2324423 – (CVE-2024-50152) CVE-2024-50152 kernel: smb: client: fix possible double free in smb2_set_ea()

Bug 2324423 (CVE-2024-50152) - CVE-2024-50152 kernel: smb: client: fix possible double free in smb2_set_ea()

Summary: CVE-2024-50152 kernel: smb: client: fix possible double free in smb2_set_ea()

Keywords:
Status:	NEW
Alias:	CVE-2024-50152
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2324453
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-07 17:02 UTC by OSIDB Bzimport
Modified:	2024-11-21 15:15 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-11-07 17:02:09 UTC

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix possible double free in smb2_set_ea()

Clang static checker(scan-build) warning：
fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
 1304 |         kfree(ea);
      |         ^~~~~~~~~

There is a double free in such case:
'ea is initialized to NULL' -> 'first successful memory allocation for
ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
for ea' -> 'second memory release for ea resulted in double free'.

Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
double free problem.

Comment 1 Robb Gatica 2024-11-07 19:39:19 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50152-535e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.