A use after free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. When client uses CIFS, system calls about file operation will call cifs API to send samba request, and there is a CIFS kernel thread handler `cifs_demultiplex_thread()` which receives response from remote server and transfer those data to corresponding syscall request. After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` . Refer: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f ## KASAN report ``` [ 83.686500] ================================================================== [ 83.686821] BUG: KASAN: use-after-free in smb2_is_status_io_timeout+0x6e/0x70 [ 83.687136] Read of size 4 at addr ffff8880086d4808 by task cifsd/272 [ 83.687409] [ 83.687484] CPU: 1 PID: 272 Comm: cifsd Not tainted 6.0.6 #9 [ 83.687731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/04 [ 83.688081] Call Trace: [ 83.688209] <TASK> [ 83.688306] dump_stack_lvl+0x34/0x48 [ 83.688472] print_report.cold+0x5e/0x5e5 [ 83.688652] ? smb2_is_status_io_timeout+0x6e/0x70 [ 83.688864] kasan_report+0xa3/0x130 [ 83.689025] ? smb2_is_status_io_timeout+0x6e/0x70 [ 83.689237] smb2_is_status_io_timeout+0x6e/0x70 [ 83.689442] cifs_demultiplex_thread+0xdbe/0x1db0 [ 83.689647] ? update_load_avg+0x124/0x19b0 [ 83.689817] ? cifs_handle_standard+0x600/0x600 [ 83.689993] ? run_rebalance_domains+0x180/0x180 [ 83.690172] ? update_curr+0x233/0x520 [ 83.690330] ? __schedule+0x885/0x1a80 [ 83.690488] ? _raw_spin_lock_irqsave+0x88/0xe0 [ 83.690679] ? __cpuidle_text_end+0x1/0x1 [ 83.690838] ? __kthread_parkme+0x7e/0x150 [ 83.691012] ? cifs_handle_standard+0x600/0x600 [ 83.691204] kthread+0x267/0x300 [ 83.691338] ? kthread_complete_and_exit+0x20/0x20 [ 83.691542] ret_from_fork+0x22/0x30 [ 83.691688] </TASK> [ 83.691780] [ 83.691846] Allocated by task 272: [ 83.691985] kasan_save_stack+0x1e/0x40 [ 83.692142] __kasan_slab_alloc+0x66/0x80 [ 83.692306] kmem_cache_alloc+0xbf/0x200 [ 83.692457] mempool_alloc+0xfe/0x2d0 [ 83.692598] cifs_small_buf_get+0x2e/0x80 [ 83.692752] allocate_buffers+0x10d/0x320 [ 83.692902] cifs_demultiplex_thread+0x22e/0x1db0 [ 83.693082] kthread+0x267/0x300 [ 83.693218] ret_from_fork+0x22/0x30 [ 83.693374] [ 83.693443] Freed by task 399: [ 83.693576] kasan_save_stack+0x1e/0x40 [ 83.693743] kasan_set_track+0x21/0x30 [ 83.693907] kasan_set_free_info+0x20/0x40 [ 83.694083] __kasan_slab_free+0x108/0x190 [ 83.694261] kmem_cache_free+0x9c/0x340 [ 83.694428] free_rsp_buf+0x4c/0xe0 [ 83.694579] SMB2_open+0x1f6/0x17c0 [ 83.694731] smb2_open_file+0x166/0x650 [ 83.694896] cifs_open+0x82d/0x1b20 [ 83.695048] do_dentry_open+0x441/0x1020 [ 83.695219] path_openat+0x1fbe/0x3850 [ 83.695385] do_filp_open+0x1ac/0x3e0 [ 83.695545] do_open_execat+0xb9/0x5a0 [ 83.695706] bprm_execve+0x35b/0x1250 [ 83.695867] do_execveat_common.isra.0+0x4c6/0x660 [ 83.696073] __x64_sys_execve+0x83/0xb0 [ 83.696239] do_syscall_64+0x3b/0x90 [ 83.696394] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.696612] [ 83.696683] The buggy address belongs to the object at ffff8880086d4800 [ 83.696683] which belongs to the cache cifs_small_rq of size 448 [ 83.697216] The buggy address is located 8 bytes inside of [ 83.697216] 448-byte region [ffff8880086d4800, ffff8880086d49c0) [ 83.697694] [ 83.697766] The buggy address belongs to the physical page: [ 83.698001] page:00000000eca794da refcount:1 mapcount:0 mapping:0000000000000000 inde4 [ 83.698401] head:00000000eca794da order:1 compound_mapcount:0 compound_pincount:0 [ 83.698716] flags: 0x100000000010200(slab|head|node=0|zone=1) [ 83.698961] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888007748b40 [ 83.699290] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 83.699616] page dumped because: kasan: bad access detected [ 83.699852] [ 83.699927] Memory state around the buggy address: [ 83.700130] ffff8880086d4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.700436] ffff8880086d4780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 83.700742] >ffff8880086d4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.701049] ^ [ 83.701205] ffff8880086d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.701508] ffff8880086d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.701813] ================================================================== [ 83.702134] Disabling lock debugging due to kernel taint ```
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2175613]
After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` . For the Red Hat Enterprise Linux it is enabled as module: CONFIG_CIFS=m KSMBD and CIFS are the implementation of in-kernel samba server and CIFS, they are often disabled by default Linux configuration, but you can enable then by adding configuration below. ``` CONFIG_SMB_SERVER=y CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN=y CONFIG_CIFS=y CONFIG_CIFS_STATS2=y CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y CONFIG_CIFS_DEBUG=y ```
Hi, is there more information for this? No related commit message can be found in the Linux Kernel. if not, please reject the CVE.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 This was fixed for Fedora with the 6.3.4 stable kernel update.
