<br /> __kmem_cache_free+0x7a/0x1a0<br /> cifs_readdata_release+0x49/0x60<br /> process_one_work+0x46c/0x760<br /> worker_thread+0x2a4/0x6f0<br /> kthread+0x16b/0x1a0<br /> ret_from_fork+0x2c/0x50<br /> <br /> Last potentially related work creation:<br /> kasan_save_stack+0x22/0x50<br /> __kasan_record_aux_stack+0x95/0xb0<br /> insert_work+0x2b/0x130<br /> __queue_work+0x1fe/0x660<br /> queue_work_on+0x4b/0x60<br /> smb2_readv_callback+0x396/0x800<br /> cifs_abort_connection+0x474/0x6a0<br /> cifs_reconnect+0x5cb/0xa50<br /> cifs_readv_from_socket.cold+0x22/0x6c<br /> cifs_read_page_from_socket+0xc1/0x100<br /> readpages_fill_pages.cold+0x2f/0x46<br /> cifs_readv_receive+0x46d/0xa40<br /> cifs_demultiplex_thread+0x121c/0x1490<br /> kthread+0x16b/0x1a0<br /> ret_from_fork+0x2c/0x50<br /> <br /> The following function calls will cause UAF of the rdata pointer.<br /> <br /> readpages_fill_pages<br /> cifs_read_page_from_socket<br /> cifs_readv_from_socket<br /> cifs_reconnect<br /> __cifs_reconnect<br /> cifs_abort_connection<br /> mid-&gt;callback() --&gt; smb2_readv_callback<br /> queue_work(&amp;rdata-&gt;work) # if the worker completes first,<br /> # the rdata is freed<br /> cifs_readv_complete<br /> kref_put<br /> cifs_readdata_release<br /> kfree(rdata)<br /> return rdata-&gt;... # UAF in readpages_fill_pages()<br /> <br /> Similarly, this problem also occurs in the uncache_fill_pages().<br /> <br /> Fix this by adjusts the order of condition judgment in the return<br /> statement.