CVE-2023-52751

In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix use-after-free in smb2_query_info_compound() The following UAF
was triggered when running fstests generic/072 with KASAN enabled against
Windows Server 2022 and mount options
‘multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm’ BUG: KASAN:
slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] Read of
size 8 at addr ffff888014941048 by task xfs_io/27534 CPU: 0 PID: 27534
Comm: xfs_io Not tainted 6.6.0-rc7 #1 Hardware name: QEMU Standard PC (Q35

• ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  Call Trace: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ?
  srso_alias_return_thunk+0x5/0x7f ? srso_alias_return_thunk+0x5/0x7f ?
  __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ?
  smb2_query_info_compound+0x423/0x6d0 [cifs] ?
  smb2_query_info_compound+0x423/0x6d0 [cifs]
  smb2_query_info_compound+0x423/0x6d0 [cifs] ?
  __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ?
  srso_alias_return_thunk+0x5/0x7f ? __stack_depot_save+0x39/0x480 ?
  kasan_save_stack+0x33/0x60 ? kasan_set_track+0x25/0x30 ?
  ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ?
  __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10
  smb311_queryfs+0x210/0x220 [cifs] ? __pfx_smb311_queryfs+0x10/0x10 [cifs] ?
  srso_alias_return_thunk+0x5/0x7f ? __lock_acquire+0x480/0x26c0 ?
  lock_release+0x1ed/0x640 ? srso_alias_return_thunk+0x5/0x7f ?
  do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs]
  statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ?
  __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f ?
  lockdep_hardirqs_on_prepare+0x136/0x200 ? srso_alias_return_thunk+0x5/0x7f
  do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated
  by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30
  __kasan_kmalloc+0x8f/0xa0 open_cached_dir+0x71b/0x1240 [cifs]
  smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs]
  smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs]
  statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0
  do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by
  task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30
  kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170
  slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x1b0
  open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0
  [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] This is a race between
  open_cached_dir() and cached_dir_lease_break() where the cache entry for
  the open directory handle receives a lease break while creating it. And
  before returning from open_cached_dir(), we put the last reference of the
  new @cfid because of !@cfid->has_lease. Besides the UAF, while running
  xfstests a lot of missed lease breaks have been noticed in tests that run
  several concurrent statfs(2) calls on those cached fids CIFS: VFS:
  \w22-root1.gandalf.test No task to wake, unknown frame… CIFS: VFS:
  \w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1… CIFS: VFS:
  \w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS: Dump
  pending requests: CIFS: VFS: \w22-root1.gandalf.test No task to wake,
  unknown frame… CIFS: VFS: \w22-root1.gandalf.test Cmd: 18 Err: 0x0
  Flags: 0x1… CIFS: VFS: \w22-root1.gandalf.test smb buf 000000005aa7316e
  len 108 … To fix both, in open_cached_dir() ensure that @cfid->has_lease
  is set right before sending out compounded request so that any potential
  lease break will be get processed by demultiplex thread while we’re still
  caching @cfid. And, if open failed for some reason, re-check
  @cfid->has_lease to decide whether or not put lease reference.