Bug 2154177 (CVE-2023-1193) - CVE-2023-1193 kernel: use-after-free in setup_async_work()
Summary: CVE-2023-1193 kernel: use-after-free in setup_async_work()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-1193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2175634
Blocks: 2139758
Reported: 2022-12-16 06:05 UTC by TEJ RATHI
Modified: 2023-07-05 08:58 UTC (History)
39 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-06 11:22:30 UTC
Embargoed:



Description TEJ RATHI 2022-12-16 06:05:20 UTC
The use-after-free in setup_async_work()

Missing check for synchronous state, which makes the ksmbd_work object not be dequeued from the linked list before it is freed.

Comment 3 Rohit Keshri 2023-03-06 07:23:03 UTC
No shipped kernel version was seen affected by this problem. These files are not built in our source code.

Comment 4 Rohit Keshri 2023-03-06 07:23:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2175634]

Comment 5 Product Security DevOps Team 2023-03-06 11:22:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1193

Comment 6 bugzilla_throwaway 2023-03-06 12:51:07 UTC
Could you please provide the commit or a link that this CVE refers to? Thanks!

Comment 8 TEJ RATHI 2023-03-13 05:24:57 UTC
In reply to comment #6:
> Could you please provide the commit or a link that this CVE refers to?
> Thanks!

Forwarding the needinfo to @Rohit.

Comment 10 Rohit Keshri 2023-03-15 18:32:54 UTC
CIFS creates some asynchronous works to handle deferred lock requests; those works are added to a linked list, but when it initializes the response header, it marks the work as synchronous without any check, so that the linked list contains a freed work after the work is done.

When a client sends a valid Samba LOCK request, the calling flow of KSMBD is as below:

- `handle_ksmbd_work()`
  - `__handle_ksmbd_work()`
    - `__process_request()`
      - `smb2_lock()`

And the crash is as follows:

[   83.655216] ==================================================================
[   83.655588] BUG: KASAN: use-after-free in ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.656014] Write of size 8 at addr ffff8880158549c0 by task kworker/0:7/375
[   83.656319]
[   83.656391] CPU: 0 PID: 375 Comm: kworker/0:7 Not tainted 6.0.6 #5
[   83.656639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   83.657111] Workqueue: ksmbd-io handle_ksmbd_work
[   83.657348] Call Trace:
[   83.657476]  <TASK>
[   83.657629]  dump_stack_lvl+0x34/0x48
[   83.657837]  print_report.cold+0x5e/0x5e5
[   83.658118]  ? ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.658456]  kasan_report+0xa3/0x130
[   83.658654]  ? _raw_write_lock_irq+0xd1/0xe0
[   83.658891]  ? ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.659128]  ksmbd_conn_try_dequeue_request+0x336/0x340
[   83.659348]  handle_ksmbd_work+0x52f/0x1080
[   83.659527]  process_one_work+0x721/0x1220
[   83.659692]  worker_thread+0x53a/0x1140
[   83.659847]  ? process_one_work+0x1220/0x1220
[   83.660020]  kthread+0x267/0x300
[   83.660152]  ? kthread_complete_and_exit+0x20/0x20
[   83.660357]  ret_from_fork+0x22/0x30
[   83.660502]  </TASK>


We are not aware of a patch fixing this issue.
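The ordering problem described in comment 10, as an added toy model in C that is not ksmbd code and is not part of this bug report: a work item is linked into the connection's async list, its `asynchronous` flag is cleared unconditionally while the response header is built, and the teardown path keys the unlink off that flag, so the work is released while its list entry is still reachable from its neighbour. The "freed" bit on the list node stands in for memory returned to the allocator; the count returned by `run_scenario()` is the number of neighbour-pointer writes that land in such memory, which is the "Write of size 8" KASAN reports in the trace above. The hardened variant, which unlinks based on actual list membership rather than the mutable flag, is one assumed way to restore the invariant (every object is off every list before it is freed); it is not a claim about the upstream fix, which this report says is unknown. The two-work sequence (one completing through the response path, one torn down while still marked asynchronous) is a constructed input.

```c
/* Constructed model of the async-work ordering bug from comment 10.
 * Not ksmbd code: names only loosely mirror ksmbd's, and the
 * "hardened" path is an assumed repair, not the upstream patch. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_node {
    struct list_node *prev, *next;
    bool freed;   /* models "this memory has been returned to the allocator" */
};

static void list_init(struct list_node *n) { n->prev = n->next = n; n->freed = false; }
static bool list_empty(const struct list_node *n) { return n->next == n; }
static void list_add_tail(struct list_node *n, struct list_node *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}
/* Unlink n. Returns how many of the two neighbour writes hit freed memory:
 * with a real allocator this is the write KASAN flags as a use-after-free. */
static int list_del_init(struct list_node *n)
{
    int bad = (n->prev->freed ? 1 : 0) + (n->next->freed ? 1 : 0);
    n->prev->next = n->next;
    n->next->prev = n->prev;
    list_init(n);
    return bad;
}

struct ksmbd_conn { struct list_node async_requests; };
struct ksmbd_work { struct list_node async_entry; bool asynchronous; };

/* Deferred LOCK handling: link the work and mark it asynchronous. */
static void setup_async_work(struct ksmbd_conn *c, struct ksmbd_work *w)
{
    list_add_tail(&w->async_entry, &c->async_requests);
    w->asynchronous = true;
}
/* Response-header init clears the flag with no check (the bug's root cause). */
static void init_rsp_hdr(struct ksmbd_work *w) { w->asynchronous = false; }

/* Vulnerable teardown: trusts the flag, so a cleared flag skips the unlink
 * and the work is released while still linked. */
static int dequeue_vulnerable(struct ksmbd_work *w)
{
    int bad = 0;
    if (w->asynchronous)
        bad = list_del_init(&w->async_entry);
    w->async_entry.freed = true;   /* kfree(w) in real code */
    return bad;
}
/* Hardened teardown (assumed repair): unlink based on actual membership. */
static int dequeue_hardened(struct ksmbd_work *w)
{
    int bad = 0;
    if (!list_empty(&w->async_entry))
        bad = list_del_init(&w->async_entry);
    w->async_entry.freed = true;
    return bad;
}

/* Two deferred works on one connection. 'a' completes through the response
 * path (flag cleared); 'b' is torn down while still asynchronous, so its
 * unlink writes into 'a'. Returns writes into freed memory observed. */
int run_scenario(bool hardened)
{
    struct ksmbd_conn conn;
    struct ksmbd_work a, b;
    int (*dequeue)(struct ksmbd_work *) = hardened ? dequeue_hardened : dequeue_vulnerable;
    int bad;

    list_init(&conn.async_requests);
    list_init(&a.async_entry);
    list_init(&b.async_entry);
    setup_async_work(&conn, &a);
    setup_async_work(&conn, &b);
    init_rsp_hdr(&a);
    bad = dequeue(&a);    /* vulnerable: 'a' freed but still on the list */
    bad += dequeue(&b);   /* vulnerable: list_del writes a.next into freed 'a' */
    return bad;
}

int main(void)
{
    printf("vulnerable: %d write(s) into freed memory\n", run_scenario(false));
    printf("hardened:   %d write(s) into freed memory\n", run_scenario(true));
    return 0;
}
```

The model keeps the kernel's intrusive-list shape on purpose: the dangling pointer lives in the neighbour, not in the freed object, which is why the crash surfaces in a later, unrelated `ksmbd_conn_try_dequeue_request()` rather than at the point of the free.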

Comment 11 Justin M. Forbes 2023-03-21 14:20:45 UTC
Fedora does not enable the KSMBD server.

