Bug 2154178 (CVE-2023-1192) - CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout()
Summary: CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout()
Keywords:
Status: NEW
Alias: CVE-2023-1192
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
: CVE-2023-52572 (view as bug list)
Depends On: 2175613 2175614 2175615 2175616 2175617
Blocks: 2267764 2139758
TreeView+ depends on / blocked
 
Reported: 2022-12-16 06:05 UTC by TEJ RATHI
Modified: 2024-04-23 16:40 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0637 0 None None None 2024-02-01 00:08:59 UTC
Red Hat Product Errata RHBA-2024:0673 0 None None None 2024-02-05 10:13:21 UTC
Red Hat Product Errata RHBA-2024:0688 0 None None None 2024-02-05 17:04:32 UTC
Red Hat Product Errata RHSA-2023:7539 0 None None None 2023-11-28 15:35:40 UTC
Red Hat Product Errata RHSA-2023:7548 0 None None None 2023-11-28 15:11:34 UTC
Red Hat Product Errata RHSA-2023:7549 0 None None None 2023-11-28 15:23:47 UTC
Red Hat Product Errata RHSA-2023:7749 0 None None None 2023-12-12 17:22:24 UTC
Red Hat Product Errata RHSA-2024:0412 0 None None None 2024-01-24 16:43:07 UTC
Red Hat Product Errata RHSA-2024:0439 0 None None None 2024-01-24 16:35:40 UTC
Red Hat Product Errata RHSA-2024:0448 0 None None None 2024-01-24 16:37:32 UTC
Red Hat Product Errata RHSA-2024:0562 0 None None None 2024-01-30 12:27:43 UTC
Red Hat Product Errata RHSA-2024:0563 0 None None None 2024-01-30 12:26:56 UTC
Red Hat Product Errata RHSA-2024:1250 0 None None None 2024-03-12 00:43:17 UTC
Red Hat Product Errata RHSA-2024:1306 0 None None None 2024-03-13 09:08:47 UTC
Red Hat Product Errata RHSA-2024:2006 0 None None None 2024-04-23 16:40:09 UTC
Red Hat Product Errata RHSA-2024:2008 0 None None None 2024-04-23 16:28:13 UTC

Description TEJ RATHI 2022-12-16 06:05:24 UTC 
A use after free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. 

When client uses CIFS, system calls about file operation will call cifs API to send samba request, and there is a CIFS kernel thread handler `cifs_demultiplex_thread()` which receives response from remote server and transfer those data to corresponding syscall request.

After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` .

