Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's ksmbd component, specifically within the ipc_msg_send_request function. The function handles generic netlink replies using an ipc_msg_table_entry stored on the stack. The netlink handler updates the response entry while holding the ipc_msg_table_lock, but ipc_msg_send_request previously validated and freed the response without taking that same lock, creating a race condition. Under high concurrency, the handler can therefore write data into a response entry that has already been freed, resulting in memory corruption. KASAN reports the defect as a slab-use-after-free error.
Triggering this race produces a use-after-free condition: memory that has already been freed is still written to, leading to memory corruption and undefined kernel behavior.
The vulnerability is reproduced in high-concurrency scenarios where ipc_msg_send_request is called while the generic netlink handler is simultaneously updating the response entry, for example by sending multiple netlink messages in quick succession so that the race window is hit.
The vulnerability has been fixed by updating ipc_msg_send_request to validate and free the response entry while holding the ipc_msg_table_lock, so that the handler and the sender can no longer operate on the entry at the same time. Users should apply the latest patches available in the Linux kernel stable tree to address this issue.