Hello!
INC2885107 (Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()) has been updated.
Opened for: rfrohl@xxxxxxx
Followers: cve@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, gregkh@xxxxxxxxxxxxxxxxxxx, security@xxxxxxx
Hello Robert,
Thank you for reaching to Red Hat Product Security.
I have reviewed the flaws, CVE-2023-1192 has the correct patch used in the reference.
Also, CVE-2023-52572 is a duplicate of CVE-2023-1192, which we will soon request for the same.
I will also share some observation for CVE-2023-1192 while it us under investigation:
~~~
## TL;DR
After CIFS transfers response data to system call, there is still a local variable points to the memory region, and if system call frees it faster than CIFS uses it, CIFS will access a free memory region when calls function such as `smb2_is_status_io_timeout()` .
## Detail
When client uses CIFS, system calls about file operation will call cifs API to send samba request, and there is a CIFS kernel thread handler `cifs_demultiplex_thread()` which receives response from remote server and transfer those data to corresponding syscall request.
In the beginning, CIFS kernel thread will allocate memory chunk to `server->smallbuf` in function `allocate_buffers()` and assign the pointer to local variable `buf` . Then cifs kernel thread will get a `struct mid_q_entry` instance from `server->ops->find_mid()` , this struct is used to transfer data between kernel thread and system call. Then cifs kernel thread calls `standard_receive3()` to receive response from server, saving data into `server->smallbuf`, assigning `server->smallbuf` to `mid_q_entry` instance `mids[0]`, and marking this `mid_q_entry` has been received response finally.
~~~
Please let us know if there are any further queries on this please.
Regards,
Rohit
How can I track and update my request?
To respond, reply to this email. You may also create a new email and include the request number (INC2885107) in the subject.