Refer:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f

## KASAN report

```
[   83.686500] ==================================================================
[   83.686821] BUG: KASAN: use-after-free in smb2_is_status_io_timeout+0x6e/0x70
[   83.687136] Read of size 4 at addr ffff8880086d4808 by task cifsd/272
[   83.687409]
[   83.687484] CPU: 1 PID: 272 Comm: cifsd Not tainted 6.0.6 #9
[   83.687731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/04
[   83.688081] Call Trace:
[   83.688209]  <TASK>
[   83.688306]  dump_stack_lvl+0x34/0x48
[   83.688472]  print_report.cold+0x5e/0x5e5
[   83.688652]  ? smb2_is_status_io_timeout+0x6e/0x70
[   83.688864]  kasan_report+0xa3/0x130
[   83.689025]  ? smb2_is_status_io_timeout+0x6e/0x70
[   83.689237]  smb2_is_status_io_timeout+0x6e/0x70
[   83.689442]  cifs_demultiplex_thread+0xdbe/0x1db0
[   83.689647]  ? update_load_avg+0x124/0x19b0
[   83.689817]  ? cifs_handle_standard+0x600/0x600
[   83.689993]  ? run_rebalance_domains+0x180/0x180
[   83.690172]  ? update_curr+0x233/0x520
[   83.690330]  ? __schedule+0x885/0x1a80
[   83.690488]  ? _raw_spin_lock_irqsave+0x88/0xe0
[   83.690679]  ? __cpuidle_text_end+0x1/0x1
[   83.690838]  ? __kthread_parkme+0x7e/0x150
[   83.691012]  ? cifs_handle_standard+0x600/0x600
[   83.691204]  kthread+0x267/0x300
[   83.691338]  ? kthread_complete_and_exit+0x20/0x20
[   83.691542]  ret_from_fork+0x22/0x30
[   83.691688]  </TASK>
[   83.691780]
[   83.691846] Allocated by task 272:
[   83.691985]  kasan_save_stack+0x1e/0x40
[   83.692142]  __kasan_slab_alloc+0x66/0x80
[   83.692306]  kmem_cache_alloc+0xbf/0x200
[   83.692457]  mempool_alloc+0xfe/0x2d0
[   83.692598]  cifs_small_buf_get+0x2e/0x80
[   83.692752]  allocate_buffers+0x10d/0x320
[   83.692902]  cifs_demultiplex_thread+0x22e/0x1db0
[   83.693082]  kthread+0x267/0x300
[   83.693218]  ret_from_fork+0x22/0x30
[   83.693374]
[   83.693443] Freed by task 399:
[   83.693576]  kasan_save_stack+0x1e/0x40
[   83.693743]  kasan_set_track+0x21/0x30
[   83.693907]  kasan_set_free_info+0x20/0x40
[   83.694083]  __kasan_slab_free+0x108/0x190
[   83.694261]  kmem_cache_free+0x9c/0x340
[   83.694428]  free_rsp_buf+0x4c/0xe0
[   83.694579]  SMB2_open+0x1f6/0x17c0
[   83.694731]  smb2_open_file+0x166/0x650
[   83.694896]  cifs_open+0x82d/0x1b20
[   83.695048]  do_dentry_open+0x441/0x1020
[   83.695219]  path_openat+0x1fbe/0x3850
[   83.695385]  do_filp_open+0x1ac/0x3e0
[   83.695545]  do_open_execat+0xb9/0x5a0
[   83.695706]  bprm_execve+0x35b/0x1250
[   83.695867]  do_execveat_common.isra.0+0x4c6/0x660
[   83.696073]  __x64_sys_execve+0x83/0xb0
[   83.696239]  do_syscall_64+0x3b/0x90
[   83.696394]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   83.696612]
[   83.696683] The buggy address belongs to the object at ffff8880086d4800
[   83.696683]  which belongs to the cache cifs_small_rq of size 448
[   83.697216] The buggy address is located 8 bytes inside of
[   83.697216]  448-byte region [ffff8880086d4800, ffff8880086d49c0)
[   83.697694]
[   83.697766] The buggy address belongs to the physical page:
[   83.698001] page:00000000eca794da refcount:1 mapcount:0 mapping:0000000000000000 inde4
[   83.698401] head:00000000eca794da order:1 compound_mapcount:0 compound_pincount:0
[   83.698716] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   83.698961] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888007748b40
[   83.699290] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   83.699616] page dumped because: kasan: bad access detected
[   83.699852]
[   83.699927] Memory state around the buggy address:
[   83.700130]  ffff8880086d4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.700436]  ffff8880086d4780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   83.700742] >ffff8880086d4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701049]                       ^
[   83.701205]  ffff8880086d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701508]  ffff8880086d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701813] ==================================================================
[   83.702134] Disabling lock debugging due to kernel taint
```
Comment 4 Rohit Keshri 2023-03-06 06:37:34 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2175613]
Comment 6 Alex 2023-03-06 08:40:14 UTC 
After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` .

For the Red Hat Enterprise Linux it is enabled as module:
CONFIG_CIFS=m

KSMBD and CIFS are the implementation of in-kernel samba server and CIFS, they are often disabled by default Linux configuration, but you can enable then by adding configuration below.

```
CONFIG_SMB_SERVER=y
CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN=y

CONFIG_CIFS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
CONFIG_CIFS_DEBUG=y
```
Comment 11 Marcus Meissner 2023-07-09 09:22:25 UTC 
Hi,

is there more information for this?

No related commit message can be found in the Linux Kernel.

if not, please reject the CVE.
Comment 12 Justin M. Forbes 2023-07-18 18:41:49 UTC 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5

This was fixed for Fedora with the 6.3.4 stable kernel update.
Comment 13 Salvatore Bonaccorso 2023-09-23 15:15:19 UTC 
(In reply to Justin M. Forbes from comment #12)
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> 
> This was fixed for Fedora with the 6.3.4 stable kernel update.

Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be cifs related?
Comment 14 TEJ RATHI 2023-09-25 08:23:41 UTC 
In reply to comment #13:
> (In reply to Justin M. Forbes from comment #12)
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> > 
> > This was fixed for Fedora with the 6.3.4 stable kernel update.
> 
> Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be
> cifs related?

Transferring needinfo to Alex.
Comment 15 Alex 2023-10-19 17:15:17 UTC 
In reply to comment #14:
> In reply to comment #13:
> > (In reply to Justin M. Forbes from comment #12)
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> > > 
> > > This was fixed for Fedora with the 6.3.4 stable kernel update.
> > 
> > Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be
> > cifs related?
> 
> Transferring needinfo to Alex.

