References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.

Fix this by switching to deferred freeing using call_rcu().

https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c

https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e

https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294

https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a

https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde