Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been addressed in the Linux kernel's CIFS (Common Internet File System) implementation. This issue arose from a potential race condition when connecting to IPC (Inter-Process Communication) trees. The vulnerability was caused by improper management of the TCP_Server_Info::hostname, which could be freed in a separate cifsd thread. This mismanagement led to the use-after-free error in the __tree_connect_dfs_target() function. The vulnerability affects Linux kernel versions 6.2 and later.
Exploitation of this use-after-free could cause memory corruption and potentially allow arbitrary code execution.
The vulnerability can be reproduced by initiating a tree connection to an IPC share while the CIFS client is actively processing other requests. This can be done by mounting a CIFS share with the 'noperm' option, which disables permission checks and allows for concurrent operations. Once the share is mounted, the IPC tree can be connected, triggering the race condition as the hostname is accessed and potentially freed by another thread.
Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.
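The race described above, replayed deterministically in user-space C as an added illustration (not kernel code and not the upstream fix): a hostname string that a "cifsd" reconnect frees and replaces, the vulnerable pattern of borrowing the raw pointer, and the defensive pattern of taking a private copy under the lock. The struct, function names and hostnames are hypothetical stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for TCP_Server_Info: only the fields the race involves. */
struct server_info {
    pthread_mutex_t lock;   /* stand-in for the server lock */
    char *hostname;         /* owned here; the cifsd thread may free and replace it */
};

/* What the cifsd thread does on reconnect: swap in a new hostname, free the old.
 * Any raw pointer to the old string kept by another thread is now dangling. */
static void cifsd_replace_hostname(struct server_info *srv, const char *newname)
{
    pthread_mutex_lock(&srv->lock);
    char *old = srv->hostname;
    srv->hostname = strdup(newname);
    pthread_mutex_unlock(&srv->lock);
    free(old);
}

/* Vulnerable pattern: borrow the raw pointer, drop the lock, use it later.
 * A concurrent reconnect turns the returned pointer into a use-after-free. */
const char *tree_connect_borrow_hostname(struct server_info *srv)
{
    pthread_mutex_lock(&srv->lock);
    const char *host = srv->hostname;
    pthread_mutex_unlock(&srv->lock);
    return host;
}

/* Defensive pattern: duplicate the string while the lock is held, so the
 * tree-connect path owns a copy that the cifsd thread cannot free. */
static char *tree_connect_copy_hostname(struct server_info *srv)
{
    pthread_mutex_lock(&srv->lock);
    char *copy = srv->hostname ? strdup(srv->hostname) : NULL;
    pthread_mutex_unlock(&srv->lock);
    return copy;
}

/* Replay of the interleaving with constructed hostnames: tree connect takes the
 * name, cifsd reconnects (freeing the old string), tree connect then uses what
 * it holds. Returns 1 when the held name is still valid and unchanged. */
int copy_survives_reconnect(void)
{
    struct server_info srv = { PTHREAD_MUTEX_INITIALIZER, strdup("dfs-root.example") };
    char *held = tree_connect_copy_hostname(&srv);
    cifsd_replace_hostname(&srv, "dfs-root2.example");   /* old string freed here */
    int ok = held != NULL && strcmp(held, "dfs-root.example") == 0;
    free(held);
    free(srv.hostname);
    return ok;
}
```

Running the same replay through tree_connect_borrow_hostname() instead is the bug: the borrowed pointer refers to memory freed by the reconnect, which a sanitizer build (ASan/KASAN) reports as a heap use-after-free.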