CVE-2023-52572

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix UAF in cifsdemultiplexthread()

There is a UAF when xfstests on cifs:

BUG: KASAN: use-after-free in smb2isnetworknamedeleted+0x27/0x160 Read of size 4 at addr ffff88810103fc08 by task cifsd/923

CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45 ... Call Trace: <TASK> dumpstacklvl+0x34/0x44 printreport+0x171/0x472 kasanreport+0xad/0x130 kasancheckrange+0x145/0x1a0 smb2isnetworknamedeleted+0x27/0x160 cifsdemultiplexthread.cold+0x172/0x5a4 kthread+0x165/0x1a0 retfromfork+0x1f/0x30 </TASK>

Allocated by task 923: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 _kasanslaballoc+0x54/0x60 kmemcachealloc+0x147/0x320 mempoolalloc+0xe1/0x260 cifssmallbufget+0x24/0x60 allocatebuffers+0xa1/0x1c0 cifsdemultiplexthread+0x199/0x10d0 kthread+0x165/0x1a0 retfromfork+0x1f/0x30

Freed by task 921: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 kasansavefreeinfo+0x2a/0x40 __kasanslabfree+0x143/0x1b0 kmemcachefree+0xe3/0x4d0 cifssmallbufrelease+0x29/0x90 SMB2negotiate+0x8b7/0x1c60 smb2negotiate+0x51/0x70 cifsnegotiateprotocol+0xf0/0x160 cifsgetsmbses+0x5fa/0x13c0 mountgetconns+0x7a/0x750 cifsmount+0x103/0xd00 cifssmb3domount+0x1dd/0xcb0 smb3gettree+0x1d5/0x300 vfsgettree+0x41/0xf0 pathmount+0x9b3/0xdd0 _x64sysmount+0x190/0x1d0 dosyscall64+0x35/0x80 entrySYSCALL64after_hwframe+0x46/0xb0

The UAF is because:

mount(pid: 921) | cifsd(pid: 923) -------------------------------|------------------------------- | cifsdemultiplexthread SMB2negotiate | cifssendrecv | compoundsendrecv | smbsendrqst | waitforresponse | waiteventstate [1] | | standardreceive3 | cifshandlestandard | handlemid | mid->respbuf = buf; [2] | dequeuemid [3] KILL the process [4] | respiov[i].iovbase = buf | freerspbuf [5] | | isnetworknamedeleted [6] | callback

1. After send request to server, wait the response until mid->mid_state != SUBMITTED;
2. Receive response from server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.

It can be easily reproduce with add some delay in [3] - [6].

Only sync call has the problem since async call's callback is executed in cifsd process.

Add an extra state to mark the mid state to READY before wakeup the waitter, then it can get the resp safely.