2.1 KiB
CVE-2024-53186
Description
In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix use-after-free in SMB request handlingA race condition exists between SMB request handling inksmbd_conn_handler_loop() and the freeing of ksmbd_conn in theworkqueue handler handle_ksmbd_work(). This leads to a UAF.- KASAN: slab-use-after-free Read in handle_ksmbd_work- KASAN: slab-use-after-free in rtlock_slowlock_lockedThis race condition arises as follows:- ksmbd_conn_handler_loop() waits for conn->r_count to reach zero: wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);- Meanwhile, handle_ksmbd_work() decrements conn->r_count using atomic_dec_return(&conn->r_count), and if it reaches zero, calls ksmbd_conn_free(), which frees conn.- However, after handle_ksmbd_work() decrements conn->r_count, it may still access conn->r_count_q in the following line: waitqueue_active(&conn->r_count_q) or wake_up(&conn->r_count_q) This results in a UAF, as conn has already been freed.The discovery of this UAF can be referenced in the following PR forsyzkaller's support for SMB requests.
POC
Reference
No PoCs from references.