Since this one is Low priority one, keeping it as is (means keep Fedora not affected even if patch id=98bea253aa noted incorrectly).
More details (that is comment after analyses of this bug for Red Hat Linux 9):
"This does not look exploitable and at worst, dereferencing an int from the free'e memory can trigger a spurious reconnect to the server which should not cause any disruption to the application, except a syscall might be slightly delayed.
It is not fixed in the upstream kernel yet, but there are still several other issues in upstream kernel that can trigger reconnections like this that will be fixed over time."
Comment 16 Rohit Keshri 2023-10-31 13:10:33 UTC 
After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` .
Comment 19 Justin M. Forbes 2023-11-23 13:44:10 UTC 
(In reply to Salvatore Bonaccorso from comment #13)
> (In reply to Justin M. Forbes from comment #12)
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5
> > 
> > This was fixed for Fedora with the 6.3.4 stable kernel update.
> 
> Is this correct? The referenced fix is in fs/ntfs3 but the issue seems to be
> cifs related?

It appears it may not be. I got the "fix" reference by looking up the CVE on https://www.linuxkernelcves.com/cves/CVE-2023-1192 while going through older CVEs that had been open for a bit. While I had not noticed their data being incorrect before, it appears this time to be.
Comment 20 errata-xmlrpc 2023-11-28 15:11:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7548 https://access.redhat.com/errata/RHSA-2023:7548
Comment 21 errata-xmlrpc 2023-11-28 15:23:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7549 https://access.redhat.com/errata/RHSA-2023:7549
Comment 22 errata-xmlrpc 2023-11-28 15:35:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539
Comment 23 errata-xmlrpc 2023-12-12 17:22:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7749 https://access.redhat.com/errata/RHSA-2023:7749
Comment 24 Ben Hutchings 2023-12-18 23:09:09 UTC 
smb2_is_status_io_timeout() is only ever called from cifs_demultiplex_thread().
That happens after it conditionally decrypts the original receive buffer (buf) into
one or more new buffers (bufs[...]), or otherwise sets bufs[0] = buf.  The
decryption process looks like it can free the original buffer, resulting in the
reported UAF.

If the error code is part of the encrypted payload, then I think the check for an
I/O timeout should use bufs[0] like other code further down the function:

--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1236,7 +1236,7 @@ cifs_demultiplex_thread(void *p)
                }
 
                if (server->ops->is_status_io_timeout &&
-                   server->ops->is_status_io_timeout(buf)) {
+                   server->ops->is_status_io_timeout(bufs[0])) {
                        num_io_timeout++;
                        if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) {
                                cifs_server_dbg(VFS,
--- END ---

If the error code does not get encrypted, then the timeout check needs to be done
further up the function.

Does anyone have a reproducer for this?
Comment 25 Salvatore Bonaccorso 2024-01-05 13:56:28 UTC 
Asked upstream in https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan
Comment 26 TEJ RATHI 2024-01-08 11:45:21 UTC 
In reply to comment #25:
> Asked upstream in
> https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan

Transferring needinfo to Alex
Comment 28 Alex 2024-01-18 13:45:01 UTC 
The patch is:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f
Comment 29 errata-xmlrpc 2024-01-24 16:35:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0439 https://access.redhat.com/errata/RHSA-2024:0439
Comment 30 errata-xmlrpc 2024-01-24 16:37:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0448 https://access.redhat.com/errata/RHSA-2024:0448
Comment 31 errata-xmlrpc 2024-01-24 16:43:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412
Comment 32 errata-xmlrpc 2024-01-30 12:26:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563
Comment 33 errata-xmlrpc 2024-01-30 12:27:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562
Comment 35 Rohit Keshri 2024-03-05 18:31:05 UTC 
*** Bug 2267746 has been marked as a duplicate of this bug. ***
Comment 36 Rohit Keshri 2024-03-08 10:10:41 UTC 
CVE-2023-52572 is a duplicate of CVE-2023-1192
Comment 37 errata-xmlrpc 2024-03-12 00:43:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250
Comment 38 Martin Poole 2024-03-12 11:46:50 UTC 
The CNA for the kernel is asking we mark this CVE as duplicate rather than CVE-2023-52572

See upstream thread

https://lore.kernel.org/all/2024030256-CVE-2023-52572-2b92@gregkh/T/#u
Comment 39 errata-xmlrpc 2024-03-13 09:08:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
Comment 42 errata-xmlrpc 2024-04-23 16:28:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008
Comment 43 errata-xmlrpc 2024-04-23 16:40:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006
Note You need to log in before you can comment on or make changes to this bug.