cve/published/2023/CVE-2023-52751.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52751: smb: client: fix use-after-free in smb2_query_info_compound()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 smb: client: fix use-after-free in smb2_query_info_compound()

 The following UAF was triggered when running fstests generic/072 with
 KASAN enabled against Windows Server 2022 and mount options
 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'

   BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]
   Read of size 8 at addr ffff888014941048 by task xfs_io/27534

   CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
   rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
   Call Trace:
    dump_stack_lvl+0x4a/0x80
    print_report+0xcf/0x650
    ? srso_alias_return_thunk+0x5/0x7f
    ? srso_alias_return_thunk+0x5/0x7f
    ? __phys_addr+0x46/0x90
    kasan_report+0xda/0x110
    ? smb2_query_info_compound+0x423/0x6d0 [cifs]
    ? smb2_query_info_compound+0x423/0x6d0 [cifs]
    smb2_query_info_compound+0x423/0x6d0 [cifs]
    ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]
    ? srso_alias_return_thunk+0x5/0x7f
    ? __stack_depot_save+0x39/0x480
    ? kasan_save_stack+0x33/0x60
    ? kasan_set_track+0x25/0x30
    ? ____kasan_slab_free+0x126/0x170
    smb2_queryfs+0xc2/0x2c0 [cifs]
    ? __pfx_smb2_queryfs+0x10/0x10 [cifs]
    ? __pfx___lock_acquire+0x10/0x10
    smb311_queryfs+0x210/0x220 [cifs]
    ? __pfx_smb311_queryfs+0x10/0x10 [cifs]
    ? srso_alias_return_thunk+0x5/0x7f
    ? __lock_acquire+0x480/0x26c0
    ? lock_release+0x1ed/0x640
    ? srso_alias_return_thunk+0x5/0x7f
    ? do_raw_spin_unlock+0x9b/0x100
    cifs_statfs+0x18c/0x4b0 [cifs]
    statfs_by_dentry+0x9b/0xf0
    fd_statfs+0x4e/0xb0
    __do_sys_fstatfs+0x7f/0xe0
    ? __pfx___do_sys_fstatfs+0x10/0x10
    ? srso_alias_return_thunk+0x5/0x7f
    ? lockdep_hardirqs_on_prepare+0x136/0x200
    ? srso_alias_return_thunk+0x5/0x7f
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x6e/0xd8

   Allocated by task 27534:
    kasan_save_stack+0x33/0x60
    kasan_set_track+0x25/0x30
    __kasan_kmalloc+0x8f/0xa0
    open_cached_dir+0x71b/0x1240 [cifs]
    smb2_query_info_compound+0x5c3/0x6d0 [cifs]
    smb2_queryfs+0xc2/0x2c0 [cifs]
    smb311_queryfs+0x210/0x220 [cifs]
    cifs_statfs+0x18c/0x4b0 [cifs]
    statfs_by_dentry+0x9b/0xf0
    fd_statfs+0x4e/0xb0
    __do_sys_fstatfs+0x7f/0xe0
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x6e/0xd8

   Freed by task 27534:
    kasan_save_stack+0x33/0x60
    kasan_set_track+0x25/0x30
    kasan_save_free_info+0x2b/0x50
    ____kasan_slab_free+0x126/0x170
    slab_free_freelist_hook+0xd0/0x1e0
    __kmem_cache_free+0x9d/0x1b0
    open_cached_dir+0xff5/0x1240 [cifs]
    smb2_query_info_compound+0x5c3/0x6d0 [cifs]
    smb2_queryfs+0xc2/0x2c0 [cifs]

 This is a race between open_cached_dir() and cached_dir_lease_break()
 where the cache entry for the open directory handle receives a lease
 break while creating it.  And before returning from open_cached_dir(),
 we put the last reference of the new @cfid because of
 !@cfid->has_lease.

 Besides the UAF, while running xfstests a lot of missed lease breaks
 have been noticed in tests that run several concurrent statfs(2) calls
 on those cached fids

   CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
   CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
   CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108
   CIFS: VFS: Dump pending requests:
   CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
   CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
   CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108
   ...

 To fix both, in open_cached_dir() ensure that @cfid->has_lease is set
 right before sending out compounded request so that any potential
 lease break will be get processed by demultiplex thread while we're
 still caching @cfid.  And, if open failed for some reason, re-check
 @cfid->has_lease to decide whether or not put lease reference.

