The use-after-free in smb2_is_status_io_timeout(): a local variable points to a memory region which may be freed in another thread.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2175613]
After CIFS transfers response data to the system call, there is still a local variable pointing to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region when it calls functions such as `smb2_is_status_io_timeout()`.

For Red Hat Enterprise Linux it is enabled as a module: CONFIG_CIFS=m

KSMBD and CIFS are the implementations of the in-kernel Samba server and CIFS; they are often disabled by the default Linux configuration, but you can enable them by adding the configuration below.

```
CONFIG_SMB_SERVER=y
CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN=y
CONFIG_CIFS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
CONFIG_CIFS_DEBUG=y
```
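A simplified C model of the ownership problem described in the comment above, added here as an illustration; it is not code from the kernel, from the CIFS module, or from the referenced fix commit. The `struct response` layout, the status constant, the function names and the synchronous `syscall_consume()` stand-in for the waiting system call are all assumptions made for the example. It places the dangling-pointer pattern (hand the buffer off, then dereference the old pointer) beside two defensive patterns: holding a reference across the handoff, or reading the status before the buffer is given away.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed values for the example; the real protocol constant and the
 * kernel's buffer layout are not reproduced here. */
#define STATUS_SUCCESS    0x00000000u
#define STATUS_IO_TIMEOUT 0xC00000B5u

/* Constructed stand-in for a received SMB2 response. The refcount is the
 * piece the buggy pattern lacks: it makes lifetime explicit. */
struct response {
	int refs;
	uint32_t status;
	char payload[64];
};

static int frees_seen; /* how many response buffers have been released */

int frees_observed(void) { return frees_seen; }

struct response *response_alloc(uint32_t status)
{
	struct response *r = calloc(1, sizeof(*r));
	if (!r)
		return NULL;
	r->refs = 1;
	r->status = status;
	return r;
}

void response_get(struct response *r) { r->refs++; }

void response_put(struct response *r)
{
	if (--r->refs == 0) {
		frees_seen++;
		free(r);
	}
}

int is_status_io_timeout(const struct response *r)
{
	return r->status == STATUS_IO_TIMEOUT;
}

/* Models the system-call side consuming the response and dropping its
 * reference. In the report this runs in another thread and races the
 * receive path; here it runs synchronously so the ordering is explicit. */
void syscall_consume(struct response *r)
{
	response_put(r);
}

/* Buggy pattern from the report: the receive path keeps a raw pointer after
 * handing the buffer to the caller and then dereferences it. With refs == 1
 * the buffer is already freed at the second line. Shown for contrast only;
 * nothing in this file calls it. */
int handle_response_unsafe(struct response *r)
{
	syscall_consume(r);             /* ownership is gone here */
	return is_status_io_timeout(r); /* dangling read */
}

/* Fix 1: hold an independent reference for as long as the pointer is used. */
int handle_response_with_ref(struct response *r)
{
	int timed_out;

	response_get(r);
	syscall_consume(r);
	timed_out = is_status_io_timeout(r); /* valid: we still hold a ref */
	response_put(r);
	return timed_out;
}

/* Fix 2: copy out what is needed before giving the buffer away. */
int handle_response_check_first(struct response *r)
{
	int timed_out = is_status_io_timeout(r);

	syscall_consume(r);
	return timed_out;
}

/* Two constructed scenarios exercising the safe variants. */
int scenario_timeout_with_ref(void)
{
	return handle_response_with_ref(response_alloc(STATUS_IO_TIMEOUT));
}

int scenario_success_check_first(void)
{
	return handle_response_check_first(response_alloc(STATUS_SUCCESS));
}

int main(void)
{
	printf("with_ref: timeout=%d frees=%d\n",
	       scenario_timeout_with_ref(), frees_observed());
	printf("check_first: timeout=%d frees=%d\n",
	       scenario_success_check_first(), frees_observed());
	return 0;
}
```

Both safe variants release the buffer exactly once; the difference is only where the receive path stops touching it. In a real driver the refcounted variant is the one that survives reordering, because the check-first variant still breaks as soon as someone adds another dereference after the handoff.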
Hi, is there more information for this? No related commit message can be found in the Linux kernel. If not, please reject the CVE.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 This was fixed for Fedora with the 6.3.4 stable kernel update.