public inbox for linux-kernel@vger.kernel.org
* Re: Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()
@ 2024-03-05 18:30 Red Hat Product Security
  2024-03-06  9:16 ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: Red Hat Product Security @ 2024-03-05 18:30 UTC (permalink / raw)
  To: security, rfrohl, cve, gregkh, linux-kernel



Hello!

INC2885107 (Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread()) has been updated.

Opened for: rfrohl@suse.de
Followers: cve@kernel.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, security@suse.de

Rohit Keshri updated your request with the following comments:

Hello Robert,
Thank you for reaching out to Red Hat Product Security.
I have reviewed the flaws; CVE-2023-1192 has the correct patch used in the reference.
Also, CVE-2023-52572 is a duplicate of CVE-2023-1192, which we will soon request for the same.
I will also share some observations for CVE-2023-1192 while it is under investigation:
~~~
## TL;DR
After CIFS transfers response data to the system call, there is still a local variable that points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region when it calls functions such as `smb2_is_status_io_timeout()`.
## Detail
When a client uses CIFS, system calls for file operations will call the cifs API to send a samba request, and there is a CIFS kernel thread handler `cifs_demultiplex_thread()` which receives responses from the remote server and transfers that data to the corresponding syscall request.
In the beginning, the CIFS kernel thread will allocate a memory chunk to `server->smallbuf` in the function `allocate_buffers()` and assign the pointer to the local variable `buf`. Then the cifs kernel thread will get a `struct mid_q_entry` instance from `server->ops->find_mid()`; this struct is used to transfer data between the kernel thread and the system call. Then the cifs kernel thread calls `standard_receive3()` to receive the response from the server, saving the data into `server->smallbuf`, assigning `server->smallbuf` to the `mid_q_entry` instance `mids[0]`, and finally marking that this `mid_q_entry` has received its response.
~~~
Please let us know if there are any further queries on this.
Regards,
Rohit

How can I track and update my request?

To respond, reply to this email. You may also create a new email and include the request number (INC2885107) in the subject.

Thank you,
Product Security

Ref:MSG86263708


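The observations quoted above describe an ownership handoff: the receiver thread hands a response buffer to the waiting request (the mid) but keeps a local alias to it, and the request side may release the buffer before the alias is used. The following C model is an added illustration, not the kernel's cifs code and not the upstream patch; it replaces real freeing with a `live` flag so the stale read can be counted instead of crashing, and the `STATUS_IO_TIMEOUT` value, the `fast_consumer` callback and the "check before handoff, then drop the alias" ordering are assumptions made for the model. It contrasts the ordering that reads through the alias after delivery with an ordering that performs the header check while the receiver still owns the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the ownership handoff described in
 * the report: the receiver thread fills a response buffer, hands it to the
 * waiting request ("mid"), and the request side may release it at once.
 * Instead of really freeing memory, a `live` flag records release so the
 * stale read can be counted rather than crash. */

#define STATUS_IO_TIMEOUT 0x102u  /* hypothetical status value used by the model */

struct resp_buf {
    unsigned int status;
    bool live;                    /* false once the owner has released it */
};

struct mid_entry {
    struct resp_buf *resp;
    bool received;
    void (*callback)(struct mid_entry *mid);  /* delivers resp to the syscall side */
};

static int stale_reads;           /* reads of a buffer after its release */

/* Syscall side that consumes and releases the response immediately, i.e.
 * the "frees it faster than CIFS uses it" case from the report. */
static void fast_consumer(struct mid_entry *mid)
{
    mid->resp->live = false;
    mid->resp = NULL;
}

/* Stand-in for smb2_is_status_io_timeout(): reads the response header. */
static bool is_status_io_timeout(const struct resp_buf *b)
{
    if (!b->live) {
        stale_reads++;            /* in the kernel this would be a use-after-free */
        return false;
    }
    return b->status == STATUS_IO_TIMEOUT;
}

/* Transfer ownership of the buffer to the mid and wake its owner. */
static void deliver(struct mid_entry *mid, struct resp_buf *b)
{
    mid->resp = b;
    mid->received = true;
    mid->callback(mid);
}

/* Vulnerable ordering: the local alias `buf` is read after delivery. */
static bool receive_vulnerable(struct mid_entry *mid, struct resp_buf *smallbuf)
{
    struct resp_buf *buf = smallbuf;   /* local alias to server->smallbuf */
    deliver(mid, buf);
    return is_status_io_timeout(buf);  /* buf may already be released here */
}

/* Hardened ordering: inspect while still the owner, then drop the alias. */
static bool receive_hardened(struct mid_entry *mid, struct resp_buf *smallbuf)
{
    struct resp_buf *buf = smallbuf;
    bool timeout = is_status_io_timeout(buf);
    deliver(mid, buf);
    buf = NULL;                        /* ownership moved; nothing below may use it */
    (void)buf;
    return timeout;
}

/* Run one receive of a response with `status`; return stale reads observed. */
int stale_reads_vulnerable(unsigned int status)
{
    struct resp_buf smallbuf = { status, true };
    struct mid_entry mid = { NULL, false, fast_consumer };
    stale_reads = 0;
    receive_vulnerable(&mid, &smallbuf);
    return stale_reads;
}

int stale_reads_hardened(unsigned int status)
{
    struct resp_buf smallbuf = { status, true };
    struct mid_entry mid = { NULL, false, fast_consumer };
    stale_reads = 0;
    receive_hardened(&mid, &smallbuf);
    return stale_reads;
}

/* The hardened path still answers the question the header check exists for. */
bool hardened_sees_timeout(unsigned int status)
{
    struct resp_buf smallbuf = { status, true };
    struct mid_entry mid = { NULL, false, fast_consumer };
    stale_reads = 0;
    return receive_hardened(&mid, &smallbuf);
}

int main(void)
{
    printf("vulnerable ordering: %d stale read(s)\n",
           stale_reads_vulnerable(STATUS_IO_TIMEOUT));
    printf("hardened ordering:   %d stale read(s), timeout seen: %s\n",
           stale_reads_hardened(STATUS_IO_TIMEOUT),
           hardened_sees_timeout(STATUS_IO_TIMEOUT) ? "yes" : "no");
    return 0;
}
```

The point of the model is the invariant, not the particular check: once a buffer has been handed to another owner, every local alias to it is dead, and any inspection the receiver needs must happen before the handoff or through a reference it still holds. Reviewers of receive loops of this shape can look for reads of a local pointer that occur after the call that publishes the buffer to its consumer.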


Thread overview: 5+ messages
2024-03-05 18:30 Re: CVE-2023-52572: cifs: Fix UAF in cifs_demultiplex_thread() Red Hat Product Security
2024-03-06  9:16 ` Greg KH
2024-03-06  9:23   ` Robert Frohl
2024-03-06  9:45     ` Greg KH
2024-03-06  9:53       ` Robert Frohl
