{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-52751", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T15:19:24.234Z", "datePublished": "2024-05-21T15:30:40.226Z", "dateUpdated": "2026-05-11T19:32:29.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:32:29.874Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cached_dir.c"], "versions": [{"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "6db94d08359c43f2c8fe372811cdee04564a41b9", "status": "affected", "versionType": "git"}, {"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "93877b9afc2994c89362007aac480a7b150f386f", "status": "affected", "versionType": "git"}, {"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "5c86919455c1edec99ebd3338ad213b59271a71b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cached_dir.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.13", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.3", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.5.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.6.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.7"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9"}, {"url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f"}, {"url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b"}], "title": "smb: client: fix use-after-free in smb2_query_info_compound()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.015Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:37:15.794672Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:32.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.015Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:37:15.794672Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:17.248Z"}}], "cna": {"title": "smb: client: fix use-after-free in smb2_query_info_compound()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "6db94d08359c43f2c8fe372811cdee04564a41b9", "versionType": "git"}, {"status": "affected", "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "93877b9afc2994c89362007aac480a7b150f386f", "versionType": "git"}, {"status": "affected", "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7", "lessThan": "5c86919455c1edec99ebd3338ad213b59271a71b", "versionType": "git"}], "programFiles": ["fs/smb/client/cached_dir.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1"}, {"status": "unaffected", "version": "0", "lessThan": "6.1", "versionType": "semver"}, {"status": "unaffected", "version": "6.5.13", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6.3", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/client/cached_dir.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9"}, {"url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f"}, {"url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.5.13", "versionStartIncluding": "6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.3", "versionStartIncluding": "6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7", "versionStartIncluding": "6.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-01-05T10:17:07.109Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52751", "state": "PUBLISHED", "dateUpdated": "2026-01-05T10:17:07.109Z", "dateReserved": "2024-05-21T15:19:24.234Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:30:40.226Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8037DB00-CF94-499F-A19D-763AB1141887", "versionEndExcluding": "6.5.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B58252FA-A49C-411F-9B28-DC5FE44BC5A0", "versionEndExcluding": "6.6.3", "versionStartIncluding": "6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: smb: client: corrige use-after-free en smb2_query_info_compound(). El siguiente UAF se activ\u00f3 al ejecutar fstests generic/072 con KASAN habilitado en Windows Server 2022 y opciones de montaje 'multicanal, max_channels=2,vers=3.1.1,mfsymlinks,noperm' BUG: KASAN: slab-use-after-free en smb2_query_info_compound+0x423/0x6d0 [cifs] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888014941048 por tarea xfs_io/27534 CPU: 0 PID : 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 01/04/2014 Llamada Seguimiento: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0x7f? srso_alias_return_thunk+0x5/0x7f? __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ? smb2_query_info_compound+0x423/0x6d0 [cifs]? smb2_query_info_compound+0x423/0x6d0 [cifs] smb2_query_info_compound+0x423/0x6d0 [cifs] ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f? __stack_depot_save+0x39/0x480? kasan_save_stack+0x33/0x60? kasan_set_track+0x25/0x30? ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ? __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10 smb311_queryfs+0x210/0x220 [cifs]? __pfx_smb311_queryfs+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f? __lock_acquire+0x480/0x26c0? lock_release+0x1ed/0x640? srso_alias_return_thunk+0x5/0x7f? do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ? __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f? lockdep_hardirqs_on_prepare+0x136/0x200? srso_alias_return_thunk+0x5/0x7f do_syscall_64+0x3f/0x90 Entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Asignado por tarea 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f /0xa0 open_cached_dir+0x71b/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs ] smb2_queryfs+0xc2/0x2c0 [cifs] smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 statfs+0x7f/0xe0 do_syscall_64+0x3f/0x90 entrada_SYSCALL_64_after_hwframe+0x6e/0xd8 Liberado por la tarea 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170 slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x 1b0 open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs ] smb2_queryfs+0xc2/0x2c0 [cifs] Esta es una ejecuci\u00f3n entre open_cached_dir() y cached_dir_lease_break() donde la entrada de cach\u00e9 para el identificador de directorio abierto recibe una interrupci\u00f3n de arrendamiento mientras se crea. Y antes de volver de open_cached_dir(), ponemos la \u00faltima referencia del nuevo @cfid por !