Bug 1220665 (CVE-2023-52480) - VUL-0: CVE-2023-52480:kernel: ksmbd: fix race condition between session lookup and expire
Summary: VUL-0: CVE-2023-52480:kernel: ksmbd: fix race condition between session looku...
Status: RESOLVED FIXED
Alias: CVE-2023-52480
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Kernel Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395797/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-29 11:52 UTC by SMASH SMASH
Modified: 2024-02-29 11:54 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-29 11:52:47 UTC
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix race condition between session lookup and expire

 Thread A                        +  Thread B
 ksmbd_session_lookup            |  smb2_sess_setup
   sess = xa_load                |
                                 |
                                 |    xa_erase(&conn->sessions, sess->id);
                                 |
                                 |    ksmbd_session_destroy(sess) --> kfree(sess)
                                 |
   // UAF!                       |
   sess->last_active = jiffies   |
                                 +

This patch adds an rwsem to fix the race condition between ksmbd_session_lookup
and ksmbd_expire_session.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52480
https://www.cve.org/CVERecord?id=CVE-2023-52480
https://git.kernel.org/stable/c/18ced78b0ebccc2d16f426143dc56ab3aad666be
https://git.kernel.org/stable/c/53ff5cf89142b978b1a5ca8dc4d4425e6a09745f
https://git.kernel.org/stable/c/a2ca5fd3dbcc665e1169044fa0c9e3eba779202b
https://git.kernel.org/stable/c/c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f
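The following is an added illustration of the locking discipline the description refers to; it is not ksmbd code and not part of the original report. It models the lookup/expire pair in user space: a pthread rwlock stands in for the rwsem the fix introduced, a fixed array stands in for the xarray keyed by session id, and all names (session_table, table_insert, table_lookup_touch, table_expire, table_self_check) are assumptions. The point it demonstrates is that the lookup holds the read side across both the load and the last_active store, while expire takes the write side before erasing and freeing, so the two steps that raced in the diagram above can no longer interleave.

```c
/* Added example, not ksmbd code: a user-space model of the lookup/expire
 * interaction described above.  A pthread rwlock stands in for the rwsem;
 * a fixed array stands in for the xarray.  All names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_SESSIONS 8

struct session {
    uint64_t id;
    uint64_t last_active;   /* plays the role of the jiffies stamp */
};

struct session_table {
    pthread_rwlock_t lock;                /* stands in for the rwsem */
    struct session *slots[MAX_SESSIONS];  /* stands in for conn->sessions */
};

void table_init(struct session_table *t)
{
    pthread_rwlock_init(&t->lock, NULL);
    for (int i = 0; i < MAX_SESSIONS; i++)
        t->slots[i] = NULL;
}

/* Register a session under the write lock; 0 on success, -1 if full. */
int table_insert(struct session_table *t, uint64_t id, uint64_t now)
{
    struct session *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->id = id;
    s->last_active = now;
    int rc = -1;
    pthread_rwlock_wrlock(&t->lock);
    for (int i = 0; i < MAX_SESSIONS && rc; i++)
        if (!t->slots[i]) { t->slots[i] = s; rc = 0; }
    pthread_rwlock_unlock(&t->lock);
    if (rc) free(s);
    return rc;
}

/* Counterpart of ksmbd_session_lookup: find the session and refresh
 * last_active.  The read lock covers BOTH the load and the store, so a
 * concurrent expire blocks on the write lock until we return.  1 if found. */
int table_lookup_touch(struct session_table *t, uint64_t id, uint64_t now)
{
    int found = 0;
    pthread_rwlock_rdlock(&t->lock);
    for (int i = 0; i < MAX_SESSIONS && !found; i++) {
        struct session *s = t->slots[i];
        if (s && s->id == id) {
            s->last_active = now;   /* the store that was a UAF before the fix */
            found = 1;
        }
    }
    pthread_rwlock_unlock(&t->lock);
    return found;
}

/* Counterpart of the expire path: erase and free every session idle longer
 * than timeout, under the write lock.  Returns the number destroyed. */
int table_expire(struct session_table *t, uint64_t now, uint64_t timeout)
{
    int freed = 0;
    pthread_rwlock_wrlock(&t->lock);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = t->slots[i];
        if (s && now - s->last_active > timeout) {
            t->slots[i] = NULL;   /* xa_erase */
            free(s);              /* ksmbd_session_destroy -> kfree */
            freed++;
        }
    }
    pthread_rwlock_unlock(&t->lock);
    return freed;
}

/* Deterministic insert -> touch -> expire sequence; step 4 only passes if the
 * touch at 150 really refreshed the stamp.  Returns 0 on success, else the step. */
int table_self_check(void)
{
    struct session_table t;
    table_init(&t);
    if (table_insert(&t, 1, 100) != 0)       return 1;
    if (table_lookup_touch(&t, 1, 150) != 1) return 2;  /* found and stamped */
    if (table_lookup_touch(&t, 2, 150) != 0) return 3;  /* unknown id */
    if (table_expire(&t, 160, 50) != 0)      return 4;  /* idle 10, kept */
    if (table_expire(&t, 201, 50) != 1)      return 5;  /* idle 51, freed */
    if (table_lookup_touch(&t, 1, 202) != 0) return 6;  /* gone, no stale pointer */
    pthread_rwlock_destroy(&t.lock);
    return 0;
}

int main(void)
{
    return table_self_check();   /* exit status 0 when the sequence behaves */
}
```

The self-check is single-threaded on purpose: it verifies the ordering that the lock enforces rather than trying to reproduce the timing-dependent interleaving. In the kernel the rwsem plays the same role, with the expire side excluded for as long as any lookup holds the read side, which is what removes the window between xa_load and the last_active update.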
Comment 1 Thomas Leroy 2024-02-29 11:54:38 UTC
ksmbd is only supported on stable, which already has the fix. Closing.