Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's ksmbd component, specifically during the durable V2 replay of active file handles. The issue arises because parse_durable_handle_context() unconditionally assigns the current connection to dh_info->fp->conn when processing a DURABLE_REQ_V2 context carrying SMB2_FLAGS_REPLAY_OPERATION. Because ksmbd_lookup_fd_cguid() does not filter by fp->conn, it can return file handles that are still attached to another active connection, and their connection pointer is then silently overwritten. When the overwritten connection is later freed, __ksmbd_close_fd() dereferences the stale pointer, producing the use-after-free reported by the Kernel Address Sanitizer (KASAN).
Exploitation of this vulnerability leads to a use-after-free condition, where a freed memory region is accessed, potentially causing memory corruption or allowing an attacker to execute arbitrary code.
To reproduce this vulnerability, first ensure that the Linux kernel in use is a version in which the ksmbd component is affected. Then initiate a durable V2 request with the SMB2_FLAGS_REPLAY_OPERATION flag set. The parse_durable_handle_context() function will assign the current connection to the file handle's connection pointer. Because ksmbd_lookup_fd_cguid() is called without filtering by the connection pointer, it returns file handles that are still active on another connection. The vulnerability is triggered when that connection is freed and __ksmbd_close_fd() attempts to lock and access the now-freed connection pointer, causing a use-after-free error.
The vulnerability has been fixed by modifying parse_durable_handle_context() to remove the unconditional assignment of the connection pointer. The updated logic rejects a replay request when the file handle's connection pointer is already set, matching the behavior of ksmbd_lookup_durable_fd(). Users should upgrade to a patched version of the Linux kernel in which this fix is applied.