Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's SMB client, specifically in the decryption process when using multichannel. This issue arises after certain commits that changed how cryptographic resources are allocated and reused across channels. The vulnerability can lead to a slab-use-after-free error, as demonstrated by a KASAN (Kernel Address Sanitizer) report when running a specific filesystem test against Windows Server 2022.
Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by running the Linux kernel with the CIFS (Common Internet File System) client enabled. When connected to a Windows Server 2022 share using SMB version 3.1.1, multichannel support, and the sealing feature, the KASAN-enabled kernel will produce a slab-use-after-free error. This indicates that the vulnerability has been successfully triggered by the simultaneous decryption operations occurring across multiple CIFS threads, one for each channel.