Introduction
Concurrent SMB2 operations on Linux file servers can result in memory corruption and information leaks, especially in environments using multichannel connections. CVE-2023-32256 highlights a race condition in the Linux kernel's ksmbd module that can be triggered remotely, impacting the stability and confidentiality of affected systems.
ksmbd is a kernel-space SMB server implementation introduced in recent Linux kernels to provide high-performance file sharing. Its adoption is growing in enterprise and NAS environments as an alternative to user-space Samba. The Linux kernel is the backbone of countless server and embedded systems worldwide, making vulnerabilities in its networking components highly significant for the global technology ecosystem.
Technical Information
CVE-2023-32256 is a race condition vulnerability in the Linux kernel's ksmbd module. The flaw is present when handling concurrent SMB2 CLOSE and LOGOFF requests over multichannel connections. The vulnerability arises from improper synchronization of session objects, leading to a use-after-free (UAF) scenario.
Root Cause:
- When a LOGOFF request is processed, the ksmbd server may free the session object (sess->user) even if other requests (such as CLOSE) on different channels are still referencing it.
- This lack of synchronization and reference management allows a window where freed memory is accessed, resulting in memory corruption or information disclosure.
- The vulnerability specifically affects SMB2 multichannel configurations, where multiple connections can share the same session object.
Vulnerable Code Context: The official patch commit message describes the issue:
When smb client send concurrent smb2 close and logoff request with multichannel connection, It can cause racy issue. logoff request free tcon and can cause UAF issues in smb2 close.
Vulnerability Flow:
- Multiple SMB2 channels are established to the same session.
- A LOGOFF request is sent on one channel, freeing the session object.
- Simultaneously, a CLOSE request is processed on another channel, referencing the now-freed session object.
- This results in a use-after-free, potentially leaking memory or causing a crash.
The patch introduces synchronization to ensure all outstanding requests complete before the session is expired and freed.
Patch Information
In the Linux kernel's ksmbd module, a race condition was identified when handling concurrent SMB2 CLOSE and LOGOFF requests over multichannel connections. This issue could lead to use-after-free (UAF) vulnerabilities, potentially causing system crashes or other unintended behaviors.
To address this, the patch introduces synchronization mechanisms to ensure that when a LOGOFF request is received, the server waits for all ongoing requests across all channels to complete before expiring the session. This prevents the premature freeing of resources that might still be in use by other requests.
The key changes include:
- Waiting for All Requests to Complete: Before processing a LOGOFF request, the server now waits for all pending requests on all channels associated with the session to finish.
- Ensuring Proper Session Expiration: Only after confirming that no active requests are using the session does the server proceed to expire and free the session resources.
These modifications enhance the stability and security of the ksmbd module by eliminating the race condition that could lead to UAF scenarios.
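The vulnerability flow in the Technical Information section and the two key changes just listed describe one pattern: a LOGOFF on one channel must not release session state while a CLOSE on another channel is still using it. The C program below is an added illustration written for this page, not ksmbd code; its struct, function names, the sess->user stand-in and the event ordering are all assumptions, and the concurrency between channels is replayed as a fixed, single-threaded interleaving so the two outcomes can be compared deterministically. The unsynchronized logoff frees the user object immediately and the in-flight CLOSE then touches freed state (reported here as an error code rather than a crash); the synchronized logoff only marks the session as expiring and defers the free until the last in-flight request on any channel has finished, which is the behaviour the patch commit describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a multichannel SMB session. Not kernel code: the
 * fields and names are assumptions chosen to show the LOGOFF/CLOSE pattern. */
enum result { RES_OK = 0, RES_SESSION_EXPIRING = -1, RES_USE_AFTER_FREE = -2 };

struct session {
    int  in_flight;    /* requests executing on any channel of this session */
    bool expiring;     /* set once a LOGOFF has been accepted */
    bool user_valid;   /* true while the per-session user object is allocated */
    int *user;         /* stands in for sess->user */
};

static struct session *session_new(void)
{
    struct session *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->user = malloc(sizeof *s->user);
    if (!s->user) abort();
    *s->user = 42;            /* arbitrary payload so CLOSE has something to read */
    s->user_valid = true;
    return s;
}

static void session_expire(struct session *s)
{
    free(s->user);
    s->user = NULL;
    s->user_valid = false;
}

/* Vulnerable pattern: LOGOFF frees the user object at once, regardless of
 * requests still running on other channels. */
static void logoff_unsynchronized(struct session *s)
{
    s->expiring = true;
    session_expire(s);
}

/* Patched pattern: LOGOFF marks the session; the free happens only when no
 * request on any channel is still in flight (deferred to request_end). */
static void logoff_synchronized(struct session *s)
{
    s->expiring = true;
    if (s->in_flight == 0)
        session_expire(s);
}

/* Every request on every channel brackets its work with begin/end. */
static int request_begin(struct session *s)
{
    if (s->expiring)
        return RES_SESSION_EXPIRING;  /* no new work after LOGOFF */
    s->in_flight++;
    return RES_OK;
}

static void request_end(struct session *s)
{
    if (--s->in_flight == 0 && s->expiring)
        session_expire(s);            /* last request out performs the free */
}

/* Body of a CLOSE handler that dereferences the user object. The validity
 * check exists only so the model can report the UAF instead of crashing. */
static int smb2_close_body(struct session *s)
{
    if (!s->user_valid)
        return RES_USE_AFTER_FREE;
    return *s->user == 42 ? RES_OK : RES_USE_AFTER_FREE;
}

/* Interleaving: channel B starts a CLOSE, channel A's LOGOFF arrives, then
 * channel B's CLOSE body runs. Returns the CLOSE outcome and whether the
 * user object was released by the time the session was torn down. */
static int replay(void (*logoff)(struct session *), bool *user_freed_at_end)
{
    struct session *s = session_new();
    int rc = request_begin(s);        /* channel B: CLOSE in flight */
    if (rc == RES_OK) {
        logoff(s);                    /* channel A: LOGOFF */
        rc = smb2_close_body(s);      /* channel B: CLOSE touches s->user */
        request_end(s);
    }
    *user_freed_at_end = !s->user_valid;
    free(s);
    return rc;
}

int vulnerable_outcome(void) { bool f; return replay(logoff_unsynchronized, &f); }
int patched_outcome(void)    { bool f; return replay(logoff_synchronized, &f); }
bool patched_frees_after_last_request(void)
{
    bool f;
    (void)replay(logoff_synchronized, &f);
    return f;
}

int main(void)
{
    printf("unsynchronized logoff: CLOSE result %d\n", vulnerable_outcome());
    printf("synchronized logoff:   CLOSE result %d, user freed afterwards: %d\n",
           patched_outcome(), patched_frees_after_last_request());
    return 0;
}
```

In the model the deferred free is a counter check in request_end; in the kernel the same idea is a blocking wait in the LOGOFF path until the in-flight count of every channel reaches zero. Either way the invariant is the one the patch commit states: session resources are released only after all requests using them, on all channels, have completed.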
For a detailed view of the code changes, refer to the commit:
commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19
Author: Namjae Jeon <[email protected]>
Date:   Fri Jul 28 14:35:00 2023 +0900

    ksmbd: fix racy issue from smb2 close and logoff with multichannel

    When smb client send concurrent smb2 close and logoff request with
    multichannel connection, It can cause racy issue. logoff request free
    tcon and can cause UAF issues in smb2 close.

    When receiving logoff request with multichannel, ksmbd should wait until
    all remaning requests complete as well as ones in the current connection,
    and then make session expired.

    Cc: [email protected]
    Reported-by: [email protected] # ZDI-CAN-20796 ZDI-CAN-20595
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
See: Patch commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19
Affected Systems and Versions
- Linux kernel with ksmbd enabled
- Affects versions prior to 6.3.2 (patch introduced in 6.3.2 and mainline 6.4-rc1)
- Specific vulnerable versions include 4.19.90, 4.19.140, 4.19.194, 5.10.0, 6.1.0, 6.1.5, 6.1.6, 6.1.8, 6.1.14, 6.1.19
- Only systems with ksmbd (kernel-space SMB server) enabled and configured are vulnerable
Vendor Security History
The Linux kernel project has seen several ksmbd vulnerabilities in 2023, including:
- CVE-2023-32254: Memory corruption in ksmbd
- CVE-2023-32258: Use-after-free in ksmbd
- CVE-2023-32250: Out-of-bounds write in ksmbd
The kernel community typically responds rapidly, with patches released and backported to stable versions soon after disclosure. ksmbd is a newer component and has been the focus of increased security research.