Linux Kernel CIFS Memory and Information Leak Vulnerability in SMB3 Reconfiguration

A vulnerability in the Linux kernel's CIFS (Common Internet File System) implementation has been addressed. The issue arose in the 'smb3_reconfigure()' function, where a failure in 'smb3_sync_session_ctx_passwords()' led to an immediate return without freeing the newly allocated password buffers. This oversight created both a memory leak and a potential information leak. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability could lead to a memory leak and an information leak, where sensitive data such as passwords could be exposed.

Reproduction

The vulnerability can be reproduced by triggering a failure in the 'smb3_sync_session_ctx_passwords()' function during the execution of 'smb3_reconfigure()'. This failure will cause the function to return without properly freeing the allocated password buffers, resulting in a memory and information leak.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.