@cfid->has_lease. Adem\u00e1s de UAF, al ejecutar xfstests se han observado muchas interrupciones de arrendamiento perdidas en pruebas que ejecutan varias llamadas statfs(2) simult\u00e1neas en esos fids almacenados en cach\u00e9 CIFS: VFS: \\\\w22-root1.gandalf.test No hay tarea para activar, desconocida marco... CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Banderas: 0x1... CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS : Volcado de solicitudes pendientes: CIFS: VFS: \\\\w22-root1.gandalf.test No hay tarea para activar, marco desconocido... CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Banderas: 0x1 ... CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 ... Para arreglar ambos, en open_cached_dir() aseg\u00farese de que @cfid->has_lease est\u00e9 configurado justo antes de enviar una solicitud compuesta para que cualquier La posible interrupci\u00f3n del arrendamiento ser\u00e1 procesada por el subproceso demultiplex mientras todav\u00eda estamos almacenando en cach\u00e9 @cfid. Y, si la apertura falla por alg\u00fan motivo, vuelva a verificar @cfid->has_lease para decidir si coloca o no la referencia del arrendamiento."}], "id": "CVE-2023-52751", "lastModified": "2025-01-06T20:27:16.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-21T16:15:14.763", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: smb: client: fix use-after-free in smb2_query_info_compound()", "id": "2282748", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282748"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix use-after-free in smb2_query_info_compound()\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\nBUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\nRead of size 8 at addr ffff888014941048 by task xfs_io/27534\nCPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nCall Trace:\ndump_stack_lvl+0x4a/0x80\nprint_report+0xcf/0x650\n? srso_alias_return_thunk+0x5/0x7f\n? srso_alias_return_thunk+0x5/0x7f\n? __phys_addr+0x46/0x90\nkasan_report+0xda/0x110\n? smb2_query_info_compound+0x423/0x6d0 [cifs]\n? smb2_query_info_compound+0x423/0x6d0 [cifs]\nsmb2_query_info_compound+0x423/0x6d0 [cifs]\n? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n? srso_alias_return_thunk+0x5/0x7f\n? __stack_depot_save+0x39/0x480\n? kasan_save_stack+0x33/0x60\n? kasan_set_track+0x25/0x30\n? ____kasan_slab_free+0x126/0x170\nsmb2_queryfs+0xc2/0x2c0 [cifs]\n? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n? __pfx___lock_acquire+0x10/0x10\nsmb311_queryfs+0x210/0x220 [cifs]\n? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n? srso_alias_return_thunk+0x5/0x7f\n? __lock_acquire+0x480/0x26c0\n? lock_release+0x1ed/0x640\n? srso_alias_return_thunk+0x5/0x7f\n? do_raw_spin_unlock+0x9b/0x100\ncifs_statfs+0x18c/0x4b0 [cifs]\nstatfs_by_dentry+0x9b/0xf0\nfd_statfs+0x4e/0xb0\n__do_sys_fstatfs+0x7f/0xe0\n? __pfx___do_sys_fstatfs+0x10/0x10\n? srso_alias_return_thunk+0x5/0x7f\n? lockdep_hardirqs_on_prepare+0x136/0x200\n? srso_alias_return_thunk+0x5/0x7f\ndo_syscall_64+0x3f/0x90\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nAllocated by task 27534:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\n__kasan_kmalloc+0x8f/0xa0\nopen_cached_dir+0x71b/0x1240 [cifs]\nsmb2_query_info_compound+0x5c3/0x6d0 [cifs]\nsmb2_queryfs+0xc2/0x2c0 [cifs]\nsmb311_queryfs+0x210/0x220 [cifs]\ncifs_statfs+0x18c/0x4b0 [cifs]\nstatfs_by_dentry+0x9b/0xf0\nfd_statfs+0x4e/0xb0\n__do_sys_fstatfs+0x7f/0xe0\ndo_syscall_64+0x3f/0x90\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nFreed by task 27534:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x50\n____kasan_slab_free+0x126/0x170\nslab_free_freelist_hook+0xd0/0x1e0\n__kmem_cache_free+0x9d/0x1b0\nopen_cached_dir+0xff5/0x1240 [cifs]\nsmb2_query_info_compound+0x5c3/0x6d0 [cifs]\nsmb2_queryfs+0xc2/0x2c0 [cifs]\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\nCIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\nCIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\nCIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\nCIFS: VFS: Dump pending requests:\nCIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\nCIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\nCIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n...\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference."], "name": "CVE-2023-52751", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52751\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52751\nhttps://lore.kernel.org/linux-cve-announce/2024052144-CVE-2023-52751-69df@gregkh/T"], "threat_severity": "Moderate"}

{}