{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2023-52572",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-03-02T21:55:42.567Z",
        "datePublished": "2024-03-02T21:59:41.980Z",
        "dateUpdated": "2024-08-02T23:03:20.848Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:13:45.320Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n  BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n  Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n  CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n  ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   print_report+0x171/0x472\n   kasan_report+0xad/0x130\n   kasan_check_range+0x145/0x1a0\n   smb2_is_network_name_deleted+0x27/0x160\n   cifs_demultiplex_thread.cold+0x172/0x5a4\n   kthread+0x165/0x1a0\n   ret_from_fork+0x1f/0x30\n   </TASK>\n\n  Allocated by task 923:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   __kasan_slab_alloc+0x54/0x60\n   kmem_cache_alloc+0x147/0x320\n   mempool_alloc+0xe1/0x260\n   cifs_small_buf_get+0x24/0x60\n   allocate_buffers+0xa1/0x1c0\n   cifs_demultiplex_thread+0x199/0x10d0\n   kthread+0x165/0x1a0\n   ret_from_fork+0x1f/0x30\n\n  Freed by task 921:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   kasan_save_free_info+0x2a/0x40\n   ____kasan_slab_free+0x143/0x1b0\n   kmem_cache_free+0xe3/0x4d0\n   cifs_small_buf_release+0x29/0x90\n   SMB2_negotiate+0x8b7/0x1c60\n   smb2_negotiate+0x51/0x70\n   cifs_negotiate_protocol+0xf0/0x160\n   cifs_get_smb_ses+0x5fa/0x13c0\n   mount_get_conns+0x7a/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921)               | cifsd(pid: 923)\n-------------------------------|-------------------------------\n                               | cifs_demultiplex_thread\nSMB2_negotiate                 |\n cifs_send_recv                |\n  compound_send_recv           |\n   smb_send_rqst               |\n    wait_for_response          |\n     wait_event_state      [1] |\n                               |  standard_receive3\n                               |   cifs_handle_standard\n                               |    handle_mid\n                               |     mid->resp_buf = buf;  [2]\n                               |     dequeue_mid           [3]\n     KILL the process      [4] |\n    resp_iov[i].iov_base = buf |\n free_rsp_buf              [5] |\n                               |   is_network_name_deleted [6]\n                               |   callback\n\n1. After send request to server, wait the response until\n    mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/smb/client/cifsglob.h",
                        "fs/smb/client/transport.c"
                    ],
                    "versions": [
                        {
                            "version": "ec637e3ffb6b",
                            "lessThan": "908b3b5e97d2",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec637e3ffb6b",
                            "lessThan": "76569e3819e0",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec637e3ffb6b",
                            "lessThan": "d527f51331ca",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/smb/client/cifsglob.h",
                        "fs/smb/client/transport.c"
                    ],
                    "versions": [
                        {
                            "version": "2.6.16",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "2.6.16",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.56",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.5.6",
                            "lessThanOrEqual": "6.5.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3"
                },
                {
                    "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a"
                },
                {
                    "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f"
                }
            ],
            "title": "cifs: Fix UAF in cifs_demultiplex_thread()",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "title": "CISA ADP Vulnrichment",
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2023-52572",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-03-04T14:36:02.875226Z"
                            }
                        }
                    }
                ],
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-04T17:23:18.290Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T23:03:20.848Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}