Bug 2154177 (CVE-2023-1193)

Summary: CVE-2023-1193 kernel: use-after-free in setup_async_work()
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, bugzilla_throwaway, carnil, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rkeshri, rogbas, rvrbovsk, scweaver, steve.beattie, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Kernel 6.3-rc6
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-03-06 11:22:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2175634
Bug Blocks: 2139758

Description TEJ RATHI 2022-12-16 06:05:20 UTC
A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This flaw could allow an attacker to cause a crash by accessing the freed work.

CIFS creates some asynchronous works to handle deferred lock requests; those works are added to a linked list, but when it initializes the response header, it marks the work as synchronous without any check, so that the linked list contains a freed work after the work is done.

Refer:
https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/

Comment 3 Rohit Keshri 2023-03-06 07:23:03 UTC
No shipped kernel version was seen to be affected by this problem. These files are not built in our source code.

Comment 4 Rohit Keshri 2023-03-06 07:23:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2175634]

Comment 5 Product Security DevOps Team 2023-03-06 11:22:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1193

Comment 6 bugzilla_throwaway 2023-03-06 12:51:07 UTC
Could you please provide the commit or a link that this CVE refers to? Thanks!

Comment 8 TEJ RATHI 2023-03-13 05:24:57 UTC
In reply to comment #6:
> Could you please provide the commit or a link that this CVE refers to?
> Thanks!

Forwarding the needinfo to @Rohit.

Comment 10 Rohit Keshri 2023-03-15 18:32:54 UTC
CIFS creates some asynchronous works to handle deferred lock requests; those works are added to a linked list, but when it initializes the response header, it marks the work as synchronous without any check, so that the linked list contains a freed work after the work is done.

When a client sends a valid Samba LOCK request, the calling flow of KSMBD is as below:

- `handle_ksmbd_work()`
  - `__handle_ksmbd_work()`
    - `__process_request()`
      - `smb2_lock()`

And the crash is as follows:

[   83.655216] ==================================================================
[   83.655588] BUG: KASAN: use-after-free in ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.656014] Write of size 8 at addr ffff8880158549c0 by task kworker/0:7/375
[   83.656319]
[   83.656391] CPU: 0 PID: 375 Comm: kworker/0:7 Not tainted 6.0.6 #5
[   83.656639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   83.657111] Workqueue: ksmbd-io handle_ksmbd_work
[   83.657348] Call Trace:
[   83.657476]  <TASK>
[   83.657629]  dump_stack_lvl+0x34/0x48
[   83.657837]  print_report.cold+0x5e/0x5e5
[   83.658118]  ? ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.658456]  kasan_report+0xa3/0x130
[   83.658654]  ? _raw_write_lock_irq+0xd1/0xe0
[   83.658891]  ? ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.659128]  ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.659348]  handle_ksmbd_work+0x52f/0x1080
[   83.659527]  process_one_work+0x721/0x1220
[   83.659692]  worker_thread+0x53a/0x1140
[   83.659847]  ? process_one_work+0x1220/0x1220
[   83.660020]  kthread+0x267/0x300
[   83.660152]  ? kthread_complete_and_exit+0x20/0x20
[   83.660357]  ret_from_fork+0x22/0x30
[   83.660502]  </TASK>


We are not aware of a patch fixing this issue.
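To make the lifetime mistake described in the comment above concrete, here is an added, constructed C model of the pattern. It is not ksmbd code: the list type, the `work` and `conn` structs, the flag `HDR_FLAG_ASYNC`, the `freed` marker and every function name (`setup_async_work`, `init_response_header_buggy`, `init_response_header_fixed`, `complete_work`, `try_dequeue_request`, `run_scenario`) are assumptions of the model. It shows why resetting a work to synchronous without checking its current state leaves a released work reachable through the connection's list, and the form of check that keeps list membership and work lifetime consistent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not ksmbd code): a minimal intrusive doubly linked
 * list standing in for the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev;
    n->next = h;
    h->prev->next = n;
    h->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

#define HDR_FLAG_ASYNC 0x2u   /* assumed header flag meaning "async response" */

/* Model of a request work item. Its lifetime is governed by `asynchronous`;
 * its reachability by membership in the connection's async list. */
struct work {
    struct list_head async_list; /* link in conn->async_requests */
    int asynchronous;            /* 1: kept alive until dequeued later */
    unsigned int hdr_flags;      /* flags written into the response header */
    int freed;                   /* model only: set instead of really freeing */
};

struct conn { struct list_head async_requests; };

/* Deferred lock request: mark the work async and link it into the list. */
static void setup_async_work(struct conn *c, struct work *w)
{
    w->asynchronous = 1;
    list_add_tail(&w->async_list, &c->async_requests);
}

/* BUGGY header init, the pattern the report describes: the work is reset to
 * synchronous without checking whether it was already made asynchronous. */
static void init_response_header_buggy(struct work *w)
{
    w->hdr_flags = 0;
    w->asynchronous = 0;
}

/* FIXED header init: derive the header marking from the work's current
 * state instead of overwriting that state. */
static void init_response_header_fixed(struct work *w)
{
    w->hdr_flags = w->asynchronous ? HDR_FLAG_ASYNC : 0;
}

/* Completion path: synchronous works are released as soon as the handler
 * returns; asynchronous works stay alive until dequeued. Releasing never
 * unlinks, which is what makes the unconditional reset fatal. */
static void complete_work(struct work *w)
{
    if (!w->asynchronous)
        w->freed = 1; /* stands in for freeing the work struct */
}

/* Walks the async list and unlinks every entry. Returns how many entries
 * had already been released: nonzero is the use-after-free the KASAN
 * report above shows (a write into a freed node from the dequeue path). */
static int try_dequeue_request(struct conn *c)
{
    int dangling = 0;
    struct list_head *p = c->async_requests.next;

    while (p != &c->async_requests) {
        struct list_head *next = p->next;
        struct work *w = (struct work *)((char *)p - offsetof(struct work, async_list));

        if (w->freed)
            dangling++;
        list_del(p);
        p = next;
    }
    return dangling;
}

/* Runs one deferred-lock request through the model with the given header
 * initialiser; returns the number of released works still on the list. */
static int run_scenario(void (*init_hdr)(struct work *))
{
    struct conn c;
    struct work w;

    list_init(&c.async_requests);
    memset(&w, 0, sizeof w);
    setup_async_work(&c, &w);  /* work queued for later completion */
    init_hdr(&w);              /* response header built afterwards */
    complete_work(&w);         /* handler returns */
    return try_dequeue_request(&c);
}

int main(void)
{
    printf("buggy: %d released work(s) still linked\n", run_scenario(init_response_header_buggy));
    printf("fixed: %d released work(s) still linked\n", run_scenario(init_response_header_fixed));
    return 0;
}
```

Compile with any C compiler and run: the buggy initialiser reports one released work still linked, the fixed one none. The model replaces the real free with a `freed` marker so the broken case is observable rather than undefined behaviour; in the kernel the same ordering mistake shows up as the KASAN write report in the dequeue path quoted above.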

Comment 11 Justin M. Forbes 2023-03-21 14:20:45 UTC
Fedora does not enable the KSMBD server.

Comment 12 Salvatore Bonaccorso 2023-09-23 15:11:40 UTC
Is https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 the upstream fix for this issue?

Comment 13 TEJ RATHI 2023-09-25 08:25:55 UTC
In reply to comment #12:
> Is https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 the
> upstream fix for this issue?

Forwarding needinfo to Alex.

Comment 14 Rohit Keshri 2023-10-04 12:02:09 UTC
In reply to comment #12:
> Is https://git.kernel.org/linus/3a9b557f44ea8f216aab515a7db20e23f0eb51b9 the
> upstream fix for this issue?

Hello Carnil, yes, we have also updated this on our CVE page. Thank you.