ghsa-w9v5-63v9-9qvj
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in SMB request handling
A race condition exists between SMB request handling in
ksmbd_conn_handler_loop() and the freeing of ksmbd_conn in the
workqueue handler handle_ksmbd_work(). This leads to a UAF.
- KASAN: slab-use-after-free Read in handle_ksmbd_work
- KASAN: slab-use-after-free in rtlock_slowlock_locked
This race condition arises as follows:
- ksmbd_conn_handler_loop() waits for conn->r_count to reach zero:
wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);
- Meanwhile, handle_ksmbd_work() decrements conn->r_count using
atomic_dec_return(&conn->r_count), and if it reaches zero, calls
ksmbd_conn_free(), which frees conn.
- However, after handle_ksmbd_work() decrements conn->r_count,
it may still access conn->r_count_q in the following line:
waitqueue_active(&conn->r_count_q) or wake_up(&conn->r_count_q)
This results in a UAF, as conn has already been freed.
The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.
{
"affected": [],
"aliases": [
"CVE-2024-53186"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:26Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn-\u003er_count` to reach zero:\n `wait_event(conn-\u003er_count_q, atomic_read(\u0026conn-\u003er_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn-\u003er_count` using\n `atomic_dec_return(\u0026conn-\u003er_count)`, and if it reaches zero, calls\n `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn-\u003er_count`,\n it may still access `conn-\u003er_count_q` in the following line:\n `waitqueue_active(\u0026conn-\u003er_count_q)` or `wake_up(\u0026conn-\u003er_count_q)`\n This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller\u0027s support for SMB requests.",
"id": "GHSA-w9v5-63v9-9qvj",
"modified": "2025-01-14T18:31:53Z",
"published": "2024-12-27T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53186"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.