What is the severity of CVE-2024-50047?

CVE-2024-50047 has been classified as a high-severity vulnerability due to the potential for denial of service caused by a slab-use-after-free issue.

How do I fix CVE-2024-50047?

To fix CVE-2024-50047, update the Linux kernel to a version that is greater than 6.6.57 or between 6.7 and 6.11.4 inclusive.

Which Linux kernel versions are vulnerable to CVE-2024-50047?

Kernel versions prior to 6.6.57 and those between 6.7 and 6.11.4 are vulnerable to CVE-2024-50047.

What are the potential impacts of CVE-2024-50047?

The potential impacts of CVE-2024-50047 include system crashes and service interruptions due to the denial-of-service capability.

Is CVE-2024-50047 related to the SMB client functionality?

Yes, CVE-2024-50047 involves an issue in the SMB client related to asynchronous decryption processes.

Vulnerability/
CVE-2024-50047

high

7.8

CWE

416

21/10/2024

2/2/2025

CVE-2024-50047: smb: client: fix UAF in async decryption

First published: Mon Oct 21 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Software	Affected Version	How to fix
Linux Kernel	<6.6.57
Linux Kernel	>=6.7<6.11.4
debian/linux	<=5.10.223-1<=5.10.226-1<=6.1.123-1	6.1.128-1 6.12.12-1 6.12.15-1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-50047?
CVE-2024-50047 has been classified as a high-severity vulnerability due to the potential for denial of service caused by a slab-use-after-free issue.
How do I fix CVE-2024-50047?
To fix CVE-2024-50047, update the Linux kernel to a version that is greater than 6.6.57 or between 6.7 and 6.11.4 inclusive.
Which Linux kernel versions are vulnerable to CVE-2024-50047?
Kernel versions prior to 6.6.57 and those between 6.7 and 6.11.4 are vulnerable to CVE-2024-50047.
What are the potential impacts of CVE-2024-50047?
The potential impacts of CVE-2024-50047 include system crashes and service interruptions due to the denial-of-service capability.
Is CVE-2024-50047 related to the SMB client functionality?
Yes, CVE-2024-50047 involves an issue in the SMB client related to asynchronous decryption processes.

agent/title
agent/first-publish-date
agent/type
agent/author
agent/severity
agent/remedy
agent/weakness
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/usn-cve
source/Ubuntu
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
agent/references
agent/source
agent/softwarecombine
agent/tags
agent/description
agent/event
vendor/linux
canonical/linux kernel
version/linux kernel/6.7
package-manager/debian

CVE-2024-50047: smb: client: fix UAF in async decryption

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-50047?

How do I fix CVE-2024-50047?

Which Linux kernel versions are vulnerable to CVE-2024-50047?

What are the potential impacts of CVE-2024-50047?

Is CVE-2024-50047 related to the SMB client functionality?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2024-50047?

How do I fix CVE-2024-50047?

Which Linux kernel versions are vulnerable to CVE-2024-50047?

What are the potential impacts of CVE-2024-50047?

Is CVE-2024-50047 related to the SMB client functionality?