Linux Kernel CIFS Subsystem Use-After-Free Vulnerability in MR List Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's CIFS (Common Internet File System) implementation, specifically within the SMB Direct (SMB3) protocol handling. It arises when the allocation of Memory Registrations (MRs) fails: the MR recovery work is not properly initialized and the MR list is not cleared. When the system then attempts to release the MRs, it triggers a use-after-free condition, which can be exploited to access freed memory, potentially leading to arbitrary code execution or other malicious outcomes. The MR release process also generates a warning, indicating a problem that could be exploited.

Impact

Exploitation of this vulnerability causes a use-after-free condition in the CIFS subsystem, specifically within the SMB Direct protocol handling. This can lead to memory corruption, allowing an attacker to manipulate program execution, potentially causing arbitrary code execution or creating a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, mount a CIFS share using the SMB3 protocol with RDMA (Remote Direct Memory Access) enabled. During the mounting process, the CIFS subsystem attempts to allocate Memory Registrations (MRs) for RDMA communication. If this allocation fails, the MR recovery work is not properly initialized, and the MR list remains uncleared. When the system subsequently tries to release the MRs, it generates a warning about the uncleared list and the recovery work, while also triggering the use-after-free condition. This can be observed in the kernel logs, where the warning and the details of the use-after-free condition are reported.
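The failure mode described above, as an added user-space model in C; it is not kernel code and not the upstream patch. All names (struct conn, fill_list, alloc_flawed, alloc_hardened, run_case) are hypothetical, and a fixed arena stands in for the allocator so that stale list entries can be counted without touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

#define POOL 8                  /* constructed arena standing in for the allocator */
struct mr { struct mr *next; bool live; };
struct conn {
    struct mr pool[POOL], *mr_list;   /* arena; head of the MR list */
    bool recovery_ready;              /* models "recovery work initialized" */
    int budget;                       /* allocations that succeed before one fails */
};

/* Allocate and link up to `want` MRs; false at the first failed allocation. */
static bool fill_list(struct conn *c, int want) {
    for (int i = 0; i < want && i < POOL; i++) {
        if (c->budget-- <= 0) return false;     /* simulated allocation failure */
        c->pool[i] = (struct mr){ .next = c->mr_list, .live = true };
        c->mr_list = &c->pool[i];
    }
    return true;
}

/* Flawed error path: entries released but still linked, recovery state never set. */
static void alloc_flawed(struct conn *c, int want) {
    if (fill_list(c, want)) { c->recovery_ready = true; return; }
    for (struct mr *m = c->mr_list; m; m = m->next) m->live = false;
}

/* Hardened error path: recovery state set first, each entry unlinked on release. */
static void alloc_hardened(struct conn *c, int want) {
    c->recovery_ready = true;
    if (fill_list(c, want)) return;
    for (struct mr *m = c->mr_list, *n; m; m = n) { n = m->next; *m = (struct mr){ 0 }; }
    c->mr_list = NULL;
}

/* Returns how many released entries teardown would still reach via the list. */
static int run_case(bool hardened, int want, int budget, bool *recovery_ready) {
    struct conn c = { .budget = budget };
    if (hardened) alloc_hardened(&c, want); else alloc_flawed(&c, want);
    *recovery_ready = c.recovery_ready;
    int stale = 0;
    for (struct mr *m = c.mr_list; m; m = m->next) stale += !m->live;
    return stale;
}

int main(void) {
    bool r;
    printf("flawed: %d stale, hardened: %d stale\n", run_case(false, 4, 2, &r), run_case(true, 4, 2, &r));
    return 0;
}
```

A non-zero count from run_case is the state in which a later release pass would walk entries that have already been given back.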

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: Sep 18, 2025, 5:09 PM
Updated: Sep 18, 2025, 5:09 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.