* Information on use-after-free in smb2_is_status_io_timeout()?
@ 2024-01-05 13:33 Salvatore Bonaccorso
2024-01-05 14:04 ` Paulo Alcantara
0 siblings, 1 reply; 3+ messages in thread
From: Salvatore Bonaccorso @ 2024-01-05 13:33 UTC (permalink / raw)
To: Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N,
Tom Talpey, Ben Hutchings
Cc: linux-cifs, samba-technical, linux-kernel
Hi,
There is a Red Hat bugzilla report in
https://bugzilla.redhat.com/show_bug.cgi?id=2154178 about a
use-after-free in smb2_is_status_io_timeout() . While the commit noted
initially there seems not correct, Ben Hutchings raised a question on
more information in
https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24 .
(there is a CVE assigned for it, CVE-2023-1192)
To quote the initial message in RHBZ#2154178:
> A use after free flaw was found in smb2_is_status_io_timeout() in CIFS
> in the Linux Kernel. After CIFS transfers response data to system
> call, there is still a local variable points to the memory region, and
> if system call frees it faster than CIFS uses it, CIFS will access a
> free memory region leading to a denial of service.
Ben asked:
> smb2_is_status_io_timeout() is only ever called from cifs_demultiplex_thread().
> That happens after it conditionally decrypts the original receive buffer (buf) into
> one or more new buffers (bufs[...]), or otherwise sets bufs[0] = buf. The
> decryption process looks like it can free the original buffer, resulting in the
> reported UAF.
>
> If the error code is part of the encrypted payload, then I think the check for an
> I/O timeout should use bufs[0] like other code further down the function:
>
> --- a/fs/smb/client/connect.c
> +++ b/fs/smb/client/connect.c
> @@ -1236,7 +1236,7 @@ cifs_demultiplex_thread(void *p)
> }
>
> if (server->ops->is_status_io_timeout &&
> - server->ops->is_status_io_timeout(buf)) {
> + server->ops->is_status_io_timeout(bufs[0])) {
> num_io_timeout++;
> if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) {
> cifs_server_dbg(VFS,
> --- END ---
>
> If the error code does not get encrypted, then the timeout check needs to be done
> further up the function.
>
> Does anyone have a reproducer for this?
Does anyone knows more on this issue?
Regards,
Salvatore
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Information on use-after-free in smb2_is_status_io_timeout()?
2024-01-05 13:33 Information on use-after-free in smb2_is_status_io_timeout()? Salvatore Bonaccorso
@ 2024-01-05 14:04 ` Paulo Alcantara
2024-01-05 18:14 ` Ben Hutchings
0 siblings, 1 reply; 3+ messages in thread
From: Paulo Alcantara @ 2024-01-05 14:04 UTC (permalink / raw)
To: Salvatore Bonaccorso, Steve French, Ronnie Sahlberg,
Shyam Prasad N, Tom Talpey, Ben Hutchings
Cc: linux-cifs, samba-technical, linux-kernel
Salvatore Bonaccorso <carnil@debian.org> writes:
> There is a Red Hat bugzilla report in
> https://bugzilla.redhat.com/show_bug.cgi?id=2154178 about a
> use-after-free in smb2_is_status_io_timeout() . While the commit noted
> initially there seems not correct, Ben Hutchings raised a question on
> more information in
> https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24 .
>
> (there is a CVE assigned for it, CVE-2023-1192)
That is supposed to be fixed by
d527f51331ca ("cifs: Fix UAF in cifs_demultiplex_thread()")
While the commit refers to an UAF in ->is_network_name_deleted(), this
should also work for smb2_is_status_io_timeout(), AFAICT.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Information on use-after-free in smb2_is_status_io_timeout()?
2024-01-05 14:04 ` Paulo Alcantara
@ 2024-01-05 18:14 ` Ben Hutchings
0 siblings, 0 replies; 3+ messages in thread
From: Ben Hutchings @ 2024-01-05 18:14 UTC (permalink / raw)
To: Paulo Alcantara, Salvatore Bonaccorso, Steve French,
Ronnie Sahlberg, Shyam Prasad N, Tom Talpey
Cc: linux-cifs, samba-technical, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 948 bytes --]
On Fri, 2024-01-05 at 11:04 -0300, Paulo Alcantara wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > There is a Red Hat bugzilla report in
> > https://bugzilla.redhat.com/show_bug.cgi?id=2154178 about a
> > use-after-free in smb2_is_status_io_timeout() . While the commit noted
> > initially there seems not correct, Ben Hutchings raised a question on
> > more information in
> > https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24 .
> >
> > (there is a CVE assigned for it, CVE-2023-1192)
>
> That is supposed to be fixed by
>
> d527f51331ca ("cifs: Fix UAF in cifs_demultiplex_thread()")
>
> While the commit refers to an UAF in ->is_network_name_deleted(), this
> should also work for smb2_is_status_io_timeout(), AFAICT.
I think that's a different UAF bug that happens to affect the same
function.
Ben.
--
Ben Hutchings - Debian developer, member of kernel, installer and LTS
teams
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-05 18:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-05 13:33 Information on use-after-free in smb2_is_status_io_timeout()? Salvatore Bonaccorso
2024-01-05 14:04 ` Paulo Alcantara
2024-01-05 18:14 ` Ben Hutchings
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).