CVE-2023-52752: Linux Kernel SMB Client Use-After-Free Vulnerability Fixed

A use-after-free bug in the Linux kernel's SMB (CIFS) client has been fixed. This post summarises the vulnerability, shows the kernel trace that exposed it and the shape of the fix, and links to the original references.

Vulnerability Details

The vulnerability has been assigned CVE-2023-52752 and is fixed by the Linux kernel commit titled:

smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

The fix makes cifs_debug_data_proc_show() skip SMB sessions that are in the process of being torn down (those with ses->ses_status == SES_EXITING), so that the function never dereferences a session object that is being, or has just been, freed.

The bug manifests as a general protection fault (GPF) when /proc/fs/cifs/DebugData, whose handler is cifs_debug_data_proc_show(), is read while a share is being mounted or unmounted:

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  <TASK>
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381

The faulting address is the tell: 0x6b6b6b6b6b6b6d81 is the kernel's slab free-poison pattern (POISON_FREE, the byte 0x6b repeated) plus a small offset, which is the signature of a pointer loaded from an already-freed object. The top frames show the dereference happening in cifs_debug_tcon() while cifs_debug_data_proc_show() was walking the tree connections of a session that was being torn down. The fix closes that window by checking ses->ses_status before touching anything hanging off the session and skipping the session when it is SES_EXITING.
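To make the shape of the bug and of the fix concrete, here is an added user-space model (example code written for this post, not the kernel's own code and not from the original commit). It walks a constructed session list the way the DebugData handler does, once as before the fix and once skipping SES_EXITING sessions, and adds a small triage helper for a faulting address like the one in the trace above. The structure layout, the names cifs_ses / cifs_tcon / SES_EXITING as used here, the in-place POISON_FREE simulation of slab teardown and the 64 KiB struct-offset bound are all assumptions of the example.

```c
/*
 * Added example, not kernel code: a user-space model of the session walk
 * that CVE-2023-52752 fixes.  Structures and names are assumed
 * simplifications of the kernel's.  Teardown is simulated by filling the
 * released tree connections with the slab poison byte (0x6b) instead of
 * freeing them, so the unsafe walk reads defined garbage rather than faulting.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte the kernel writes over freed slab objects */
#define MAX_TCONS   4

enum ses_status { SES_GOOD = 1, SES_EXITING = 2 };

struct cifs_tcon { char share_name[32]; };

struct cifs_ses {
    enum ses_status ses_status;
    char user_name[32];
    int num_tcons;
    struct cifs_tcon tcons[MAX_TCONS];   /* released (poisoned) once teardown starts */
    struct cifs_ses *next;
};

/* Simulated teardown window: status flips to SES_EXITING, then the tree
 * connections are released and their memory is poisoned. */
static void ses_begin_teardown(struct cifs_ses *ses)
{
    ses->ses_status = SES_EXITING;
    memset(ses->tcons, POISON_FREE, sizeof ses->tcons);
}

static void append(char *out, size_t outsz, const char *line)
{
    strncat(out, line, outsz - strlen(out) - 1);
}

/* Model of the DebugData walk.  with_fix=false is the pre-fix behaviour:
 * every session is dumped, tree connections included, even mid-teardown.
 * with_fix=true is the patched behaviour: SES_EXITING sessions are skipped
 * before anything under them is read. */
static void debug_data_show(const struct cifs_ses *list, bool with_fix,
                            char *out, size_t outsz)
{
    char line[48];
    out[0] = '\0';
    for (const struct cifs_ses *ses = list; ses; ses = ses->next) {
        if (with_fix && ses->ses_status == SES_EXITING)
            continue;
        snprintf(line, sizeof line, "ses: %.31s\n", ses->user_name);
        append(out, outsz, line);
        for (int i = 0; i < ses->num_tcons; i++) {   /* cifs_debug_tcon() equivalent */
            snprintf(line, sizeof line, "  tcon: %.31s\n", ses->tcons[i].share_name);
            append(out, outsz, line);
        }
    }
}

/* Constructed sample: two sessions, the second one in the middle of umount. */
static struct cifs_ses sample[2];

static const struct cifs_ses *build_sample(void)
{
    memset(sample, 0, sizeof sample);
    sample[0].ses_status = SES_GOOD;
    strcpy(sample[0].user_name, "alice");
    sample[0].num_tcons = 1;
    strcpy(sample[0].tcons[0].share_name, "\\\\srv\\docs");
    sample[0].next = &sample[1];
    sample[1].ses_status = SES_GOOD;
    strcpy(sample[1].user_name, "bob");
    sample[1].num_tcons = 1;
    strcpy(sample[1].tcons[0].share_name, "\\\\srv\\scratch");
    ses_begin_teardown(&sample[1]);
    return &sample[0];
}

/* True if the dump contains slab-poison bytes, i.e. freed memory was read
 * (0x6b is ASCII 'k', so a poisoned name shows up as a run of k's). */
static bool dump_reads_freed_memory(bool with_fix)
{
    char buf[512];
    debug_data_show(build_sample(), with_fix, buf, sizeof buf);
    return strstr(buf, "kkkk") != NULL;
}

/* Triage helper for a GPF like the one in the advisory: if the faulting
 * address is the 64-bit POISON_FREE pattern plus a small field offset, a
 * pointer loaded from a freed object was dereferenced.  Returns the offset,
 * or -1 if the address does not look like poison. */
static long poison_offset(uint64_t fault_addr)
{
    const uint64_t poison = 0x6b6b6b6b6b6b6b6bULL;
    uint64_t off = fault_addr - poison;
    return off < 0x10000 ? (long)off : -1;   /* assumption: struct offsets are < 64 KiB */
}

int main(void)
{
    char buf[512];
    debug_data_show(build_sample(), false, buf, sizeof buf);
    printf("before fix:\n%s", buf);
    debug_data_show(build_sample(), true, buf, sizeof buf);
    printf("after fix:\n%s", buf);
    printf("GPF address 0x6b6b6b6b6b6b6d81 = POISON_FREE + 0x%lx\n",
           poison_offset(0x6b6b6b6b6b6b6d81ULL));
    return 0;
}
```

The pre-fix walk dumps a line of k's for the torn-down session's tree connection, which is what reading poisoned memory looks like before the kernel faults on a pointer inside it; the fixed walk lists only alice. The status check sits before any field of the session is used, which is the ordering that matters: checking it after the tree-connection walk would not help.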

Original References

[1] Linux kernel source: https://github.com/torvalds/linux/blob/master/fs/cifs/connect.c#L4135 (the fs/cifs tree was renamed to fs/smb/client in Linux 6.4, so this path no longer resolves on master)

[2] Linux commit fixing the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a6d18e1fa7445c1ad6dff6019df2dce8ed719aed

[3] Report on the Linux kernel mailing list: https://lkml.org/lkml/2021/8/30/1204

Conclusion

CVE-2023-52752 is a use-after-free in the Linux SMB client's /proc/fs/cifs/DebugData handler, reachable by reading that file while sessions are being set up or torn down; the fix skips sessions in the SES_EXITING state. The immediate impact is a kernel crash (the GPF shown above). Make sure your kernel includes the fix commit listed below, and when triaging similar crashes, treat a fault address made of the 0x6b poison byte as a freed-object dereference rather than a random memory error.

Timeline

Published on: 05/21/2024 16:15:14 UTC
Last modified on: 08/02/2024 23:11:35 UTC