Bug 2154178 (CVE-2023-1192)

Summary: CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout()
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, bhu, chwhite, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lleshchi, lzampier, meissner, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steve.beattie, swood, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2175613, 2175614, 2175615, 2175616, 2175617
Bug Blocks: 2139758

Description TEJ RATHI 2022-12-16 06:05:24 UTC
The use-after-free in smb2_is_status_io_timeout()

A local variable points to a memory region which may be freed by another thread.

Comment 4 Rohit Keshri 2023-03-06 06:37:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2175613]

Comment 6 Alex 2023-03-06 08:40:14 UTC
After CIFS transfers response data to the system call, there is still a local variable pointing to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region when it calls functions such as `smb2_is_status_io_timeout()`.

For Red Hat Enterprise Linux it is enabled as a module:
CONFIG_CIFS=m

KSMBD and CIFS are the in-kernel implementations of the Samba server and CIFS; they are often disabled in the default Linux configuration, but you can enable them by adding the configuration below.

```
CONFIG_SMB_SERVER=y
CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN=y

CONFIG_CIFS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
CONFIG_CIFS_DEBUG=y
```

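The ordering problem described in Comment 6 (the response buffer is handed to the system-call side, which frees it, while the demultiplex path still holds a local pointer and inspects the status through it) can be modelled deterministically in userspace. The following is an added example, not code from the kernel or from this bug: `smb2_hdr`, `demux_buggy`, `demux_buggy_after_reuse`, `demux_fixed`, `fake_kmalloc` and `fake_kfree` are hypothetical names, and the "slab" is a fixed pool whose free poisons the slot with 0x6b (the byte SLUB's `POISON_FREE` uses) so the stale read produces a wrong answer instead of undefined behaviour. Only the status field of the header is modelled.

```c
/* Added example, not kernel code: userspace model of the CVE-2023-1192
 * handoff/use-after-free pattern. All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NT_STATUS_IO_TIMEOUT 0xC00000B5u  /* real NT status value */
#define NT_STATUS_SUCCESS    0x00000000u
#define POISON_FREE          0x6b        /* SLUB's free-object poison byte */

/* Only the field this example needs; not the full SMB2 header layout. */
struct smb2_hdr {
    uint32_t status;        /* NT status of the response */
};

/* Fake slab: a few fixed slots, lowest free slot wins, free() poisons.
 * Slots are malloc'd lazily so reuse of a freed slot is deterministic. */
#define POOL_SLOTS 4
#define SLOT_SIZE  64
static void *pool[POOL_SLOTS];
static bool slot_in_use[POOL_SLOTS];

static void *fake_kmalloc(size_t n)
{
    if (n > SLOT_SIZE)
        return NULL;
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (slot_in_use[i])
            continue;
        if (!pool[i] && !(pool[i] = malloc(SLOT_SIZE)))
            return NULL;
        slot_in_use[i] = true;
        memset(pool[i], 0, SLOT_SIZE);
        return pool[i];
    }
    return NULL;
}

static void fake_kfree(void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (p == pool[i]) {
            memset(pool[i], POISON_FREE, SLOT_SIZE);
            slot_in_use[i] = false;
            return;
        }
    }
}

/* The check itself is trivial; the bug is about *when* it runs. */
static bool is_status_io_timeout(const struct smb2_hdr *hdr)
{
    return hdr->status == NT_STATUS_IO_TIMEOUT;
}

/* The "system call" side: it owns the response now and frees it. */
static void syscall_consume(struct smb2_hdr *resp)
{
    fake_kfree(resp);
}

/* Buggy ordering: hand the buffer off first, then inspect it through a
 * local pointer that still names the freed region. With poisoning the
 * status reads as 0x6b6b6b6b, so a real timeout is missed. */
static bool demux_buggy(struct smb2_hdr *resp)
{
    struct smb2_hdr *local = resp;
    syscall_consume(resp);
    return is_status_io_timeout(local);
}

/* Same bug, but the freed slot is reused by another response before the
 * stale read: the decision is now made on that response's status. */
static bool demux_buggy_after_reuse(struct smb2_hdr *resp)
{
    struct smb2_hdr *local = resp;
    syscall_consume(resp);
    struct smb2_hdr *other = fake_kmalloc(sizeof *other);  /* reuses slot */
    if (!other)
        return false;
    other->status = NT_STATUS_IO_TIMEOUT;
    bool r = is_status_io_timeout(local);
    fake_kfree(other);
    return r;
}

/* Fixed ordering: read everything needed while we still own the buffer,
 * then hand it off. Nothing dereferences resp after syscall_consume(). */
static bool demux_fixed(struct smb2_hdr *resp)
{
    bool timed_out = is_status_io_timeout(resp);
    syscall_consume(resp);
    return timed_out;
}

/* Build one response with the given status and run it through a path. */
static bool run(bool (*path)(struct smb2_hdr *), uint32_t status)
{
    struct smb2_hdr *r = fake_kmalloc(sizeof *r);
    if (!r)
        return false;
    r->status = status;
    return path(r);
}

int main(void)
{
    bool ok = run(demux_fixed, NT_STATUS_IO_TIMEOUT) &&
              !run(demux_buggy, NT_STATUS_IO_TIMEOUT) &&
              run(demux_buggy_after_reuse, NT_STATUS_SUCCESS);
    return ok ? 0 : 1;
}
```

The point of the two buggy paths is that the wrong answer depends on what the allocator does with the freed slot: with poisoning the timeout is silently missed, without it the check is made on whatever object lands in the slot next. The fixed path is the general rule for this class of bug: extract every field you still need before ownership of the buffer passes to another thread, or hold a reference that keeps the buffer alive until the check is done.
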
Comment 11 Marcus Meissner 2023-07-09 09:22:25 UTC
Hi,

Is there more information for this?

No related commit message can be found in the Linux Kernel.

If not, please reject the CVE.

Comment 12 Justin M. Forbes 2023-07-18 18:41:49 UTC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5

This was fixed for Fedora with the 6.3.4 stable kernel update.