CVE-2023-52741

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52741
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52741.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52741
Related
Published
2024-05-21T16:15:14Z
Modified
2024-09-11T05:02:12.300646Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix use-after-free in rdata->readintopages()

When the network status is unstable, use-after-free may occur when read data from the server.

BUG: KASAN: use-after-free in readpagesfillpages+0x14c/0x7e0

Call Trace: <TASK> dumpstacklvl+0x38/0x4c printreport+0x16f/0x4a6 kasanreport+0xb7/0x130 readpagesfillpages+0x14c/0x7e0 cifsreadvreceive+0x46d/0xa40 cifsdemultiplexthread+0x121c/0x1490 kthread+0x16b/0x1a0 retfromfork+0x2c/0x50 </TASK>

Allocated by task 2535: kasansavestack+0x22/0x50 kasansettrack+0x25/0x30 _kasankmalloc+0x82/0x90 cifsreaddatadirectalloc+0x2c/0x110 cifsreaddataalloc+0x2d/0x60 cifsreadahead+0x393/0xfe0 readpages+0x12f/0x470 pagecacheraunbounded+0x1b1/0x240 filemapgetpages+0x1c8/0x9a0 filemapread+0x1c0/0x540 cifsstrictreadv+0x21b/0x240 vfsread+0x395/0x4b0 ksysread+0xb8/0x150 dosyscall64+0x3f/0x90 entrySYSCALL64after_hwframe+0x72/0xdc

Freed by task 79: kasansavestack+0x22/0x50 kasansettrack+0x25/0x30 kasansavefreeinfo+0x2e/0x50 _kasanslabfree+0x10e/0x1a0 _kmemcachefree+0x7a/0x1a0 cifsreaddatarelease+0x49/0x60 processonework+0x46c/0x760 workerthread+0x2a4/0x6f0 kthread+0x16b/0x1a0 retfromfork+0x2c/0x50

Last potentially related work creation: kasansavestack+0x22/0x50 _kasanrecordauxstack+0x95/0xb0 insertwork+0x2b/0x130 _queuework+0x1fe/0x660 queueworkon+0x4b/0x60 smb2readvcallback+0x396/0x800 cifsabortconnection+0x474/0x6a0 cifsreconnect+0x5cb/0xa50 cifsreadvfromsocket.cold+0x22/0x6c cifsreadpagefromsocket+0xc1/0x100 readpagesfillpages.cold+0x2f/0x46 cifsreadvreceive+0x46d/0xa40 cifsdemultiplexthread+0x121c/0x1490 kthread+0x16b/0x1a0 retfrom_fork+0x2c/0x50

The following function calls will cause UAF of the rdata pointer.

readpagesfillpages cifsreadpagefromsocket cifsreadvfromsocket cifsreconnect _cifsreconnect cifsabortconnection mid->callback() --> smb2readvcallback queuework(&rdata->work) # if the worker completes first, # the rdata is freed cifsreadvcomplete krefput cifsreaddatarelease kfree(rdata) return rdata->... # UAF in readpagesfillpages()

Similarly, this problem also occurs in the uncachefillpages().

Fix this by adjusts the order of condition judgment in the return statement.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}