Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 7.0.0-rc3, < 7.0.0-rc3+
A use-after-free vulnerability has been identified in the ksmbd component of the Linux kernel. It arises because smb2_get_ksmbd_tcon() reuses the connection (tcon) pointer for later commands in a compound request without re-validating the connection state. The initial lookup path verifies that the connection is active, but the compound reuse path skips this check. As a result, if an earlier command in the chain disconnects the tree and frees the associated share configuration, a subsequent command can access the freed memory, producing a use-after-free. The issue was detected by the Kernel Address Sanitizer (KASAN).
Triggering the bug produces a slab use-after-free: freed slab memory is accessed, which can lead to memory corruption or potentially arbitrary code execution.
The reported trigger is a compound SMB2 request that chains a tree disconnect followed by a tree connect. The tree disconnect sets the connection state to disconnected and frees the associated share configuration; when the chained tree connect is processed, it accesses the freed share configuration, triggering the use-after-free.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to a stable kernel release that includes the fix.
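The control-flow gap described above, as a constructed C model added here (not the kernel's code): the structure and function names are hypothetical simplifications, and the freed share pointer is nulled so the model stays memory safe while still showing that only the hardened reuse path rejects a tree connection that an earlier chained command disconnected.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model, not the kernel's code: every name and field below is a
 * hypothetical simplification of the ksmbd structures involved. */
enum tcon_state { TCON_CONNECTED, TCON_DISCONNECTED };
struct share_config { int refcount; };
struct tree_connection { enum tcon_state state; struct share_config *share; /* freed on tree disconnect */ };
struct work {
    bool is_compound;                  /* a later command in a compound chain */
    struct tree_connection *tcon;      /* pointer carried over from the chain */
    struct tree_connection *candidate; /* stand-in for the tree-id lookup hit */
};

/* Initial lookup path: only an active tree connection is handed back. */
static struct tree_connection *lookup_tcon(struct work *w) {
    if (w->candidate && w->candidate->state == TCON_CONNECTED)
        return w->candidate;
    return NULL;
}

/* Vulnerable shape: the compound reuse path skips the state check. */
static struct tree_connection *get_tcon_vulnerable(struct work *w) {
    if (w->is_compound && w->tcon)
        return w->tcon;
    return lookup_tcon(w);
}

/* Hardened shape: the reuse path validates the state like the lookup does. */
static struct tree_connection *get_tcon_fixed(struct work *w) {
    if (w->is_compound && w->tcon)
        return w->tcon->state == TCON_CONNECTED ? w->tcon : NULL;
    return lookup_tcon(w);
}
/* Tree disconnect: mark the tree down and free the share config (nulled here to keep the model safe). */
static void tree_disconnect(struct tree_connection *t) {
    t->state = TCON_DISCONNECTED;
    free(t->share);
    t->share = NULL;
}
/* Reported sequence: tree disconnect, then a chained command; true if the stale tcon is handed back. */
static bool stale_tcon_returned(bool use_fix) {
    struct tree_connection t = { TCON_CONNECTED, calloc(1, sizeof(struct share_config)) };
    struct work w = { .is_compound = false, .tcon = NULL, .candidate = &t };
    w.tcon = lookup_tcon(&w); /* first command: validated lookup succeeds */
    tree_disconnect(&t);      /* its handler tears the tree down */
    w.is_compound = true;     /* next chained command reuses w.tcon */
    return (use_fix ? get_tcon_fixed(&w) : get_tcon_vulnerable(&w)) != NULL;
}
```

With the vulnerable shape the chained command receives the disconnected tcon and would dereference its freed share configuration; the hardened shape returns NULL at that point, which is the check the fix restores.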