admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
cvelist/2024/53xxx/CVE-2024-53186.json
CVE Team acb2663c65
"-Synchronized-Data."
2024-12-29 03:20:19 +00:00

134 lines
7.4 KiB
JSON
Raw Blame History

{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-53186",
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:\n `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using\n `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls\n `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn->r_count`,\n it may still access `conn->r_count_q` in the following line:\n `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`\n This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller's support for SMB requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "18f06bacc197d4ac9b518ad1c69999bc3d83e7aa",
"version_value": "a96f9eb7add30ba0fafcfe7b7aca090978196800"
},
{
"version_affected": "<",
"version_name": "e9dac92f4482a382e8c0fe1bc243da5fc3526b0c",
"version_value": "f20b77f7897e6aab9ce5527e6016ad2be5d70a33"
},
{
"version_affected": "<",
"version_name": "ee426bfb9d09b29987369b897fe9b6485ac2be27",
"version_value": "96261adb998a3b513468b6ce17dbec76be5507d4"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.12",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.12",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800"
},
{
"url": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33"
},
{
"url": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4"
},
{
"url": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}
Reference in New Issue View Git Blame Copy Permalink