Bug 1750410 (CVE-2019-15919)

Summary: CVE-2019-15919 kernel: use-after-free in SMB2_write function in fs/cifs/smb2pdu.c
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, rt-maint, rvrbovsk, steved, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the Linux kernel's CIFS client implementation. While issuing an SMB2_write, a value can be used after it was intended to be freed when CIFS function tracing is enabled. Even though the data is used after being freed, using it for privilege escalation does not seem possible.
Last Closed: 2021-10-25 09:53:30 UTC
Bug Depends On: 1750411, 1782009, 1782010
Bug Blocks: 1750412

Description Marian Rehak 2019-09-09 14:35:09 UTC
An issue was discovered in the Linux kernel's CIFS client implementation.
While issuing an SMB2_write, a value can be used after it was intended to be freed when CIFS function tracing is enabled.

While no privilege escalation is immediately obvious, Red Hat will not rule out that it may be possible.

Comment 1 Marian Rehak 2019-09-09 14:35:27 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1750411]

Comment 3 Justin M. Forbes 2019-09-10 06:37:28 UTC
This was fixed for Fedora with the 5.0.10 stable kernel updates.

Comment 7 Wade Mealing 2019-12-10 06:06:59 UTC
So, taking a look at the context of this apparent UAF.

	rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst,
			    &resp_buftype, flags, &rsp_iov);

	cifs_small_buf_release(req); <-- FREE HERE.

	rsp = (struct smb2_write_rsp *)rsp_iov.iov_base;

	if (rc) {
		trace_smb3_write_err(xid, req->PersistentFileId,
				     io_parms->offset, io_parms->length, rc);
		cifs_stats_fail_inc(io_parms->tcon, SMB2_WRITE_HE);
		cifs_dbg(VFS, "Send error in write = %d\n", rc);
	} else {
		*nbytes = le32_to_cpu(rsp->DataLength);
		trace_smb3_write_done(xid, req->PersistentFileId,
				      io_parms->offset, *nbytes);
	}

	free_rsp_buf(resp_buftype, rsp);
	return rc;

So, we can see that it's used in trace_smb3_write_err, which is part of the cifs tracing subsystem (not enabled by default) in the kernel. In this example all it does is print out the req->PersistentFileId. If an attacker can groom it between free, this may be a null pointer dereference, or an information leak. But I don't see how it can be privesc.

The fix was simply to move the free code after the use below...
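A small C model of the ordering problem described in Comment 7, added here as an illustration; it is not kernel code and not part of the bug report. The request buffer, cifs_small_buf_release() and the trace_smb3_write_* hooks are stand-ins, and the stand-in release only marks the buffer as returned (instead of freeing it) so the misordering can be detected rather than causing undefined behaviour; the "after fix" function shows the reordering the comment describes, trace first and release last.

```c
#include <stdint.h>

/* Constructed stand-in for the request buffer; the real one comes from the
 * cifs small-buffer cache and is returned with cifs_small_buf_release(). */
struct smb2_write_req {
	uint64_t PersistentFileId;
	int released;            /* model: set instead of actually freeing */
	int read_after_release;  /* model: set if a trace hook reads a released req */
};

/* Stand-in for cifs_small_buf_release(): marks the buffer as returned. */
static void cifs_small_buf_release(struct smb2_write_req *req)
{
	req->released = 1;
}

/* Stand-in for trace_smb3_write_err()/trace_smb3_write_done(): the hooks
 * only run when CIFS tracing is enabled, and they read req->PersistentFileId. */
static void trace_smb3_write(struct smb2_write_req *req, int tracing_enabled)
{
	volatile uint64_t fid;

	if (!tracing_enabled)
		return;
	if (req->released)
		req->read_after_release = 1;
	fid = req->PersistentFileId;  /* the read Comment 7 points at */
	(void)fid;
}

/* Ordering quoted in Comment 7: release first, trace afterwards.
 * Returns 1 if the trace hook read the buffer after its release. */
static int smb2_write_tail_before_fix(struct smb2_write_req *req, int tracing_enabled)
{
	cifs_small_buf_release(req);
	trace_smb3_write(req, tracing_enabled);
	return req->read_after_release;
}

/* Ordering after the fix: trace while req is still live, release last. */
static int smb2_write_tail_after_fix(struct smb2_write_req *req, int tracing_enabled)
{
	trace_smb3_write(req, tracing_enabled);
	cifs_small_buf_release(req);
	return req->read_after_release;
}
```

With tracing disabled the pre-fix ordering never touches the released buffer, which is why the issue only shows up when CIFS function tracing is turned on.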

Comment 10 Eric Christensen 2019-12-11 19:46:13 UTC

As the CIFS module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

  # echo "install cifs /bin/true" >> /etc/modprobe.d/disable-cifs.conf 
The system will need to be restarted if the CIFS modules are loaded. In most circumstances, the CIFS kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.