CVE-2024-46796

If smb2compoundop() is called with a valid @cfile and returned -EINVAL, we need to call cifsgetwritable_path() before retrying it as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022:

CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detachifpending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifsoplockbreak [cifs] Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? detachifpending+0xab/0x200 printreport+0x156/0x4d9 ? detachifpending+0xab/0x200 ? virtaddrvalid+0x145/0x300 ? _physaddr+0x46/0x90 ? detachifpending+0xab/0x200 kasanreport+0xda/0x110 ? detachifpending+0xab/0x200 detachifpending+0xab/0x200 timerdelete+0x96/0xe0 ? _pfxtimerdelete+0x10/0x10 ? rcuiswatching+0x20/0x50 trytograbpending+0x46/0x3b0 _cancelwork+0x89/0x1b0 ? _pfxcancelwork+0x10/0x10 ? kasansavetrack+0x14/0x30 cifsclosedeferredfile+0x110/0x2c0 [cifs] ? _pfxcifsclosedeferredfile+0x10/0x10 [cifs] ? _pfxdownread+0x10/0x10 cifsoplockbreak+0x4c1/0xa50 [cifs] ? _pfxcifsoplockbreak+0x10/0x10 [cifs] ? lockisheldtype+0x85/0xf0 ? markheldlocks+0x1a/0x90 processonework+0x4c6/0x9f0 ? findheldlock+0x8a/0xa0 ? _pfxprocessonework+0x10/0x10 ? lockacquired+0x220/0x550 ? _listaddvalidorreport+0x37/0x100 workerthread+0x2e4/0x570 ? _kthreadparkme+0xd1/0xf0 ? _pfxworkerthread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? _pfxkthread+0x10/0x10 retfromfork+0x31/0x60 ? _pfxkthread+0x10/0x10 retfromfork_asm+0x1a/0x30 </TASK>

Allocated by task 1118: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 _kasankmalloc+0xaa/0xb0 cifsnewfileinfo+0xc8/0x9d0 [cifs] cifsatomicopen+0x467/0x770 [cifs] lookupopen.isra.0+0x665/0x8b0 pathopenat+0x4c3/0x1380 dofilpopen+0x167/0x270 dosysopenat2+0x129/0x160 _x64syscreat+0xad/0xe0 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f

Freed by task 83: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x70 poisonslabobject+0xe9/0x160 _kasanslabfree+0x32/0x50 kfree+0xf2/0x300 processonework+0x4c6/0x9f0 workerthread+0x2e4/0x570 kthread+0x17f/0x1c0 retfromfork+0x31/0x60 retfromforkasm+0x1a/0x30

Last potentially related work creation: kasansavestack+0x30/0x50 _kasanrecordauxstack+0xad/0xc0 insertwork+0x29/0xe0 _queuework+0x5ea/0x760 queueworkon+0x6d/0x90 _cifsFileInfoput+0x3f6/0x770 [cifs] smb2compoundop+0x911/0x3940 [cifs] smb2setpathsize+0x228/0x270 [cifs] cifssetfilesize+0x197/0x460 [cifs] cifssetattr+0xd9c/0x14b0 [cifs] notifychange+0x4e3/0x740 dotruncate+0xfa/0x180 vfstruncate+0x195/0x200 _x64systruncate+0x109/0x150 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1e60bc0e954389af82f1d9a85f13a63f6572350f

Fixed

5a72d1edb0843e4c927a4096f81e631031c25c28

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

71f15c90e785d1de4bcd65a279e7256684c25c0d

Fixed

762099898309218b4a7954f3d49e985dc4dfd638

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

71f15c90e785d1de4bcd65a279e7256684c25c0d

Fixed

f9c169b51b6ce20394594ef674d6b10efba31220

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.50

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-46796-394dab2e",
        "target": {
            "file": "fs/smb/client/smb2inode.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f9c169b51b6ce20394594ef674d6b10efba31220",
        "digest": {
            "line_hashes": [
                "36606257472106029994955698600669545672",
                "22145252202456151318028701601333782143",
                "39653575452769371226261704172098437179",
                "186746883724608733600903714878798770132"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-46796-7c457be9",
        "target": {
            "file": "fs/smb/client/smb2inode.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@762099898309218b4a7954f3d49e985dc4dfd638",
        "digest": {
            "line_hashes": [
                "36606257472106029994955698600669545672",
                "22145252202456151318028701601333782143",
                "39653575452769371226261704172098437179",
                "186746883724608733600903714878798770132"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-46796-824b8d25",
        "target": {
            "file": "fs/smb/client/smb2inode.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a72d1edb0843e4c927a4096f81e631031c25c28",
        "digest": {
            "line_hashes": [
                "36606257472106029994955698600669545672",
                "22145252202456151318028701601333782143",
                "39653575452769371226261704172098437179",
                "186746883724608733600903714878798770132"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-46796-82cc3082",
        "target": {
            "file": "fs/smb/client/smb2inode.c",
            "function": "smb2_set_path_size"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@762099898309218b4a7954f3d49e985dc4dfd638",
        "digest": {
            "function_hash": "210709122037928722405910979899242114917",
            "length": 825.0
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-46796-891c6d5b",
        "target": {
            "file": "fs/smb/client/smb2inode.c",
            "function": "smb2_set_path_size"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f9c169b51b6ce20394594ef674d6b10efba31220",
        "digest": {
            "function_hash": "210709122037928722405910979899242114917",
            "length": 825.0
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-46796-d0500c72",
        "target": {
            "file": "fs/smb/client/smb2inode.c",
            "function": "smb2_set_path_size"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a72d1edb0843e4c927a4096f81e631031c25c28",
        "digest": {
            "function_hash": "210709122037928722405910979899242114917",
            "length": 825.0
        },
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.51

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.10.10