Bug 2154178 (CVE-2023-1192)
Summary: | CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout() | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | acaringi, allarkin, ben, bhu, carnil, chwhite, crwood, ddepaula, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lmlikith, lzampier, meissner, mpoole, nmurray, ptalbert, qzhao, rkeshri, rogbas, rvrbovsk, scweaver, steve.beattie, tyberry, vkumar, walters, williams, ybuenos |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux kernel. After CIFS transfers response data to a system call, a local variable still points to the memory region; if the system call frees that memory before CIFS is done with it, CIFS accesses freed memory, leading to a denial of service. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2175613, 2175614, 2175615, 2175616, 2175617 | | |
Bug Blocks: | 2267764, 2139758 | | |
Description
TEJ RATHI
2022-12-16 06:05:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2175613]

After CIFS transfers response data to a system call, there is still a local variable that points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region when it calls a function such as `smb2_is_status_io_timeout()`.

For Red Hat Enterprise Linux it is enabled as a module: CONFIG_CIFS=m

KSMBD and CIFS are the implementations of the in-kernel Samba server and CIFS client. They are often disabled in the default Linux configuration, but you can enable them by adding the configuration below.

```
CONFIG_SMB_SERVER=y
CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN=y
CONFIG_CIFS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
CONFIG_CIFS_DEBUG=y
```

Hi, is there more information for this? No related commit message can be found in the Linux kernel. If not, please reject the CVE.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5

This was fixed for Fedora with the 6.3.4 stable kernel update.

(In reply to Justin M. Forbes from comment #12)
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
>
> This was fixed for Fedora with the 6.3.4 stable kernel update.

Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?

In reply to comment #13:
> (In reply to Justin M. Forbes from comment #12)
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> >
> > This was fixed for Fedora with the 6.3.4 stable kernel update.
>
> Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?

Transferring needinfo to Alex.

In reply to comment #14:
> In reply to comment #13:
> > (In reply to Justin M. Forbes from comment #12)
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> > >
> > > This was fixed for Fedora with the 6.3.4 stable kernel update.
> >
> > Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?
>
> Transferring needinfo to Alex.

Since this one is a Low priority one, keeping it as is (meaning keep Fedora as not affected even if patch id=98bea253aa was noted incorrectly).

More details (that is, the comment after analysis of this bug for Red Hat Linux 9):

"This does not look exploitable and at worst, dereferencing an int from the freed memory can trigger a spurious reconnect to the server which should not cause any disruption to the application, except a syscall might be slightly delayed. It is not fixed in the upstream kernel yet, but there are still several other issues in the upstream kernel that can trigger reconnections like this that will be fixed over time."

(In reply to Salvatore Bonaccorso from comment #13)
> (In reply to Justin M. Forbes from comment #12)
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> >
> > This was fixed for Fedora with the 6.3.4 stable kernel update.
>
> Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?

It appears it may not be. I got the "fix" reference by looking up the CVE on https://www.linuxkernelcves.com/cves/CVE-2023-1192 while going through older CVEs that had been open for a bit. While I had not noticed their data being incorrect before, it appears this time to be.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2023:7548 https://access.redhat.com/errata/RHSA-2023:7548

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2023:7549 https://access.redhat.com/errata/RHSA-2023:7549

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2023:7749 https://access.redhat.com/errata/RHSA-2023:7749

smb2_is_status_io_timeout() is only ever called from cifs_demultiplex_thread(). That happens after it conditionally decrypts the original receive buffer (buf) into one or more new buffers (bufs[...]), or otherwise sets bufs[0] = buf. The decryption process looks like it can free the original buffer, resulting in the reported UAF.

If the error code is part of the encrypted payload, then I think the check for an I/O timeout should use bufs[0] like other code further down the function:

```
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1236,7 +1236,7 @@ cifs_demultiplex_thread(void *p)
 		}
 
 		if (server->ops->is_status_io_timeout &&
-		    server->ops->is_status_io_timeout(buf)) {
+		    server->ops->is_status_io_timeout(bufs[0])) {
 			num_io_timeout++;
 			if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) {
 				cifs_server_dbg(VFS,
--- END ---
```

If the error code does not get encrypted, then the timeout check needs to be done further up the function.

Does anyone have a reproducer for this?

Asked upstream in https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan

In reply to comment #25:
> Asked upstream in
> https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan

Transferring needinfo to Alex.

The patch is: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:0439 https://access.redhat.com/errata/RHSA-2024:0439

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:0448 https://access.redhat.com/errata/RHSA-2024:0448

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562

*** Bug 2267746 has been marked as a duplicate of this bug. ***

CVE-2023-52572 is a duplicate of CVE-2023-1192.

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250

The CNA for the kernel is asking that we mark this CVE as the duplicate rather than CVE-2023-52572. See the upstream thread https://lore.kernel.org/all/2024030256-CVE-2023-52572-2b92@gregkh/T/#u

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006
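Review bot: in the connect.c hunk, replacing `buf` with `bufs[0]` at the `is_status_io_timeout()` call does not settle whether that buffer is still live when line 1236 runs, which is the question the surrounding comment leaves open ("the timeout check needs to be done further up the function"). On the path where `bufs[0] = buf`, the hunk changes nothing; on the decrypting path it only moves the read to the buffer that, per the bug description, has already been transferred to the waiting system call, so the same free-before-use window remains. The safer shape is to evaluate the timeout condition while the thread still owns the buffer (right after the header is validated, or for encrypted frames right after decryption) and carry the result forward in a local, rather than choosing which pointer the late check dereferences; if the check stays where it is, it also needs an argument for why `bufs[0]` is populated and live on every path that reaches it.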
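The ordering problem the comments above describe (a local pointer to the response buffer outlives the handoff to the system call, and the status check runs afterwards) is easier to see in a small model than in the demultiplex thread itself. The following is an added example written for this page; it is not code from the kernel, the bug report or any commenter. It models a freed buffer by poisoning it with SLUB's 0x6b pattern instead of calling free(), so the stale read is deterministic rather than undefined behaviour, and it runs the same "check after handoff" and "check before handoff" loops over a constructed burst of STATUS_IO_TIMEOUT responses. The SMB2 header layout (Status at byte 8) and the NT status value are from the protocol; the constant MAX_STATUS_IO_TIMEOUT = 5 and the little-endian host are assumptions.

```c
/* Added example, not kernel code: user-space model of the check-after-handoff
 * bug in this report. Assumes MAX_STATUS_IO_TIMEOUT == 5 (verify against your
 * tree) and a little-endian host so the status literal matches the wire bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_IO_TIMEOUT      0xC00000B5u /* NT status smb2_is_status_io_timeout() looks for */
#define SMB2_HDR_STATUS_OFFSET 8           /* Status field sits at byte 8 of the SMB2 header */
#define SMB2_HDR_SIZE          64
#define MAX_STATUS_IO_TIMEOUT  5           /* assumed value of the kernel constant in the hunk */
#define POISON_FREE            0x6b        /* SLUB poison byte, used to model freed memory */
#define MAX_RESPONSES          16

struct resp_buf {
	uint8_t data[SMB2_HDR_SIZE];
};

/* Constructed SMB2 response header carrying the given NT status. */
static void make_response(struct resp_buf *b, uint32_t status)
{
	memset(b, 0, sizeof *b);
	memcpy(b->data, "\xfeSMB", 4);  /* ProtocolId */
	b->data[4] = SMB2_HDR_SIZE;     /* StructureSize */
	memcpy(b->data + SMB2_HDR_STATUS_OFFSET, &status, sizeof status);
}

/* Model of the waiting syscall: it consumes the response and releases the
 * buffer. Poisoning stands in for free() so the stale read can be observed. */
static void waiter_consume_and_release(struct resp_buf *b)
{
	memset(b->data, POISON_FREE, sizeof b->data);
}

/* Same test the kernel helper performs: read the header's Status field. */
static uint32_t smb2_status(const uint8_t *hdr)
{
	uint32_t st;
	memcpy(&st, hdr + SMB2_HDR_STATUS_OFFSET, sizeof st);
	return st;
}

static bool is_status_io_timeout(const uint8_t *hdr)
{
	return smb2_status(hdr) == STATUS_IO_TIMEOUT;
}

/* Buggy ordering: hand off first, then check through the pointer we kept. */
static int demux_check_after_handoff(struct resp_buf *rs, int n)
{
	int num_io_timeout = 0;
	for (int i = 0; i < n; i++) {
		uint8_t *buf = rs[i].data;          /* local pointer outlives the handoff */
		waiter_consume_and_release(&rs[i]); /* buffer is gone from here on */
		if (is_status_io_timeout(buf))      /* stale read: sees poison, not the status */
			num_io_timeout++;
	}
	return num_io_timeout;
}

/* Fixed ordering: take what the check needs while we still own the buffer. */
static int demux_check_before_handoff(struct resp_buf *rs, int n)
{
	int num_io_timeout = 0;
	for (int i = 0; i < n; i++) {
		bool timed_out = is_status_io_timeout(rs[i].data);
		waiter_consume_and_release(&rs[i]);
		if (timed_out)
			num_io_timeout++;
	}
	return num_io_timeout;
}

/* Threshold at which the demultiplex loop in the hunk forces a reconnect. */
static bool would_reconnect(int num_io_timeout)
{
	return num_io_timeout > MAX_STATUS_IO_TIMEOUT;
}

/* Build n constructed STATUS_IO_TIMEOUT responses and run one of the loops. */
static int run_timeout_burst(int n, bool check_before_handoff)
{
	struct resp_buf rs[MAX_RESPONSES];
	if (n > MAX_RESPONSES)
		n = MAX_RESPONSES;
	for (int i = 0; i < n; i++)
		make_response(&rs[i], STATUS_IO_TIMEOUT);
	return check_before_handoff ? demux_check_before_handoff(rs, n)
				    : demux_check_after_handoff(rs, n);
}

/* What the late check actually reads once the buffer has been released. */
static uint32_t status_seen_after_handoff(void)
{
	struct resp_buf r;
	make_response(&r, STATUS_IO_TIMEOUT);
	uint8_t *buf = r.data;
	waiter_consume_and_release(&r);
	return smb2_status(buf); /* poison, not STATUS_IO_TIMEOUT */
}

int main(void)
{
	int late = run_timeout_burst(6, false);
	int early = run_timeout_burst(6, true);
	printf("check after handoff:  %d timeouts, reconnect=%d, status read 0x%08x\n",
	       late, (int)would_reconnect(late), status_seen_after_handoff());
	printf("check before handoff: %d timeouts, reconnect=%d\n",
	       early, (int)would_reconnect(early));
	return 0;
}
```

With the late check, six consecutive timeout responses are all missed because the header has been released (in the kernel, whatever happens to occupy that memory decides the outcome, which is how the "spurious reconnect" in the analysis above can arise); with the check moved ahead of the handoff the same burst crosses the threshold and triggers the reconnect as intended. The fix pattern is the general one for this class of bug: extract what you need from a buffer before publishing it to another owner, and never dereference the local copy of the pointer afterwards.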