CVE-2024-26928: Linux Kernel SMB Client Vulnerability Resolved - UAF in "cifs_debug_files_proc_show()" Function

A recent vulnerability reported and resolved in the Linux kernel deals with the Server Message Block (SMB) protocol, which is widely used for sharing files, printers, and other resources on a network. The Linux implementation of SMB, commonly known as the "Common Internet File System" (CIFS), had a potential Use-After-Free (UAF) issue that could cause unexpected behavior or crashes. This vulnerability has been assigned the identifier CVE-2024-26928, and its resolution has been incorporated in the Linux kernel source code.

Vulnerability Details

The vulnerability discovered in the Linux kernel's CIFS implementation deals with a function called "cifs_debug_files_proc_show()". As the name suggests, this function serves to display debug information about open CIFS files (such as sessions, tree connections, and inodes) in the "/proc" filesystem. The bug lies in the fact that it did not properly handle "sessions that are being teared down", leading to potential UAF situations.

The code snippet where the vulnerability resided is as follows

static int cifs_debug_files_proc_show(struct seq_file *s, void *v)
{
   // ...
   if (SMB2_proc_skip_tcon(cli->server) &&
       c->status != CifsExiting &&
       c->tid != (uint16_t)-1) {
       // ...
   }
   // ...
}

This function would iterate through the list of sessions and, if certain conditions were met, perform actions on the related memory structures. However, it did not check if the session was in the process of being teared down, marked by the status "SES_EXITING".

Resolution and Patch

The developers of the Linux kernel have resolved this issue by adding a condition to skip sessions with the "SES_EXITING" status. Here's the fixed code snippet:

static int cifs_debug_files_proc_show(struct seq_file *s, void *v)
{
   // ...
   if (SMB2_proc_skip_tcon(cli->server) &&
       c->status != CifsExiting &&
       c->status != SesExiting &&     // Added this condition
       c->tid != (uint16_t)-1) {
       // ...
   }
   // ...
}

This small change ensures that the function will not perform actions on memory structures that are about to be freed, avoiding the UAF issue.

References

For more information about Linux CIFS implementation, see the Linux CIFS Project Homepage.

For details about the original patch and discussion within the Linux kernel community, check out the Linux Kernel Mailing List post.

Exploit Details

As of now, there are no known exploits in the wild that take advantage of this vulnerability. However, the bug could potentially be used to destabilize a Linux system or gain unauthorized access to resources. It is therefore crucial that users apply the latest available kernel updates to protect themselves from possible future attacks exploiting this vulnerability.

Timeline

Published on: 04/28/2024 12:15:21 UTC
Last modified on: 05/29/2024 05:25:10 UTC