CVE-2023-52741

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix use-after-free in rdata->read_into_pages() When the network status is unstable, use-after-free may occur when read data from the server. BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0 Call Trace: <TASK> dump_stack_lvl+0x38/0x4c print_report+0x16f/0x4a6 kasan_report+0xb7/0x130 readpages_fill_pages+0x14c/0x7e0 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 </TASK> Allocated by task 2535: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x82/0x90 cifs_readdata_direct_alloc+0x2c/0x110 cifs_readdata_alloc+0x2d/0x60 cifs_readahead+0x393/0xfe0 read_pages+0x12f/0x470 page_cache_ra_unbounded+0x1b1/0x240 filemap_get_pages+0x1c8/0x9a0 filemap_read+0x1c0/0x540 cifs_strict_readv+0x21b/0x240 vfs_read+0x395/0x4b0 ksys_read+0xb8/0x150 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 79: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x50 __kasan_slab_free+0x10e/0x1a0 __kmem_cache_free+0x7a/0x1a0 cifs_readdata_release+0x49/0x60 process_one_work+0x46c/0x760 worker_thread+0x2a4/0x6f0 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Last potentially related work creation: kasan_save_stack+0x22/0x50 __kasan_record_aux_stack+0x95/0xb0 insert_work+0x2b/0x130 __queue_work+0x1fe/0x660 queue_work_on+0x4b/0x60 smb2_readv_callback+0x396/0x800 cifs_abort_connection+0x474/0x6a0 cifs_reconnect+0x5cb/0xa50 cifs_readv_from_socket.cold+0x22/0x6c cifs_read_page_from_socket+0xc1/0x100 readpages_fill_pages.cold+0x2f/0x46 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 The following function calls will cause UAF of the rdata pointer. readpages_fill_pages cifs_read_page_from_socket cifs_readv_from_socket cifs_reconnect __cifs_reconnect cifs_abort_connection mid->callback() --> smb2_readv_callback queue_work(&rdata->work) # if the worker completes first, # the rdata is freed cifs_readv_complete kref_put cifs_readdata_release kfree(rdata) return rdata->... # UAF in readpages_fill_pages() Similarly, this problem also occurs in the uncache_fill_pages(). Fix this by adjusts the order of condition judgment in the return statement.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0	Patch
https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e	Patch
https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211	Patch
https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9	Patch
https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0	Patch
https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e	Patch
https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211	Patch
https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc7::::::

History

06 Jan 2025, 20:40

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:6.2:rc6:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.2:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-416
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0 -~~	() https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0 - Patch
References	~~() https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e -~~	() https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e - Patch
References	~~() https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211 -~~	() https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211 - Patch
References	~~() https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9 -~~	() https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9 - Patch

21 Nov 2024, 08:40

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0 -~~	() https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0 -
References	~~() https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e -~~	() https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e -
References	~~() https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211 -~~	() https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211 -
References	~~() https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9 -~~	() https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9 -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: corrige el use after free en rdata->read_into_pages(). Cuando el estado de la red es inestable, puede ocurrir el use after free al leer datos del servidor. BUG: KASAN: use after free en readpages_fill_pages+0x14c/0x7e0 Seguimiento de llamadas: dump_stack_lvl+0x38/0x4c print_report+0x16f/0x4a6 kasan_report+0xb7/0x130 readpages_fill_pages+0x14c/0x7e0 cifs_readv_receive+0x 46d/0xa40 cifs_demultiplex_thread+0x121c/ 0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Asignado por tarea 2535: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x82/0x90 cifs_readdata_direct_alloc+0x2c /0x110 cifs_readdata_alloc+0x2d/0x60 cifs_readahead+0x393/0xfe0 read_pages+0x12f/0x470 page_cache_ra_unbounded+0x1b1/0x240 filemap_get_pages+0x1c8/0x9a0 filemap_read+0x1c0/0x540 cifs_strict_readv+0x21b/0x240 vfs_read+0x395/0x4b0 ksys_read+0xb8/0 x150 do_syscall_64+0x3f/0x90 Entry_SYSCALL_64_after_hwframe+0x72/0xdc Liberado por la tarea 79: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x50 __kasan_slab_free+0x10e/0x1a0 __kmem_cache_free+0x7a/0x1a0 cifs_readdata_release+0x49/0x60 Process_one_work+0x46c /0x760 worker_thread+0x2a4/0x6f0 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Última creación de trabajo potencialmente relacionado: kasan_save_stack+0x22/0x50 __kasan_record_aux_stack+0x95/0xb0 insert_work+0x2b/0x130 __queue_work+0x1fe/0x660 queue_work_on+0x4b/0x60 smb2_readv_callback+0x396/0x800 ion+0x474/0x6a0 cifs_reconnect+0x5cb/0xa50 cifs_readv_from_socket.cold+ 0x22/0x6c cifs_read_page_from_socket+0xc1/0x100 readpages_fill_pages.cold+0x2f/0x46 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 x2c/0x50 Las siguientes llamadas a funciones causarán UAF del puntero rdata. readpages_fill_pages cifs_read_page_from_socket cifs_readv_from_socket cifs_reconnect __cifs_reconnect cifs_abort_connection mid->callback() --> smb2_readv_callback queue_work(&rdata->work) # si el trabajador completa primero, # los rdata se liberan cifs_readv_complete kref_put cifs_readdata_release kfree( rdata) devolver rdata->... # UAF en readpages_fill_pages() De manera similar, este problema también ocurre en uncache_fill_pages(). Solucione este problema ajustando el orden del juicio de condición en la declaración de devolución.

21 May 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-21 16:15

Updated : 2025-01-06 20:40

NVD link : CVE-2023-52741

Mitre link : CVE-2023-52741

CVE.ORG link : CVE-2023-52741

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10