A critical use-after-free bug was found in the Linux kernel’s SMB client (fs/smb/client). Under certain error conditions, it’s possible for a regular user to trigger a double-free of memory, opening the door to local privilege escalation. This vulnerability is CVE-2023-5345, and patching is as easy as upgrading to a Linux kernel version including commit e6e43b8aa7cd3c3af686cafc2e11819a886d705. Let's break down what happened, how it can be exploited, and why it matters.
The Background
The Linux Virtual Filesystem SMB client module (fs/smb/client) lets you mount Windows shares using SMB2/SMB3 protocols, a must-have for interoperability in mixed OS environments.
- CVE-2023-5345 affects: Linux kernel versions before the fix, which mishandle memory in smb3_fs_context_parse_param().
- Risk: Local low-privileged users can exploit this to execute code as root, due to kernel memory corruption.
- Patch: Upgrade to a kernel including commit e6e43b8aa7cd3c3af686cafc2e11819a886d705.
What is Use-After-Free?
A “use-after-free” bug happens when a program frees (deletes) a chunk of memory, but later tries to use it. In kernel code, this can lead to the most severe vulnerabilities: privilege escalation, code execution, system crashes.
Where’s the Problem?
In fs/smb/client/cifs_mount.c, the function smb3_fs_context_parse_param() processes mount options. If something goes wrong (like invalid parameters), the code frees the memory for ctx->password, but doesn't set it to NULL. Later on, the same pointer may be freed again—hence, double free!
Vulnerable Code Snippet (Pre-Patch)
if (ctx->password) {
kfree(ctx->password);
// ... but ctx->password is not set to NULL!
}
// ... further down, on error:
if (ctx->password)
kfree(ctx->password); // <-- Oh no, a second free!
Patched Code
if (ctx->password) {
kfree(ctx->password);
ctx->password = NULL; // <--- FIX: set to NULL after freeing
}
- See the patch commit diff.
Exploit Steps (Simplified)
1. Mount with bad parameters: The attacker runs mount -t cifs ... with crafted options, triggering the error path in smb3_fs_context_parse_param().
2. Induce Double-Free: The attacker’s password option triggers the freeing of ctx->password (not set to NULL), and the cleanup code tries to free it again.
3. Heap Manipulation: By carefully planning memory allocations, the attacker can make the kernel allocate their own data at the spot just freed, and then have it freed again. This can corrupt critical kernel structures.
4. Privilege Escalation: With precise heap spraying, it’s possible to overwrite function pointers or manipulate data structures, often leading to arbitrary code execution as root.
Minimal Example of Trigger (Concept)
# Example only: this may crash your kernel!
mount -t cifs //dummy/share /mnt -o username=guest,password=123456,seal=yes,hard=True
# The combination of bad params can trigger the error path
Caution: Do not try this on production systems. Double-free vulnerabilities can easily lead to system crashes or data loss.
Real-World Impact
This bug lets any user with mounting privileges potentially gain full control over the system. On many Linux systems, even unprivileged users can mount SMB shares, so the attack surface is large. Containers and sandboxes relying on kernel isolation may also be bypassed.
Defensive Actions
Patch Now:
Upgrade your kernel to a version including or newer than commit e6e43b8aa7cd3c3af686cafc2e11819a886d705.
For distributions, see their security advisories:
- Red Hat Bugzilla – CVE-2023-5345
- NVD Detail – CVE-2023-5345
References and Links
- Linux kernel commit e6e43b8 - The Patch
- NVD – CVE-2023-5345
- RedHat CVE-2023-5345 tracking
- MITRE CVE database
Final Words
Privilege escalation bugs like CVE-2023-5345 remind us that even a simple pointer not being reset to NULL in kernel code can open the door to attackers. Update your systems, and always follow best practices when writing low-level C code: after freeing memory, set your pointers to NULL!
Timeline
Published on: 10/03/2023 03:15:09 UTC
Last modified on: 10/24/2023 17:51:46 UTC