Linux Kernel ksmbd Oplock Lease Break Acknowledgment Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ksmbd component, specifically in the handling of oplock and lease break acknowledgments. The issue arises when the function ksmbd_iov_pin_rsp returns an error: the error path accesses opinfo->state after the object may already have been released, and opinfo_put and ksmbd_fd_put can be called a second time, creating a risk of memory corruption.
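The defect pattern described above, as an added illustration that is not ksmbd's code: a shared release path (state reset plus reference drop) that is entered again from the response-pinning error branch, versus a version that pins the response first and releases exactly once on every path. The struct, the pin_rsp stand-in and the liveness bookkeeping are hypothetical, constructed only so the misuse is counted rather than actually dereferencing freed memory; the same double-release applies to the file handle reference (ksmbd_fd_put on the page), which is omitted here for brevity.

```c
#include <stdbool.h>
#include <stdio.h>

enum { STATE_NONE = 0, STATE_BREAKING = 1 };

/* Hypothetical refcounted "open info" object, modelled on the shape of the bug. */
struct op_info {
    int refcount;
    int state;
};

/* Counters the demo returns instead of invoking undefined behaviour. */
struct outcome {
    int uaf;        /* accesses to the object after it was released */
    int double_put; /* reference drops on an already-released object */
    int released;   /* how many times the object was actually freed */
};

static struct op_info obj;      /* single constructed object */
static bool obj_live;
static struct outcome stats;

static struct op_info *opinfo_alloc(void)
{
    obj.refcount = 1;
    obj.state = STATE_BREAKING;
    obj_live = true;
    return &obj;
}

/* Stand-in for the kernel's opinfo_put: last reference frees the object. */
static void opinfo_put(struct op_info *o)
{
    if (!obj_live) {
        stats.double_put++;
        return;
    }
    if (--o->refcount == 0) {
        obj_live = false;
        stats.released++;
    }
}

/* Stand-in for writing opinfo->state; a write after release is the UAF. */
static void set_state(struct op_info *o, int s)
{
    if (!obj_live)
        stats.uaf++;
    else
        o->state = s;
}

/* Stand-in for ksmbd_iov_pin_rsp; fail_pin injects the error return. */
static int pin_rsp(bool fail_pin)
{
    return fail_pin ? -1 : 0;
}

/* Flawed flow: the release path runs, then the pin error re-enters it. */
static int break_ack_buggy(struct op_info *o, bool fail_pin)
{
    set_state(o, STATE_NONE);
    opinfo_put(o);                  /* reference dropped here */
    if (pin_rsp(fail_pin) == 0)
        return 0;
    /* error reply path jumps back into the common release code */
    set_state(o, STATE_NONE);       /* use-after-free */
    opinfo_put(o);                  /* second put */
    return -1;
}

/* Corrected flow: decide the outcome first, then release exactly once. */
static int break_ack_fixed(struct op_info *o, bool fail_pin)
{
    int ret = pin_rsp(fail_pin);
    set_state(o, STATE_NONE);
    opinfo_put(o);
    return ret;
}

/* Runs one scenario on a fresh object and reports what happened. */
struct outcome run_break_ack(bool use_fixed, bool fail_pin)
{
    struct outcome zero = {0, 0, 0};
    struct op_info *o = opinfo_alloc();
    stats = zero;
    if (use_fixed)
        break_ack_fixed(o, fail_pin);
    else
        break_ack_buggy(o, fail_pin);
    return stats;
}

int main(void)
{
    struct outcome b = run_break_ack(false, true);
    struct outcome f = run_break_ack(true, true);
    printf("buggy, pin fails: uaf=%d double_put=%d released=%d\n",
           b.uaf, b.double_put, b.released);
    printf("fixed, pin fails: uaf=%d double_put=%d released=%d\n",
           f.uaf, f.double_put, f.released);
    return 0;
}
```

The point for review and detection is the ordering: any error branch that can re-enter a block which drops references must either be placed before that block or be given its own exit that releases nothing twice. KASAN reports of a write to opinfo state in the break-acknowledgment handler, or refcount underflow warnings from the put helpers, are the runtime signatures of this pattern.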

Impact

Triggering this bug produces a use-after-free in kernel memory, which can corrupt memory and potentially lead to arbitrary code execution.

Reproduction

The vulnerability is reached when ksmbd_iov_pin_rsp returns an error during oplock or lease break acknowledgment processing, that is, when the response cannot be pinned successfully. Once the error is returned, the subsequent access to opinfo->state and the repeated release calls produce the use-after-free condition.

Remediation

Upgrade to a Linux kernel version in which this vulnerability has been patched. The commit addressing this issue is available in the Linux kernel stable tree.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.