Linux Kernel ksmbd Component Use-After-Free Vulnerability in Lease Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ksmbd component, specifically within the function responsible for managing parent lease breaks. The operation information pointer, which is accessed through a read-copy-update (RCU) mechanism, is dereferenced after the RCU read lock has been released. This creates a race condition: a concurrent write operation can free the memory before it is accessed, leading to a use-after-free. The vulnerability affects several versions of the Linux kernel.
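The lifetime rule behind this bug class, as an added illustration that is not kernel or ksmbd source: a single-threaded userspace C model in which the reader takes a reference before leaving the read section, so a writer that retires the object cannot free it under the reader. All names (lease_info, lease_get, lease_put, lease_retire, slot) are hypothetical, and the read-section macros are no-op stand-ins for rcu_read_lock()/rcu_read_unlock().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not ksmbd source. */
#define read_section_enter() ((void)0) /* stand-in for rcu_read_lock()   */
#define read_section_exit()  ((void)0) /* stand-in for rcu_read_unlock() */

struct lease_info {
    atomic_int refs;   /* one reference is owned by the published slot */
    bool is_lease;
};

static _Atomic(struct lease_info *) slot; /* models the RCU-published pointer */
static int frees;                         /* counts frees so callers can observe them */

static void lease_publish(bool is_lease)
{
    struct lease_info *li = malloc(sizeof(*li));
    if (!li) abort();
    atomic_init(&li->refs, 1);
    li->is_lease = is_lease;
    atomic_store(&slot, li);
}

/* Drop one reference; the last holder frees the object. */
static void lease_put(struct lease_info *li)
{
    if (li && atomic_fetch_sub(&li->refs, 1) == 1) {
        free(li);
        frees++;
    }
}

/* Safe reader: pin the object BEFORE leaving the read section.
 * The unsafe form loads the pointer, exits the section, then reads li->is_lease. */
static struct lease_info *lease_get(void)
{
    read_section_enter();
    struct lease_info *li = atomic_load(&slot);
    int old = li ? atomic_load(&li->refs) : 0;
    /* increment-if-not-zero: never revive an object whose last reference is gone */
    while (old > 0 && !atomic_compare_exchange_weak(&li->refs, &old, old + 1))
        ;
    read_section_exit();
    return old > 0 ? li : NULL;
}

/* Writer: unpublish the pointer, then drop the slot's reference. */
static void lease_retire(void) { lease_put(atomic_exchange(&slot, NULL)); }
```

In the kernel, RCU is what keeps the memory valid between loading the pointer and taking the reference; this model only shows why the reference must be held for any access made after the read section ends.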

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can commonly result in arbitrary code execution or memory corruption.

Reproduction

To reproduce this vulnerability, trigger a scenario where the 'smb_lazy_parent_lease_break_close' function is called while another thread concurrently modifies the lease information. This can be achieved by manipulating file operations in a way that causes a race condition between reading the lease data and releasing the lock, allowing the memory to be freed before it is accessed.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: May 8, 2026, 9:19 PM
Updated: May 8, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.