CVE-2023-53246

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 15/09/2025
Last modified: 05/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL

When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to S_AUTOMOUNT and corresponding dentry flags is retained regardless of CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in VFS follow_automount() when traversing a DFS referral link:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  ...
  Call Trace:
  __traverse_mounts+0xb5/0x220
  ? cifs_revalidate_mapping+0x65/0xc0 [cifs]
  step_into+0x195/0x610
  ? lookup_fast+0xe2/0xf0
  path_lookupat+0x64/0x140
  filename_lookup+0xc2/0x140
  ? __create_object+0x299/0x380
  ? kmem_cache_alloc+0x119/0x220
  ? user_path_at_empty+0x31/0x50
  user_path_at_empty+0x31/0x50
  __x64_sys_chdir+0x2a/0xd0
  ? exit_to_user_mode_prepare+0xca/0x100
  do_syscall_64+0x42/0x90
  entry_SYSCALL_64_after_hwframe+0x72/0xdc

This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This approach was chosen as it provides more control over the error path.
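The defect pattern described above, as an added user-space model (not kernel code and not part of the advisory or the upstream patch): a dentry keeps its automount flag while the handler slot is NULL, and the fix fills the slot with a stub that returns -EREMOTE. Every model_* name is hypothetical, and the model returns a sentinel where the real kernel would dereference the NULL pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: every model_* name is hypothetical, not a kernel symbol. */
#define MODEL_S_AUTOMOUNT 0x1u  /* stands in for S_AUTOMOUNT and the dentry flags */
#define MODEL_OOPS        1     /* sentinel: the real kernel would dereference NULL */

struct model_dentry;
typedef int (*model_automount_fn)(struct model_dentry *);

struct model_dentry {
    unsigned int flags;              /* derived from the DFS referral attribute */
    model_automount_fn d_automount;  /* handler slot in the dentry operations */
};

/* Shape of the fix: with DFS upcall support compiled out, supply a stub. */
static int model_stub_automount(struct model_dentry *d)
{
    (void)d;
    return -EREMOTE;
}

/* The flag mapping is retained regardless of the config option (as the
 * advisory states), so a DFS referral dentry is always marked for automount. */
static struct model_dentry model_make_referral(model_automount_fn handler)
{
    struct model_dentry d = { MODEL_S_AUTOMOUNT, handler };
    return d;
}

/* Caller that trusts the flag. Returns MODEL_OOPS where calling through the
 * NULL slot would crash; otherwise returns the handler's result. */
static int model_follow_automount(struct model_dentry *d)
{
    if (!(d->flags & MODEL_S_AUTOMOUNT))
        return 0;               /* ordinary dentry, nothing to mount */
    if (d->d_automount == NULL)
        return MODEL_OOPS;      /* before the fix: call through a NULL pointer */
    return d->d_automount(d);   /* after the fix: controlled -EREMOTE */
}

int main(void)
{
    struct model_dentry before = model_make_referral(NULL);
    struct model_dentry after = model_make_referral(model_stub_automount);
    printf("before fix: %d\n", model_follow_automount(&before));
    printf("after fix:  %d\n", model_follow_automount(&after));
    return 0;
}
```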

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.14.312 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.280 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.240 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.177 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.106 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.2.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:* | | |