Linux Kernel CIFS Component Use-After-Free Vulnerability in SMB2 Reconnect Function

Vulnerability

A use-after-free vulnerability has been identified in the CIFS (Common Internet File System) component of the Linux kernel. This issue arises in the SMB2 (Server Message Block version 2) reconnect server function, where the session state is not properly managed. The vulnerability is present in the Linux kernel stable tree. The problem occurs because the function incorrectly collects sessions that are in the process of exiting, leading to a potential use-after-free scenario. The exiting session remains in the server's session list until it has completed its cleanup processes, such as freeing IPC resources and logging off, creating a window for exploitation.
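The lifetime problem described above, as an added example: a single-threaded userspace model written for this page, not kernel code and not the upstream fix. Every name in it is hypothetical, and it assumes teardown frees the session unconditionally once cleanup ends, so a reference taken after the exit has begun does not keep the object alive.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only; all names are hypothetical, not kernel identifiers. */
enum ses_state { ST_ACTIVE, ST_EXITING };
struct session {
    enum ses_state state;
    int refs;     /* references held by users of the session */
    bool freed;   /* stands in for the free, so the model never reads freed memory */
};
struct server { struct session *list[4]; size_t n; };

/* Teardown step 1: last user is gone; session is marked but stays on the list. */
static void begin_exit(struct session *s) { s->refs = 0; s->state = ST_EXITING; }

/* Teardown step 2: cleanup (IPC release, logoff) is done; unlink and free. */
static void finish_exit(struct server *srv, struct session *s)
{
    for (size_t i = 0; i < srv->n; i++)
        if (srv->list[i] == s) { srv->list[i] = srv->list[--srv->n]; break; }
    s->freed = true;
}

/* Reconnect worker, pass 1: collect sessions to process later.
 * skip_exiting=false models the flawed walk, true the corrected one. */
static size_t collect(struct server *srv, struct session **out, bool skip_exiting)
{
    size_t k = 0;
    for (size_t i = 0; i < srv->n; i++) {
        struct session *s = srv->list[i];
        if (skip_exiting && s->state == ST_EXITING)
            continue;          /* teardown owns this object now */
        s->refs++;             /* assumed too late to stop the pending free */
        out[k++] = s;
    }
    return k;
}

/* Interleaving: exit begins, worker collects, exit finishes, worker processes.
 * Returns how many collected sessions were already freed when processed. */
int stale_after_race(bool skip_exiting)
{
    struct session a = { ST_ACTIVE, 1, false }, b = { ST_ACTIVE, 1, false };
    struct server srv = { { &a, &b }, 2 };
    struct session *work[4];
    begin_exit(&b);
    size_t k = collect(&srv, work, skip_exiting);
    finish_exit(&srv, &b);
    int stale = 0;
    for (size_t i = 0; i < k; i++)
        stale += work[i]->freed;   /* in real code this access is the use-after-free */
    return stale;
}
```

In this model the stale reference disappears only when the collector checks the session state while walking the list; removing the session from the list earlier would change the teardown order the advisory describes.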

Impact

This vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, initiate a CIFS session and then trigger a logoff process while the session is still being referenced in the SMB2 reconnect server function. This can be done by manipulating the session state to exit while simultaneously invoking the reconnect process, causing the session to be improperly handled and leading to a use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: Dec 9, 2025, 1:50 AM
Updated: Dec 9, 2025, 1:50 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.