Paulo Alcantara

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: A buffer overflow issue has been identified in the Linux kernel when parsing NFS reparse points. The problem arises because the function `cifs strndup from utf16()` accesses the `DataBuffer` beyond its bounds due to not subtracting the `InodeType` size from the `ReparseDataLength`. To fix this, the code now correctly subtracts the `InodeType` size from the `ReparseDataLength` to prevent accessing memory beyond the buffer's end. Additionally, checks have been added to ensure that `InodeType` and major and minor `rdev` values are only accessed when the reparse buffer is sufficiently large, preventing invalid memory accesses. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the buffer overflow issue when parsing NFS reparse points. As a temporary workaround, consider restricting access to the `cifs strndup from utf16()` function until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The vulnerability is related to a use-after-free issue in the `smb2 set path size()` function. When `smb2 compound op()` is called with a valid `@cfile` and returns `-EINVAL`, the reference to `@cfile` is dropped, but the function may retry the operation without calling `cifs get writable path()` first. This can lead to a slab-use-after-free error, as seen in the KASAN splat when running `fstests` generic/013 against Windows Server 2022. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the `smb2 set path size()` function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation. Note: The provided information does not specify the exact vulnerable versions, but it mentions that the issue is fixed in Linux kernel version 6.6.52. Therefore, it is assumed that versions prior to 6.6.52 are vulnerable.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `cifs signal cifsd for reconnect()` function in the Linux kernel's SMB client implementation, which is vulnerable to a use-after-free (UAF) condition. This occurs when the function attempts to access memory that has already been freed, potentially leading to a denial-of-service. The vulnerability can be exploited by skipping sessions that are being torn down, specifically those with a status of `SES EXITING`, to avoid the UAF condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) in the `smb2 is valid oplock break()` function. This function is part of the SMB client implementation in the Linux kernel. The vulnerability can be exploited to cause a denial of service. To avoid the UAF, sessions that are being torn down (with a status of `SES EXITING`) are skipped. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `smb2 is valid lease break()` function. This vulnerability can be exploited to cause a denial of service. The vulnerability is resolved by skipping sessions that are being torn down to avoid UAF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `is valid oplock break()` function of the Linux kernel's SMB client implementation. This vulnerability may allow an attacker to cause a denial of service. The vulnerability is resolved by skipping sessions that are being torn down to avoid UAF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `smb2 is network name deleted()` function in the Linux kernel's SMB client implementation. This vulnerability may allow an attacker to cause a denial of service. The vulnerability is resolved by skipping sessions that are being torn down to avoid UAF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential use-after-free (UAF) in the `cifs debug files proc show()` function in the Linux kernel's SMB client subsystem. This could allow an attacker to cause a denial of service. The vulnerability is addressed by skipping sessions that are being torn down to avoid UAF. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `cifs stats proc write()` function of the Linux kernel's SMB client implementation. This vulnerability may allow an attacker to cause a denial of service. The vulnerability is resolved by skipping sessions that are being torn down to avoid UAF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `cifs stats proc show()` function of the Linux kernel's SMB client implementation. This vulnerability may allow an attacker to cause a denial of service. The vulnerability is resolved by skipping sessions that are being torn down to avoid UAF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the `cifs dump full key()` function of the Linux kernel's SMB client implementation. This vulnerability may allow an attacker to cause a denial of service. The vulnerability is associated with the reuse of previously freed memory. To avoid the UAF, sessions that are being torn down (status == SES EXITING) are skipped. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a Use-After-Free (UAF) bug in the `smb2 reconnect server()` function. This bug occurs when `smb2 reconnect server()` accesses a session that is already being torn down by another thread executing ` cifs put smb ses()`. The vulnerability can be exploited when the client has a connection to the server but no session, or when another thread sets `@ses->ses status` to something different than `SES EXITING`. To fix this, it is necessary to unconditionally set `@ses->ses status` to `SES EXITING` and prevent other threads from setting a new status while tearing it down. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider disabling the `smb2 reconnect server()` function until a patch is available. Restrict access to the vulnerable module `cifs` to minimize the risk of exploitation. Avoid using the `@ses->ipc` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0-rc7 **Description** A use-after-free vulnerability was found in the Linux kernel's SMB client, specifically in the `smb2 query info compound` function. This vulnerability was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max channels=2,vers=3.1.1,mfsymlinks,noperm'. The issue is a race between `open cached dir` and `cached dir lease break` where the cache entry for the open directory handle receives a lease break while creating it. Before returning from `open cached dir`, the last reference of the new `@cfid` is put because of `!@cfid->has lease`. Besides the use-after-free, missed lease breaks have been noticed in tests that run several concurrent `statfs(2)` calls on those cached fids. **Recommendations** To fix the issue, ensure that `@cfid->has lease` is set right before sending out the compounded request in `open cached dir` so that any potential lease break will be processed by the demultiplex thread while caching `@cfid`. If open failed for some reason, re-check `@cfid->has lease` to decide whether or not to put the lease reference. Note: The provided information does not specify the exact version that contains the fix for this vulnerability. Therefore, it is recommended to update to the latest version of the Linux kernel to ensure you have the latest security patches.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential deadlock when releasing mids in the smb client. All `release mid()` callers seem to hold a reference of `@mid`, so there is no need to call `kref put(&mid->refcount, release mid)` under `@server->mid lock` spinlock. If they don't, then an use-after-free bug would have occurred anyways. By getting rid of such spinlock, it also fixes a potential deadlock as shown in the scenario involving `cifs demultiplex thread()` and `cifs debug data proc show()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the `cifs debug data proc show()` function. This bug can cause a general protection fault when reading from `/proc/fs/cifs/DebugData` while mounting and unmounting. The vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The bug is fixed by skipping SMB sessions that are being torn down in `cifs debug data proc show()` to avoid use-after-free in `@ses`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A problem was found in the Linux Kernel related to the function `sess free buffer()` of the file `fs/cifs/sess.c` in the CIFS Handler component. This issue leads to a double free condition. The exploitation of this issue may allow an attacker to cause a denial of service. **Recommendations** Apply a patch to fix this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been identified, specifically in the `smb2 ioctl query info()` function. When this function is called with certain parameters, such as `smb query info::flags=PASSTHRU FSCTL` and `smb query info::output buffer length=0`, it can return a null pointer, leading to a null pointer dereference later in the `smb2 ioctl query ioctl()` function. This issue can be triggered by passing an invalid `smb query info::flags` value. The vulnerability can cause a general protection fault and potentially allow for arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL dereference in the `cifs compose mount options()` function. The optional `@ref` parameter might contain a NULL `node name`, which could lead to a NULL dereference. This issue has been resolved by preventing the dereferencing of the `node name` in the `cifs compose mount options()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.