(In reply to Justin M. Forbes from comment #12) > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 > > This was fixed for Fedora with the 6.3.4 stable kernel update. Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?
In reply to comment #13: > (In reply to Justin M. Forbes from comment #12) > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ > > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 > > > > This was fixed for Fedora with the 6.3.4 stable kernel update. > > Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be > cifs related? Transferring needinfo to Alex.
In reply to comment #14: > In reply to comment #13: > > (In reply to Justin M. Forbes from comment #12) > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ > > > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 > > > > > > This was fixed for Fedora with the 6.3.4 stable kernel update. > > > > Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be > > cifs related? > > Transferring needinfo to Alex. Since this one is Low priority one, keeping it as is (means keep Fedora not affected even if patch id=98bea253aa noted incorrectly). More details (that is comment after analyses of this bug for Red Hat Linux 9): "This does not look exploitable and at worst, dereferencing an int from the free'e memory can trigger a spurious reconnect to the server which should not cause any disruption to the application, except a syscall might be slightly delayed. It is not fixed in the upstream kernel yet, but there are still several other issues in upstream kernel that can trigger reconnections like this that will be fixed over time."
After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` .
(In reply to Salvatore Bonaccorso from comment #13) > (In reply to Justin M. Forbes from comment #12) > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ > > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5 > > > > This was fixed for Fedora with the 6.3.4 stable kernel update. > > Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be > cifs related? It appears it may not be. I got the "fix" reference by looking up the CVE on https://www.linuxkernelcves.com/cves/CVE-2023-1192 while going through older CVEs that had been open for a bit. While I had not noticed their data being incorrect before, it appears this time to be.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7548 https://access.redhat.com/errata/RHSA-2023:7548
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7549 https://access.redhat.com/errata/RHSA-2023:7549
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7749 https://access.redhat.com/errata/RHSA-2023:7749
smb2_is_status_io_timeout() is only ever called from cifs_demultiplex_thread(). That happens after it conditionally decrypts the original receive buffer (buf) into one or more new buffers (bufs[...]), or otherwise sets bufs[0] = buf. The decryption process looks like it can free the original buffer, resulting in the reported UAF. If the error code is part of the encrypted payload, then I think the check for an I/O timeout should use bufs[0] like other code further down the function: --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -1236,7 +1236,7 @@ cifs_demultiplex_thread(void *p) } if (server->ops->is_status_io_timeout && - server->ops->is_status_io_timeout(buf)) { + server->ops->is_status_io_timeout(bufs[0])) { num_io_timeout++; if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { cifs_server_dbg(VFS, --- END --- If the error code does not get encrypted, then the timeout check needs to be done further up the function. Does anyone have a reproducer for this?
Asked upstream in https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan
In reply to comment #25: > Asked upstream in > https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan Transferring needinfo to Alex
The patch is: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0439 https://access.redhat.com/errata/RHSA-2024:0439
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0448 https://access.redhat.com/errata/RHSA-2024:0448
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562
*** Bug 2267746 has been marked as a duplicate of this bug. ***
CVE-2023-52572 is a duplicate of CVE-2023-1192
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250
The CNA for the kernel is asking we mark this CVE as duplicate rather than CVE-2023-52572 See upstream thread https://lore.kernel.org/all/2024030256-CVE-2023-52572-2b92@gregkh/T/#u
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Telecommunications Update Service Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006