Security tracker / CVE-2023-1192

CVE-2023-1192

use-after-free in smb2_is_status_io_timeout()

References

• Debian security tracker
• cve.org
• https://bugzilla.redhat.com/show_bug.cgi?id=2154178
• https://bugzilla.redhat.com/show_bug.cgi?id=2154178#c24
• https://lore.kernel.org/linux-cifs/ZZgFEX3QNWWj_VxA@eldamar.lan
• https://lore.kernel.org/linux-cifs/aca1c4e755e8c005b874c57a6210c4c6a34d2324.camel@debian.org/

Notes

 bwh> Introduced in 5.10 by commit 8e670f77c4a5 "Handle STATUS_IO_TIMEOUT
 bwh> gracefully".  I posted my analysis and an untested patch on RHBZ.
 carnil> Paulo Alcantara replied that this issue is supposed to be fixed
 carnil> with d527f51331ca ("cifs: Fix UAF in
 carnil> cifs_demultiplex_thread()") and that wile the commit mentions
 carnil> an UAF in >is_network_name_deleted() it should work as well for
 carnil> the smb2_is_status_io_timeout() case.
 carnil> But according to Ben this is another issue.

Bugs

Status

Branch	Status
upstream	released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f]
6.18-upstream-stable
6.17-upstream-stable
6.12-upstream-stable
6.7-upstream-stable	N/A "Fixed before branching point"
6.6-upstream-stable	N/A "Fixed before branching point"
6.1-upstream-stable	released (6.1.56) [908b3b5e97d25e879de3d1f172a255665491c2c3]
5.10-upstream-stable	needed
4.19-upstream-stable	N/A "Vulnerable code not present"
sid	released (6.5.6-1)
6.12-trixie-security
6.1-bookworm-security	released (6.1.64-1)
5.10-bullseye-security	needed
4.19-buster-security	N/A "Vulnerable code not present"