CVE-2023-53052

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53052
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53052.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53052
Published
2025-05-02T15:55:07Z
Modified
2025-10-16T00:29:08.697305Z
Summary
cifs: fix use-after-free bug in refresh_cache_worker()
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix use-after-free bug in refresh_cache_worker()

The UAF bug occurred because we were putting DFS root sessions in cifs_umount() while DFS cache refresher was being executed.

Make DFS root sessions have the same lifetime as DFS tcons so we can avoid the use-after-free bug in the DFS cache refresher and other places that require IPCs to get new DFS referrals on. Also, get rid of mount group handling in DFS cache as we no longer need it.

This fixes the below use-after-free bug caught by KASAN:

[  379.946955] BUG: KASAN: use-after-free in __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[  379.947642] Read of size 8 at addr ffff888018f57030 by task kworker/u4:3/56
[  379.948096]
[  379.948208] CPU: 0 PID: 56 Comm: kworker/u4:3 Not tainted 6.2.0-rc7-lku #23
[  379.948661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552-rebuilt.opensuse.org 04/01/2014
[  379.949368] Workqueue: cifs-dfscache refresh_cache_worker [cifs]
[  379.949942] Call Trace:
[  379.950113]  <TASK>
[  379.950260]  dump_stack_lvl+0x50/0x67
[  379.950510]  print_report+0x16a/0x48e
[  379.950759]  ? __virt_addr_valid+0xd8/0x160
[  379.951040]  ? __phys_addr+0x41/0x80
[  379.951285]  kasan_report+0xdb/0x110
[  379.951533]  ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[  379.952056]  ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[  379.952585]  __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[  379.953096]  ? __pfx___refresh_tcon.isra.0+0x10/0x10 [cifs]
[  379.953637]  ? __pfx_mutex_lock+0x10/0x10
[  379.953915]  ? lock_release+0xb6/0x720
[  379.954167]  ? __pfx_lock_acquire+0x10/0x10
[  379.954443]  ? refresh_cache_worker+0x34e/0x6d0 [cifs]
[  379.954960]  ? __pfx_wb_workfn+0x10/0x10
[  379.955239]  refresh_cache_worker+0x4ad/0x6d0 [cifs]
[  379.955755]  ? __pfx_refresh_cache_worker+0x10/0x10 [cifs]
[  379.956323]  ? __pfx_lock_acquired+0x10/0x10
[  379.956615]  ? read_word_at_a_time+0xe/0x20
[  379.956898]  ? lockdep_hardirqs_on_prepare+0x12/0x220
[  379.957235]  process_one_work+0x535/0x990
[  379.957509]  ? __pfx_process_one_work+0x10/0x10
[  379.957812]  ? lock_acquired+0xb7/0x5f0
[  379.958069]  ? __list_add_valid+0x37/0xd0
[  379.958341]  ? __list_add_valid+0x37/0xd0
[  379.958611]  worker_thread+0x8e/0x630
[  379.958861]  ? __pfx_worker_thread+0x10/0x10
[  379.959148]  kthread+0x17d/0x1b0
[  379.959369]  ? __pfx_kthread+0x10/0x10
[  379.959630]  ret_from_fork+0x2c/0x50
[  379.959879]  </TASK>

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6916881f443f67f6893b504fa2171468c8aed915
Fixed
5a89d81c1a3c152837ea204fd29572228e54ce0b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6916881f443f67f6893b504fa2171468c8aed915
Fixed
396935de145589c8bfe552fa03a5e38604071829

Affected versions

v6.*

v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.3-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.8