CVE-2023-52741

Source
https://cve.org/CVERecord?id=CVE-2023-52741
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52741.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52741
Downstream
Related
Published
2024-05-21T15:23:03.867Z
Modified
2026-03-14T12:16:51.719387Z
Summary
cifs: Fix use-after-free in rdata->read_into_pages()
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix use-after-free in rdata->read_into_pages()

When the network status is unstable, use-after-free may occur when reading data from the server.

BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0

Call Trace:
 <TASK>
 dump_stack_lvl+0x38/0x4c
 print_report+0x16f/0x4a6
 kasan_report+0xb7/0x130
 readpages_fill_pages+0x14c/0x7e0
 cifs_readv_receive+0x46d/0xa40
 cifs_demultiplex_thread+0x121c/0x1490
 kthread+0x16b/0x1a0
 ret_from_fork+0x2c/0x50
 </TASK>

Allocated by task 2535:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x82/0x90
 cifs_readdata_direct_alloc+0x2c/0x110
 cifs_readdata_alloc+0x2d/0x60
 cifs_readahead+0x393/0xfe0
 read_pages+0x12f/0x470
 page_cache_ra_unbounded+0x1b1/0x240
 filemap_get_pages+0x1c8/0x9a0
 filemap_read+0x1c0/0x540
 cifs_strict_readv+0x21b/0x240
 vfs_read+0x395/0x4b0
 ksys_read+0xb8/0x150
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 79:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10e/0x1a0
 __kmem_cache_free+0x7a/0x1a0
 cifs_readdata_release+0x49/0x60
 process_one_work+0x46c/0x760
 worker_thread+0x2a4/0x6f0
 kthread+0x16b/0x1a0
 ret_from_fork+0x2c/0x50

Last potentially related work creation:
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 insert_work+0x2b/0x130
 __queue_work+0x1fe/0x660
 queue_work_on+0x4b/0x60
 smb2_readv_callback+0x396/0x800
 cifs_abort_connection+0x474/0x6a0
 cifs_reconnect+0x5cb/0xa50
 cifs_readv_from_socket.cold+0x22/0x6c
 cifs_read_page_from_socket+0xc1/0x100
 readpages_fill_pages.cold+0x2f/0x46
 cifs_readv_receive+0x46d/0xa40
 cifs_demultiplex_thread+0x121c/0x1490
 kthread+0x16b/0x1a0
 ret_from_fork+0x2c/0x50

The following function calls will cause UAF of the rdata pointer.

readpages_fill_pages
 cifs_read_page_from_socket
  cifs_readv_from_socket
   cifs_reconnect
    __cifs_reconnect
     cifs_abort_connection
      mid->callback() --> smb2_readv_callback
       queue_work(&rdata->work)  # if the worker completes first,
                                 # the rdata is freed
                                 cifs_readv_complete
                                  kref_put
                                   cifs_readdata_release
                                    kfree(rdata)
 return rdata->...               # UAF in readpages_fill_pages()

Similarly, this problem also occurs in uncached_fill_pages().

Fix this by adjusting the order of condition judgment in the return statement.
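As an added illustration, not the kernel's code and not part of this record, here is a small instrumented C model of the race above: the order of the two operands in the return statement decides whether rdata is read after the worker may have freed it. The got_bytes field, the -ECONNABORTED check and the exact operand order are assumptions modelled on the description, not quoted from the patch; the "free" only marks the object so the freed read can be counted instead of crashing.

```c
#include <errno.h>
/* Instrumented stand-in for rdata: "kfree" only marks the object freed, and
 * got_bytes is read via load_got_bytes(), which counts reads of freed memory
 * (the role KASAN plays in the report above). Assumed field names. */
struct readdata { int got_bytes; int freed; };
static int uaf_reads;    /* reads of a freed rdata in the current scenario */
static int last_result;  /* return value of the last fill_pages call */
static int load_got_bytes(struct readdata *rdata)
{
    uaf_reads += rdata->freed;
    return rdata->got_bytes;
}
/* Models cifs_read_page_from_socket(): a failed read enters the reconnect
 * path, whose mid callback queues rdata->work; if that worker runs first,
 * it drops the last reference and rdata is freed before we return. */
static int read_page_from_socket(struct readdata *rdata, int sock_ok, int worker_wins)
{
    if (sock_ok)
        return 4096;
    rdata->freed |= worker_wins;  /* cifs_readv_complete -> kfree(rdata) */
    return -ECONNABORTED;
}
/* Before the fix: got_bytes is evaluated first, so on -ECONNABORTED the
 * return statement reads rdata after the worker may have freed it. */
static int fill_pages_buggy(struct readdata *rdata, int sock_ok, int worker_wins)
{
    int result = read_page_from_socket(rdata, sock_ok, worker_wins);
    if (result > 0)
        rdata->got_bytes += result;
    return load_got_bytes(rdata) > 0 && result != -ECONNABORTED ?
           load_got_bytes(rdata) : result;
}
/* After the fix: result is tested first and && short-circuits, so rdata is
 * never touched once the connection has been aborted. */
static int fill_pages_fixed(struct readdata *rdata, int sock_ok, int worker_wins)
{
    int result = read_page_from_socket(rdata, sock_ok, worker_wins);
    if (result > 0)
        rdata->got_bytes += result;
    return result != -ECONNABORTED && load_got_bytes(rdata) > 0 ?
           load_got_bytes(rdata) : result;
}
/* Run one scenario on a fresh rdata: returns the number of freed-memory
 * reads and leaves the fill_pages return value in last_result. */
static int count_uaf_reads(int (*fill)(struct readdata *, int, int), int sock_ok, int worker_wins)
{
    struct readdata rdata = { 0, 0 };
    uaf_reads = 0;
    last_result = fill(&rdata, sock_ok, worker_wins);
    return uaf_reads;
}
```

Both versions return the same value in every scenario; the difference is only that the buggy one touches rdata once on the aborted-connection path, which is exactly the read KASAN flags above.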

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52741.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b3160aebb49b5e07f6bc3b8c5bed6013ca9e422e
Fixed
2b693fe3f760c87fd9768e759f6297f743a1b3b0
Fixed
d1fba1e096ffc7ec11df863a97c50203c47315b9
Fixed
3684a2f6affa1ca52a5d4a12f04d0652efdee65e
Fixed
aa5465aeca3c66fecdf7efcf554aed79b4c4b211

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52741.json"