First published: Fri Dec 16 2022 (Updated: )
A use-after-free flaw was found in smb2_is_status_io_timeout() in the CIFS client in the Linux kernel. When a client uses CIFS, file-operation system calls invoke the CIFS API to send SMB requests, and a CIFS kernel thread, `cifs_demultiplex_thread()`, receives the responses from the remote server and hands the data to the corresponding waiting syscall. After the response has been handed over, the thread still holds a local pointer to the buffer; if the syscall frees that buffer before the thread is finished with it, the thread reads freed memory when it calls functions such as `smb2_is_status_io_timeout()`. Refer: <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d527f51331cace562393a8038d870b3e9916686f</a>

## KASAN report

```
[   83.686500] ==================================================================
[   83.686821] BUG: KASAN: use-after-free in smb2_is_status_io_timeout+0x6e/0x70
[   83.687136] Read of size 4 at addr ffff8880086d4808 by task cifsd/272
[   83.687409]
[   83.687484] CPU: 1 PID: 272 Comm: cifsd Not tainted 6.0.6 #9
[   83.687731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/04
[   83.688081] Call Trace:
[   83.688209]  <TASK>
[   83.688306]  dump_stack_lvl+0x34/0x48
[   83.688472]  print_report.cold+0x5e/0x5e5
[   83.688652]  ? smb2_is_status_io_timeout+0x6e/0x70
[   83.688864]  kasan_report+0xa3/0x130
[   83.689025]  ? smb2_is_status_io_timeout+0x6e/0x70
[   83.689237]  smb2_is_status_io_timeout+0x6e/0x70
[   83.689442]  cifs_demultiplex_thread+0xdbe/0x1db0
[   83.689647]  ? update_load_avg+0x124/0x19b0
[   83.689817]  ? cifs_handle_standard+0x600/0x600
[   83.689993]  ? run_rebalance_domains+0x180/0x180
[   83.690172]  ? update_curr+0x233/0x520
[   83.690330]  ? __schedule+0x885/0x1a80
[   83.690488]  ? _raw_spin_lock_irqsave+0x88/0xe0
[   83.690679]  ? __cpuidle_text_end+0x1/0x1
[   83.690838]  ? __kthread_parkme+0x7e/0x150
[   83.691012]  ? cifs_handle_standard+0x600/0x600
[   83.691204]  kthread+0x267/0x300
[   83.691338]  ? kthread_complete_and_exit+0x20/0x20
[   83.691542]  ret_from_fork+0x22/0x30
[   83.691688]  </TASK>
[   83.691780]
[   83.691846] Allocated by task 272:
[   83.691985]  kasan_save_stack+0x1e/0x40
[   83.692142]  __kasan_slab_alloc+0x66/0x80
[   83.692306]  kmem_cache_alloc+0xbf/0x200
[   83.692457]  mempool_alloc+0xfe/0x2d0
[   83.692598]  cifs_small_buf_get+0x2e/0x80
[   83.692752]  allocate_buffers+0x10d/0x320
[   83.692902]  cifs_demultiplex_thread+0x22e/0x1db0
[   83.693082]  kthread+0x267/0x300
[   83.693218]  ret_from_fork+0x22/0x30
[   83.693374]
[   83.693443] Freed by task 399:
[   83.693576]  kasan_save_stack+0x1e/0x40
[   83.693743]  kasan_set_track+0x21/0x30
[   83.693907]  kasan_set_free_info+0x20/0x40
[   83.694083]  __kasan_slab_free+0x108/0x190
[   83.694261]  kmem_cache_free+0x9c/0x340
[   83.694428]  free_rsp_buf+0x4c/0xe0
[   83.694579]  SMB2_open+0x1f6/0x17c0
[   83.694731]  smb2_open_file+0x166/0x650
[   83.694896]  cifs_open+0x82d/0x1b20
[   83.695048]  do_dentry_open+0x441/0x1020
[   83.695219]  path_openat+0x1fbe/0x3850
[   83.695385]  do_filp_open+0x1ac/0x3e0
[   83.695545]  do_open_execat+0xb9/0x5a0
[   83.695706]  bprm_execve+0x35b/0x1250
[   83.695867]  do_execveat_common.isra.0+0x4c6/0x660
[   83.696073]  __x64_sys_execve+0x83/0xb0
[   83.696239]  do_syscall_64+0x3b/0x90
[   83.696394]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   83.696612]
[   83.696683] The buggy address belongs to the object at ffff8880086d4800
[   83.696683]  which belongs to the cache cifs_small_rq of size 448
[   83.697216] The buggy address is located 8 bytes inside of
[   83.697216]  448-byte region [ffff8880086d4800, ffff8880086d49c0)
[   83.697694]
[   83.697766] The buggy address belongs to the physical page:
[   83.698001] page:00000000eca794da refcount:1 mapcount:0 mapping:0000000000000000 inde4
[   83.698401] head:00000000eca794da order:1 compound_mapcount:0 compound_pincount:0
[   83.698716] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   83.698961] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888007748b40
[   83.699290] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   83.699616] page dumped because: kasan: bad access detected
[   83.699852]
[   83.699927] Memory state around the buggy address:
[   83.700130]  ffff8880086d4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.700436]  ffff8880086d4780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   83.700742] >ffff8880086d4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701049]                                            ^
[   83.701205]  ffff8880086d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701508]  ffff8880086d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.701813] ==================================================================
[   83.702134] Disabling lock debugging due to kernel taint
```
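To make the ordering problem concrete, here is an added user-space model of the race (example code written for this page, not the kernel's code and not the referenced commit). A one-slot pool stands in for the cifs_small_rq mempool, a callback stands in for the syscall side that frees the response (the `free_rsp_buf` path in the report), and a liveness flag plays the role of KASAN; the `demux_fixed` variant assumes the remedy of reading the status before the buffer is handed off, and the NT status value and 0xfb poison byte are the only values not taken from the page.

```c
/* Added example: a user-space model of the CIFS demultiplex race; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define STATUS_IO_TIMEOUT 0xC00000B5u   /* NT status the kernel helper tests for */
#define SLAB_POISON 0xfb                /* mirrors KASAN's "fb" freed-slab marker */
struct rsp_buf { uint32_t status; uint8_t payload[60]; }; /* stand-in for smb2_hdr */
/* One-slot pool standing in for the cifs_small_rq mempool, with liveness tracking. */
static struct rsp_buf pool_slot;
static bool pool_live;
static int bad_accesses;   /* reads of a freed buffer: the condition KASAN flagged */

static struct rsp_buf *rsp_buf_get(uint32_t status)
{
    pool_slot.status = status;
    pool_live = true;
    return &pool_slot;
}

static void free_rsp_buf(struct rsp_buf *b)
{
    memset(b, SLAB_POISON, sizeof *b);   /* what a later reader sees after the free */
    pool_live = false;
}

/* Equivalent of smb2_is_status_io_timeout(): a 4-byte read of the header status. */
static bool is_status_io_timeout(const struct rsp_buf *b)
{
    if (!pool_live)
        bad_accesses++;   /* use-after-free: the slot was already returned */
    return b->status == STATUS_IO_TIMEOUT;
}
/* Syscall side: consumes the response and frees it, as SMB2_open() did in the report. */
static void mid_callback(struct rsp_buf *b) { free_rsp_buf(b); }

/* Vulnerable ordering: hand the buffer off first, inspect its header afterwards. */
static bool demux_vulnerable(uint32_t status)
{
    struct rsp_buf *buf = rsp_buf_get(status);
    mid_callback(buf);                 /* the waiter frees it before we get back */
    return is_status_io_timeout(buf);  /* reads poisoned, freed memory */
}

/* Fixed ordering: inspect the header while the demux thread still owns the buffer. */
static bool demux_fixed(uint32_t status)
{
    struct rsp_buf *buf = rsp_buf_get(status);
    bool timeout = is_status_io_timeout(buf);
    mid_callback(buf);
    return timeout;
}
```

Besides the freed-memory read, the vulnerable ordering also loses the timeout signal itself, because the status field has already been overwritten by the time it is inspected.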
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linux kernel | <6.4 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux | =9.0 | |
IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |