Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2023-52572
HistoryMar 02, 2024 - 12:00 a.m.

CVE-2023-52572

2024-03-0200:00:00
ubuntu.com
ubuntu.com
5
linux kernel
uaf vulnerability
cifs_demultiplex_thread
smb2_negotiate

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved: cifs:
Fix UAF in cifs_demultiplex_thread() There is a UAF when xfstests on cifs:
BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160 Read
of size 4 at addr ffff88810103fc08 by task cifsd/923 CPU: 1 PID: 923 Comm:
cifsd Not tainted 6.1.0-rc4+ #45 … Call Trace: <TASK>
dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130
kasan_check_range+0x145/0x1a0 smb2_is_network_name_deleted+0x27/0x160
cifs_demultiplex_thread.cold+0x172/0x5a4 kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30 </TASK> Allocated by task 923:
kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x147/0x320
mempool_alloc+0xe1/0x260 cifs_small_buf_get+0x24/0x60
allocate_buffers+0xa1/0x1c0 cifs_demultiplex_thread+0x199/0x10d0
kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 Freed by task 921:
kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x143/0x1b0
kmem_cache_free+0xe3/0x4d0 cifs_small_buf_release+0x29/0x90
SMB2_negotiate+0x8b7/0x1c60 smb2_negotiate+0x51/0x70
cifs_negotiate_protocol+0xf0/0x160 cifs_get_smb_ses+0x5fa/0x13c0
mount_get_conns+0x7a/0x750 cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The UAF is

because: mount(pid: 921) cifsd(pid: 923)
cifs_demultiplex_thread SMB2_negotiate cifs_send_recv
compound_send_recv smb_send_rqst
[1]
mid->resp_buf = buf; [2] dequeue_mid [3] KILL the process [4]
resp_iov[i].iov_base = buf free_rsp_buf [5]
[6] callback 1. After send request to server, wait the response until
mid->mid_state != SUBMITTED; 2. Receive response from server, and set it to
mid; 3. Set the mid state to RECEIVED; 4. Kill the process, the mid state
already RECEIVED, get 0; 5. Handle and release the negotiate response; 6.
UAF. It can be easily reproduce with add some delay in [3] - [6]. Only sync
call has the problem since async call’s callback is executed in cifsd
process. Add an extra state to mark the mid state to READY before wakeup
the waitter, then it can get the resp safely.

Related

cve 1
nvd 1
vulnrichment 1
cvelist 1
prion 1
debiancve 1
redhatcve 1
nessus 7
openvas 2
cve
cve
CVE-2023-52572
2024-03-02 22:15:49
nvd
nvd
CVE-2023-52572
2024-03-02 22:15:49
vulnrichment
vulnrichment
CVE-2023-52572 cifs: Fix UAF in cifs_demultiplex_thread()
2024-03-02 21:59:41
cvelist
cvelist
CVE-2023-52572 cifs: Fix UAF in cifs_demultiplex_thread()
2024-03-02 21:59:41
prion
prion
Spoofing
2024-03-02 22:15:00
debiancve
debiancve
CVE-2023-52572
2024-03-02 22:15:49
redhatcve
redhatcve
CVE-2023-52572
2024-03-04 17:58:33
nessus
nessus
EulerOS 2.0 SP12 : kernel (EulerOS-SA-2024-1873)
2024-06-28 00:00:00
EulerOS 2.0 SP12 : kernel (EulerOS-SA-2024-1859)
2024-06-28 00:00:00
SUSE SLES15 Security Update : kernel (SUSE-SU-2024:1454-1)
2024-04-29 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1837)
2024-06-25 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1816)
2024-06-25 00:00:00

0.0004 Low

EPSS

Percentile

15.7%

JSON
Related for UB:CVE-2023-52572
cve1nvd1vulnrichment1cvelist1prion1debiancve1redhatcve1nessus7openvas2