CVE-2023-52751

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.0-rc7

Description A use-after-free vulnerability was found in the Linux kernel's SMB client, specifically in the smb2 query info compound function. This vulnerability was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max channels=2,vers=3.1.1,mfsymlinks,noperm'. The issue is a race between open cached dir and cached dir lease break where the cache entry for the open directory handle receives a lease break while creating it. Before returning from open cached dir, the last reference of the new @cfid is put because of !@cfid->has lease. Besides the use-after-free, missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids.

Recommendations To fix the issue, ensure that @cfid->has lease is set right before sending out the compounded request in open cached dir so that any potential lease break will be processed by the demultiplex thread while caching @cfid. If open failed for some reason, re-check @cfid->has lease to decide whether or not to put the lease reference.

Note: The provided information does not specify the exact version that contains the fix for this vulnerability. Therefore, it is recommended to update to the latest version of the Linux kernel to ensure you have the latest security patches.