Linux Kernel ksmbd Component Use-After-Free Vulnerability in Tree Connection Management

Vulnerability

A use-after-free vulnerability has been identified in the ksmbd component of the Linux kernel, specifically within the tree connection management. This issue arises under high concurrency conditions, where a tree-connection object (tcon) is freed during a disconnect process. Simultaneously, another path may still hold a reference to the tcon and attempt to execute a put or write operation on it, leading to potential memory corruption.

Impact

Triggering this vulnerability can result in a use-after-free condition, which may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, create a scenario with high concurrency where multiple processes attempt to disconnect tree connections simultaneously. One process should initiate a disconnect, freeing the tree-connection object, while another process holds a reference to the same object and tries to perform a put or write operation on it. This can be achieved by manipulating the reference counting of the tree connection objects to create a race condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is available in the Linux kernel stable tree.
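
The lifetime rule that prevents the race described under Vulnerability, as an added user-space C model (not ksmbd code and not the upstream patch; every name in it is hypothetical): disconnect only marks the state and drops the table's reference, and memory is released by whichever path drops the last reference.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical user-space model of a refcounted tree connection (tcon). */
enum { TCON_ACTIVE, TCON_DISCONNECTED };
struct tcon { atomic_int refs; atomic_int state; };

static struct tcon *tcon_create(void) {
    struct tcon *t = malloc(sizeof(*t));
    if (!t) return NULL;
    atomic_init(&t->refs, 1);             /* the session table's reference */
    atomic_init(&t->state, TCON_ACTIVE);
    return t;
}

/* Request path: take a reference unless the count already reached zero. */
static bool tcon_get(struct tcon *t) {
    int old = atomic_load(&t->refs);
    while (old > 0 && !atomic_compare_exchange_weak(&t->refs, &old, old + 1))
        ;
    return old > 0;
}

/* Only the caller that drops the last reference frees; true if freed. */
static bool tcon_put(struct tcon *t) {
    if (atomic_fetch_sub(&t->refs, 1) != 1) return false;
    free(t);
    return true;
}

/* Disconnect marks state and drops the table's reference once; never frees directly. */
static bool tcon_disconnect(struct tcon *t) {
    if (atomic_exchange(&t->state, TCON_DISCONNECTED) == TCON_DISCONNECTED)
        return false;                     /* repeated disconnect: no double put */
    return tcon_put(t);
}

/* Write on a held reference: refused after disconnect, still memory-safe. */
static int tcon_write(struct tcon *t) {
    return atomic_load(&t->state) == TCON_ACTIVE ? 0 : -1;
}

/* Constructed interleaving, run sequentially: returns 0 when the rule holds. */
int main(void) {
    struct tcon *t = tcon_create();
    if (!t || !tcon_get(t)) return 1;     /* request path holds a reference */
    bool early = tcon_disconnect(t);      /* disconnect arrives mid-request */
    return (early || tcon_write(t) != -1 || !tcon_put(t)) ? 1 : 0;
}
```

The model assumes the lookup that calls `tcon_get` runs while the table still holds its own reference (in a kernel, under the table lock or RCU); without that, the lookup itself would touch freed memory.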

Added: Jan 13, 2026, 5:53 PM
Updated: Jan 13, 2026, 5:53 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.