
THREATINT
PUBLISHED

CVE-2024-53179

smb: client: fix use-after-free of signing key



Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free of signing key

Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race:

    task A                         task B
    cifs_mount()
     dfs_mount_share()
      get_session()
       cifs_mount_get_session()    cifs_send_recv()
        cifs_get_smb_ses()          compound_send_recv()
         cifs_setup_session()        smb2_setup_request()
          kfree_sensitive()           smb2_calc_signature()
                                       crypto_shash_setkey() *UAF*

Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held.

After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING.
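The locking rule the description states, as an added userspace model in C; it is not the kernel patch or any code from this advisory. The struct, the function names and the pthread mutex standing in for @ses->ses_lock are assumptions made for illustration, as is freeing the key under that same lock.

```c
/* Userspace model of "check ses_status under ses_lock before using the key".
 * Added example with hypothetical names; not kernel code. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

enum ses_status { SES_NEW, SES_IN_SETUP, SES_GOOD, SES_EXITING };

struct session {              /* hypothetical stand-in for the SMB session */
    pthread_mutex_t lock;     /* models ses_lock */
    enum ses_status status;   /* models ses_status */
    unsigned char *key;       /* models auth_key.response */
    size_t key_len;
};

/* Setup path (task A): mark the session not ready, then free the old key. */
void session_begin_setup(struct session *s)
{
    pthread_mutex_lock(&s->lock);
    s->status = SES_IN_SETUP;
    free(s->key);
    s->key = NULL;
    s->key_len = 0;
    pthread_mutex_unlock(&s->lock);
}

/* Setup done: install the new key and publish SES_GOOD in one critical section. */
int session_finish_setup(struct session *s, const unsigned char *k, size_t n)
{
    unsigned char *copy = malloc(n);
    if (!copy)
        return -1;
    memcpy(copy, k, n);
    pthread_mutex_lock(&s->lock);
    free(s->key);
    s->key = copy;
    s->key_len = n;
    s->status = SES_GOOD;
    pthread_mutex_unlock(&s->lock);
    return 0;
}

/* Signing path (task B): copy the key out only while the state guarantees it. */
int session_get_sign_key(struct session *s, unsigned char *out, size_t cap, size_t *len)
{
    int rc = -1;                       /* caller must not sign on failure */
    pthread_mutex_lock(&s->lock);
    if ((s->status == SES_GOOD || s->status == SES_EXITING) &&
        s->key && s->key_len <= cap) {
        memcpy(out, s->key, s->key_len);
        *len = s->key_len;
        rc = 0;
    }
    pthread_mutex_unlock(&s->lock);
    return rc;
}
```

Because the signer works on its own copy taken under the lock, a later free in the setup path cannot leave it holding a dangling pointer.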

Reserved 2024-11-19 | Published 2024-12-27 | Updated 2025-01-20 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 39619c65ab4bbb3e78c818f537687653e112764d: affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591: affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 343d7fe6df9e247671440a932b6a73af4fa86d95: affected

Default status: affected

6.6.70: unaffected

6.12.2: unaffected

6.13: unaffected

References

git.kernel.org/...c/39619c65ab4bbb3e78c818f537687653e112764d

git.kernel.org/...c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591

git.kernel.org/...c/343d7fe6df9e247671440a932b6a73af4fa86d95

cve.org (CVE-2024-53179)

nvd.nist.gov (CVE-2024-53179)