 The Linux kernel CVE team has assigned CVE-2023-52751 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.5.13 with commit 6db94d08359c43f2c8fe372811cdee04564a41b9
 	Fixed in 6.6.3 with commit 93877b9afc2994c89362007aac480a7b150f386f
 	Fixed in 6.7 with commit 5c86919455c1edec99ebd3338ad213b59271a71b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52751
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/smb/client/cached_dir.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9
 	https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f
 	https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52751: smb: client: fix use-after-free in smb2_query_info_compound()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	smb: client: fix use-after-free in smb2_query_info_compound()

	The following UAF was triggered when running fstests generic/072 with
	KASAN enabled against Windows Server 2022 and mount options
	'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'

	BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]
	Read of size 8 at addr ffff888014941048 by task xfs_io/27534

	CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
	rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
	Call Trace:
	dump_stack_lvl+0x4a/0x80
	print_report+0xcf/0x650
	? srso_alias_return_thunk+0x5/0x7f
	? srso_alias_return_thunk+0x5/0x7f
	? __phys_addr+0x46/0x90
	kasan_report+0xda/0x110
	? smb2_query_info_compound+0x423/0x6d0 [cifs]
	? smb2_query_info_compound+0x423/0x6d0 [cifs]
	smb2_query_info_compound+0x423/0x6d0 [cifs]
	? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]
	? srso_alias_return_thunk+0x5/0x7f
	? __stack_depot_save+0x39/0x480
	? kasan_save_stack+0x33/0x60
	? kasan_set_track+0x25/0x30
	? ____kasan_slab_free+0x126/0x170
	smb2_queryfs+0xc2/0x2c0 [cifs]
	? __pfx_smb2_queryfs+0x10/0x10 [cifs]
	? __pfx___lock_acquire+0x10/0x10
	smb311_queryfs+0x210/0x220 [cifs]
	? __pfx_smb311_queryfs+0x10/0x10 [cifs]
	? srso_alias_return_thunk+0x5/0x7f
	? __lock_acquire+0x480/0x26c0
	? lock_release+0x1ed/0x640
	? srso_alias_return_thunk+0x5/0x7f
	? do_raw_spin_unlock+0x9b/0x100
	cifs_statfs+0x18c/0x4b0 [cifs]
	statfs_by_dentry+0x9b/0xf0
	fd_statfs+0x4e/0xb0
	__do_sys_fstatfs+0x7f/0xe0
	? __pfx___do_sys_fstatfs+0x10/0x10
	? srso_alias_return_thunk+0x5/0x7f
	? lockdep_hardirqs_on_prepare+0x136/0x200
	? srso_alias_return_thunk+0x5/0x7f
	do_syscall_64+0x3f/0x90
	entry_SYSCALL_64_after_hwframe+0x6e/0xd8

	Allocated by task 27534:
	kasan_save_stack+0x33/0x60
	kasan_set_track+0x25/0x30
	__kasan_kmalloc+0x8f/0xa0
	open_cached_dir+0x71b/0x1240 [cifs]
	smb2_query_info_compound+0x5c3/0x6d0 [cifs]
	smb2_queryfs+0xc2/0x2c0 [cifs]
	smb311_queryfs+0x210/0x220 [cifs]
	cifs_statfs+0x18c/0x4b0 [cifs]
	statfs_by_dentry+0x9b/0xf0
	fd_statfs+0x4e/0xb0
	__do_sys_fstatfs+0x7f/0xe0
	do_syscall_64+0x3f/0x90
	entry_SYSCALL_64_after_hwframe+0x6e/0xd8

	Freed by task 27534:
	kasan_save_stack+0x33/0x60
	kasan_set_track+0x25/0x30
	kasan_save_free_info+0x2b/0x50
	____kasan_slab_free+0x126/0x170
	slab_free_freelist_hook+0xd0/0x1e0
	__kmem_cache_free+0x9d/0x1b0
	open_cached_dir+0xff5/0x1240 [cifs]
	smb2_query_info_compound+0x5c3/0x6d0 [cifs]
	smb2_queryfs+0xc2/0x2c0 [cifs]

	This is a race between open_cached_dir() and cached_dir_lease_break()
	where the cache entry for the open directory handle receives a lease
	break while creating it. And before returning from open_cached_dir(),
	we put the last reference of the new @cfid because of
	!@cfid->has_lease.

	Besides the UAF, while running xfstests a lot of missed lease breaks
	have been noticed in tests that run several concurrent statfs(2) calls
	on those cached fids

	CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
	CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
	CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108
	CIFS: VFS: Dump pending requests:
	CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame...
	CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...
	CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108
	...

	To fix both, in open_cached_dir() ensure that @cfid->has_lease is set
	right before sending out compounded request so that any potential
	lease break will be get processed by demultiplex thread while we're
	still caching @cfid. And, if open failed for some reason, re-check
	@cfid->has_lease to decide whether or not put lease reference.

	The Linux kernel CVE team has assigned CVE-2023-52751 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.5.13 with commit 6db94d08359c43f2c8fe372811cdee04564a41b9
	Fixed in 6.6.3 with commit 93877b9afc2994c89362007aac480a7b150f386f
	Fixed in 6.7 with commit 5c86919455c1edec99ebd3338ad213b59271a71b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52751
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/smb/client/cached_dir.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9
	https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f
	https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b