ACK: [SRU][F/J][PATCH 0/1] CVE-2023-52752
Kuba Pawlak
kuba.pawlak at canonical.com
Thu Jun 27 15:18:25 UTC 2024
On 26.06.2024 23:39, Yuxuan Luo wrote:
> [Impact]
> A potential use-after-free may occur in the smb subsystem when the server is
> dumping debug information while the session is tearing down; this
> vulnerability leads to memory corruption and a system crash.
>
> [Backport]
> The fix relies on ses->ses_status and ses->ses_lock, neither of which is
> introduced in the affected kernels, and both are hard to backport.
>
> The ses_lock is added in d7d7a66aacd6 (“cifs: avoid use of global locks
> for high contention data”) in order to increase granularity to improve
> performance, therefore, it is viable to stay with the old global lock
> GlobalMid_Lock.
>
> For ses_status, dd3cd8709ed5 (“cifs: use new enum for ses_status”)
> specified SES_EXITING instead of CifsExiting under the session context,
> which means they can be used interchangeably here.
>
> According to the fix commit message, the spin lock is used to protect
> ses->* against the use-after-free scenario; hence, place the spin_lock() pair
> around the if ((ses->serverDomain == NULL) || and else pair.
>
> [Test]
> Tested using ksmbd-tools:
> ```
> # Create the share directory and register it with ksmbd
> cd /home/ubuntu
> mkdir -p /home/ubuntu/MyShare
> sudo ksmbd.addshare --add \
> --option "path = /home/ubuntu/MyShare" \
> --option 'read only = no' \
> --option 'force user = ubuntu' \
> --option 'force group = ubuntu' \
> MyShare
> sudo ksmbd.adduser --add MyUser --password ubuntu
> sudo ksmbd.mountd
> sudo mount -o vers=3 -o pass=ubuntu -o user=MyUser //127.0.0.1/MyShare /mnt
>
> # Write through the share directory and read back through the SMB mount
> echo 'hello smb' > ./MyShare/smb.txt
> res=$(cat /mnt/smb.txt)
> if [ "$res" = "hello smb" ]; then
> echo "==== TEST SUCCESS ===="
> else
> echo "==== TEST FAILS: $res ===="
> fi
> ```
>
> [Where things could go wrong]
> The smb server might crash when dumping debug info.
>
> Paulo Alcantara (1):
> smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
>
> fs/cifs/cifs_debug.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Acked-by: Kuba Pawlak <kuba.pawlak at canonical.com>