Linux kernel
Affected product: cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 further CPE entries not listed here)
A use-after-free vulnerability has been identified in the Linux kernel's SMB2 client, in the handling of asynchronous cryptographic operations. The issue appears when hardware crypto accelerators are in use and leads to kernel crashes. The vulnerability was introduced when the fix for CVE-2024-50047 removed the asynchronous crypto handling from the 'crypt_message()' function on the assumption that all operations complete synchronously. Hardware crypto modules, however, can process requests asynchronously, so 'crypt_message()' freed the request buffer while the encryption or decryption operation was still in progress. This premature deallocation creates a use-after-free condition: the freed memory is accessed later by the crypto driver, and the kernel crashes with a NULL pointer dereference.
Exploitation of this vulnerability leads to kernel crashes caused by NULL pointer dereferences, disrupting system stability and potentially causing a denial of service.
The vulnerability can be reproduced by using the SMB2 client with hardware crypto accelerators enabled. With such an accelerator, the 'crypt_message()' function submits the encryption or decryption asynchronously and the crypto API returns '-EINPROGRESS' while the operation is still ongoing. If the request buffer is freed at that point, a use-after-free occurs when the crypto driver later completes the operation and touches the now-freed memory, causing a crash.
The vulnerability has been addressed by restoring the proper asynchronous crypto handling in the affected function. Users should ensure they are running a version of the Linux kernel that includes this fix.
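The following user-space model (added here as an illustration; it is not kernel code and the engine, request pool and both 'crypt_message' shapes are constructed for the example) shows why freeing a request that returned '-EINPROGRESS' is a use-after-free, and the wait-for-completion pattern that the fix restores. In the real kernel the completion runs from the driver's interrupt context rather than from a call made by the waiting thread.

```c
/* Added model, not kernel code: why freeing an AEAD request that returned
 * -EINPROGRESS is a use-after-free, and the wait-for-completion pattern the fix
 * restores. Engine, request pool and both crypt_message shapes are constructed. */
#include <errno.h>
#include <stddef.h>
struct req { unsigned char *buf; size_t len; int done; int in_use; };
/* Two-slot request pool: "freeing" clears in_use, so a later touch is
 * reported instead of being real undefined behaviour. */
static struct req pool[2];
static struct req *req_alloc(unsigned char *buf, size_t len) {
    for (int i = 0; i < 2; i++)
        if (!pool[i].in_use) { pool[i] = (struct req){buf, len, 0, 1}; return &pool[i]; }
    return NULL;
}
static void req_free(struct req *r) { r->in_use = 0; }

/* Model accelerator: submit only queues; the work happens later in engine_run(),
 * which stands in for the completion interrupt of a real driver. */
static struct req *queued;
static int engine_submit(struct req *r) { queued = r; return -EINPROGRESS; }
/* Returns 0, or -1 when the engine touches a request already handed back. */
int engine_run(void) {
    struct req *r = queued; queued = NULL;
    if (!r) return 0;
    if (!r->in_use) return -1;                          /* use-after-free */
    for (size_t i = 0; i < r->len; i++) r->buf[i] ^= 0x5a; /* stand-in for GCM */
    r->done = 1;
    return 0;
}

/* Pre-fix shape: any non-zero rc, -EINPROGRESS included, is treated as failure
 * and the request is freed while the engine still owns it. */
int crypt_message_before_fix(unsigned char *buf, size_t len) {
    struct req *r = req_alloc(buf, len);
    int rc = engine_submit(r);
    req_free(r);                /* bug: back in the pool with work pending */
    return rc;
}

/* Fixed shape: block until completion is signalled, then free the request. */
int crypt_message_fixed(unsigned char *buf, size_t len) {
    struct req *r = req_alloc(buf, len);
    int rc = engine_submit(r);
    if (rc == -EINPROGRESS) {             /* role of crypto_wait_req() in-kernel */
        while (!r->done) if (engine_run() != 0) return -1;
        rc = 0;
    }
    req_free(r);
    return rc;
}
```

Calling 'crypt_message_before_fix()' and then letting the engine complete reproduces the freed-request access, while 'crypt_message_fixed()' returns 0 with the buffer transformed and nothing left pending.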