Linux Kernel CIFS Client Use-After-Free Vulnerability in SMB2 Query Info Compound

Vulnerability

A use-after-free has been identified in the Linux kernel's CIFS/SMB client, in the SMB2 query info compound function (smb2_query_info_compound()). When a compound request fails with a transient, replayable error, the function jumps back to a replay label and resends the request. On the first pass it may have obtained a cached directory handle, the cfid (a struct cached_fid, i.e. a cached directory file handle, not a connection identifier), and it drops its reference to that handle before retrying. Because the local cfid pointer was not cleared, the retried pass can still see the old pointer, dereference it and release it a second time, even though the reference it came from has already been dropped and the object may have been freed in the meantime: a dangling pointer and a use-after-free. The fix resets cfid to NULL before the compound is replayed. The vulnerability affects the Linux kernel stable tree.

Impact

A freed struct cached_fid is read, and its reference count decremented, from kernel context. The realistic outcome is a kernel crash or memory corruption on the client (denial of service); as with any kernel use-after-free, escalation to arbitrary code execution cannot be ruled out. The trigger is a replayed SMB2 compound request, i.e. a transient failure such as a reconnect, which a misbehaving or malicious server (or an on-path attacker able to disrupt the connection) is in a position to induce against a client that has the share mounted.

Reproduction

Reproducing this requires a CIFS/SMB mount and a code path that calls smb2_query_info_compound() while a cached directory handle is available (the client caches the handle for the share root, so attribute queries against the root of the mount are the natural candidate). On the first pass the function takes a reference to the cfid; when the request fails with a replayable error, it drops that reference and retries. If the retry runs with the stale cfid pointer still set and cannot obtain a fresh handle, the second pass dereferences the old pointer and drops a reference it no longer owns. The observable symptom is the cfid's reference count going negative (underflowing), typically as a refcount warning or a splat in close_cached_dir()/smb2_query_info_compound(); on a KASAN-enabled kernel the access is reported as a use-after-free. Inducing the replay in practice means making the first compound fail transiently, e.g. by forcing a reconnect between client and server at the right moment.
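The following C program is an added example, not kernel code, written to illustrate the mechanism described in the Vulnerability and Reproduction sections above. It models a refcounted cached handle and a request loop that, on a replayable error, drops its reference and jumps back to a replay label. The helper names open_cached_dir and close_cached_dir echo the kernel's but are stand-ins; the single-entry cache, the lease break on the first failure, the error values and the assumption that a failed open leaves the output pointer untouched are all constructed for the model. Running the loop once without the fix and once with it shows the stale dereference and the refcount underflow in the first case and neither in the second.

```c
/*
 * Added example, not kernel code: a toy model of the retry pattern in
 * smb2_query_info_compound(). The cache, the lease break, the error values
 * and the helper names (stand-ins echoing the kernel's) are constructed to
 * show how a pointer that outlives its reference becomes a use-after-free
 * on the replayed pass, and why clearing it before the replay fixes it.
 */
#include <stdio.h>

#define EAGAIN      11
#define EOPNOTSUPP  95
#define MAX_RETRIES 5

/* Stand-in for struct cached_fid: a refcounted cached directory handle. */
struct cached_fid {
	int refcount;
	int freed;  /* set when the last reference is dropped */
};

/* The "cache" owns one entry and holds one reference while its lease is
 * valid. Static storage keeps a stale read observable instead of undefined. */
static struct cached_fid cache_entry;
static int cache_has_lease;

/* Take a reference. On failure *ret_cfid is left untouched (an assumption of
 * this model); that is what lets a stale pointer survive into the retry. */
static int open_cached_dir(struct cached_fid **ret_cfid)
{
	if (!cache_has_lease)
		return -EOPNOTSUPP;
	cache_entry.refcount++;
	*ret_cfid = &cache_entry;
	return 0;
}

/* Drop a reference; the object is "freed" at zero. A drop past zero is the
 * refcount underflow the advisory describes, recorded instead of crashing. */
static void close_cached_dir(struct cached_fid *cfid)
{
	if (cfid->refcount <= 0) {
		cfid->refcount--;
		return;
	}
	if (--cfid->refcount == 0)
		cfid->freed = 1;
}

struct outcome {
	int rc;
	int stale_deref;    /* 1 if a freed cfid was read */
	int final_refcount; /* negative means underflow */
};

/* Constructed transport: attempt 0 fails with -EAGAIN and the failure breaks
 * the directory lease, so the cache drops its reference and the retry cannot
 * get a fresh handle. Attempt 1 succeeds. */
static int send_compound(int attempt, struct cached_fid *cfid, struct outcome *o)
{
	if (cfid && cfid->freed)
		o->stale_deref = 1; /* the real code uses the fid stored in cfid here */
	if (attempt == 0) {
		cache_has_lease = 0;
		close_cached_dir(&cache_entry);
		return -EAGAIN;
	}
	return 0;
}

/* reset_cfid_on_replay: 0 models the vulnerable code, 1 the fixed code. */
static struct outcome query_info_compound(int reset_cfid_on_replay)
{
	struct cached_fid *cfid = NULL;
	struct outcome o = {0, 0, 0};
	int retries = 0, rc;

	cache_entry.refcount = 1;   /* the cache's own reference */
	cache_entry.freed = 0;
	cache_has_lease = 1;
replay_again:
	open_cached_dir(&cfid);     /* cfid unchanged if this fails */
	rc = send_compound(retries, cfid, &o);
	if (cfid)
		close_cached_dir(cfid); /* reference dropped, pointer kept */
	if (rc == -EAGAIN && retries++ < MAX_RETRIES) {
		if (reset_cfid_on_replay)
			cfid = NULL;        /* the fix: no dead pointer into the replay */
		goto replay_again;
	}
	o.rc = rc;
	o.final_refcount = cache_entry.refcount;
	return o;
}

int main(void)
{
	struct outcome bad = query_info_compound(0), good = query_info_compound(1);

	printf("vulnerable: stale_deref=%d refcount=%d\n", bad.stale_deref, bad.final_refcount);
	printf("fixed:      stale_deref=%d refcount=%d\n", good.stale_deref, good.final_refcount);
	return 0;
}
```

In the model the stale object stays in place, so the damage is visible as a clean refcount of -1; in the real kernel the freed struct cached_fid can be reallocated for something else before the replay touches it, which is why the symptom in practice is a KASAN report or a corrupted refcount rather than a tidy negative number. The general lesson for any retry loop is the same: a pointer must not outlive the reference it was obtained from, so clear it at the point the reference is dropped, not at the point it is next assigned.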

Remediation

Upgrade to a kernel release that carries the fix to smb2_query_info_compound() in fs/smb/client/smb2ops.c (the change that resets cfid to NULL before the replay); the stable releases that received the backport, and the kernel sources themselves, are available from the official Linux kernel website. To confirm that a given kernel is fixed, check that its source for smb2_query_info_compound() clears cfid before the jump back to the replay label. Until the update is applied, avoid mounting SMB shares from servers that are not trusted, since the replay that triggers the bug is driven by the connection failing.

Added: Dec 8, 2025, 1:23 AM
Updated: Dec 8, 2025, 1:23 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.