Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-52741— cifs: Fix use-after-free in rdata->read_into_pages()

EPSS 0.02% · P4
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-52741

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
cifs: Fix use-after-free in rdata->read_into_pages()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix use-after-free in rdata->read_into_pages() When the network status is unstable, use-after-free may occur when read data from the server. BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0 Call Trace: <TASK> dump_stack_lvl+0x38/0x4c print_report+0x16f/0x4a6 kasan_report+0xb7/0x130 readpages_fill_pages+0x14c/0x7e0 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 </TASK> Allocated by task 2535: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x82/0x90 cifs_readdata_direct_alloc+0x2c/0x110 cifs_readdata_alloc+0x2d/0x60 cifs_readahead+0x393/0xfe0 read_pages+0x12f/0x470 page_cache_ra_unbounded+0x1b1/0x240 filemap_get_pages+0x1c8/0x9a0 filemap_read+0x1c0/0x540 cifs_strict_readv+0x21b/0x240 vfs_read+0x395/0x4b0 ksys_read+0xb8/0x150 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 79: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x50 __kasan_slab_free+0x10e/0x1a0 __kmem_cache_free+0x7a/0x1a0 cifs_readdata_release+0x49/0x60 process_one_work+0x46c/0x760 worker_thread+0x2a4/0x6f0 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Last potentially related work creation: kasan_save_stack+0x22/0x50 __kasan_record_aux_stack+0x95/0xb0 insert_work+0x2b/0x130 __queue_work+0x1fe/0x660 queue_work_on+0x4b/0x60 smb2_readv_callback+0x396/0x800 cifs_abort_connection+0x474/0x6a0 cifs_reconnect+0x5cb/0xa50 cifs_readv_from_socket.cold+0x22/0x6c cifs_read_page_from_socket+0xc1/0x100 readpages_fill_pages.cold+0x2f/0x46 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 The following function calls will cause UAF of the rdata pointer. readpages_fill_pages cifs_read_page_from_socket cifs_readv_from_socket cifs_reconnect __cifs_reconnect cifs_abort_connection mid->callback() --> smb2_readv_callback queue_work(&rdata->work) # if the worker completes first, # the rdata is freed cifs_readv_complete kref_put cifs_readdata_release kfree(rdata) return rdata->... # UAF in readpages_fill_pages() Similarly, this problem also occurs in the uncache_fill_pages(). Fix this by adjusts the order of condition judgment in the return statement.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于cifs模块存在释放后重用漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux b3160aebb49b5e07f6bc3b8c5bed6013ca9e422e ~ 2b693fe3f760c87fd9768e759f6297f743a1b3b0 -
LinuxLinux 3.17 -

II. Public POCs for CVE-2023-52741

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-52741

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-05-21 · 361 CVEs total

CVE-2021-47432lib/generic-radix-tree.c: Don't overflow in peek()
CVE-2023-52760gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
CVE-2023-52757smb: client: fix potential deadlock when releasing mids
CVE-2023-52755ksmbd: fix slab out of bounds write in smb_inherit_dacl()
CVE-2023-52754media: imon: fix access to invalid resource for the second interface
CVE-2023-52753drm/amd/display: Avoid NULL dereference of timing generator
CVE-2023-52752smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
CVE-2023-52751smb: client: fix use-after-free in smb2_query_info_compound()
CVE-2023-52750arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
CVE-2023-52749spi: Fix null dereference on suspend
CVE-2023-52748f2fs: avoid format-overflow warning
CVE-2022-48710drm/radeon: fix a possible null pointer dereference
CVE-2023-52742net: USB: Fix wrong-direction WARNING in plusb.c
CVE-2023-52737btrfs: lock the inode in shared mode before starting fiemap
CVE-2023-52738drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini
CVE-2023-52740powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch
CVE-2023-52739Fix page corruption caused by racy check in __free_pages
CVE-2023-52743ice: Do not use WQ_MEM_RECLAIM flag for workqueue
CVE-2023-52746xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
CVE-2023-52747IB/hfi1: Restore allocated resources on failed copyout

Showing top 20 of 361 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2023-52741

No comments yet

Leave a comment