| From bippy-1.1.0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@kernel.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-52757: smb: client: fix potential deadlock when releasing mids |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| smb: client: fix potential deadlock when releasing mids |
| |
| All release_mid() callers seem to hold a reference of @mid so there is |
| no need to call kref_put(&mid->refcount, __release_mid) under |
| @server->mid_lock spinlock. If they don't, then an use-after-free bug |
| would have occurred anyways. |
| |
| By getting rid of such spinlock also fixes a potential deadlock as |
| shown below |
| |
| CPU 0 CPU 1 |
| ------------------------------------------------------------------ |
| cifs_demultiplex_thread() cifs_debug_data_proc_show() |
| release_mid() |
| spin_lock(&server->mid_lock); |
| spin_lock(&cifs_tcp_ses_lock) |
| spin_lock(&server->mid_lock) |
| __release_mid() |
| smb2_find_smb_tcon() |
| spin_lock(&cifs_tcp_ses_lock) *deadlock* |
| |
| The Linux kernel CVE team has assigned CVE-2023-52757 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.10.237 with commit 99f476e27aad5964ab13777d84fda67d1356dec1 |
| Fixed in 5.15.181 with commit ce49569079a9d4cad26c0f1d4653382fd9a5ca7a |
| Fixed in 6.1.64 with commit 9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29 |
| Fixed in 6.5.13 with commit b9bb9607b1fc12fca51f5632da25b36975f599bf |
| Fixed in 6.6.3 with commit c1a5962f1462b64fe7b69f20a4b6af8067bc2d26 |
| Fixed in 6.7 with commit e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-52757 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/smb/client/cifsproto.h |
| fs/smb/client/smb2misc.c |
| fs/smb/client/transport.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/99f476e27aad5964ab13777d84fda67d1356dec1 |
| https://git.kernel.org/stable/c/ce49569079a9d4cad26c0f1d4653382fd9a5ca7a |
| https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29 |
| https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf |
| https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26 |
| https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 |
