{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46796", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-11T15:12:18.279Z", "datePublished": "2024-09-18T07:12:51.038Z", "dateUpdated": "2025-05-04T09:34:31.707Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:34:31.707Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n CIFS: Attempting to mount //w22-fs0/scratch\n run fstests generic/013 at 2024-09-02 19:48:59\n ==================================================================\n BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n 04/01/2014\n Workqueue: cifsoplockd cifs_oplock_break [cifs]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? detach_if_pending+0xab/0x200\n print_report+0x156/0x4d9\n ? detach_if_pending+0xab/0x200\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? detach_if_pending+0xab/0x200\n kasan_report+0xda/0x110\n ? detach_if_pending+0xab/0x200\n detach_if_pending+0xab/0x200\n timer_delete+0x96/0xe0\n ? __pfx_timer_delete+0x10/0x10\n ? rcu_is_watching+0x20/0x50\n try_to_grab_pending+0x46/0x3b0\n __cancel_work+0x89/0x1b0\n ? __pfx___cancel_work+0x10/0x10\n ? kasan_save_track+0x14/0x30\n cifs_close_deferred_file+0x110/0x2c0 [cifs]\n ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n ? __pfx_down_read+0x10/0x10\n cifs_oplock_break+0x4c1/0xa50 [cifs]\n ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n ? lock_is_held_type+0x85/0xf0\n ? mark_held_locks+0x1a/0x90\n process_one_work+0x4c6/0x9f0\n ? find_held_lock+0x8a/0xa0\n ? __pfx_process_one_work+0x10/0x10\n ? lock_acquired+0x220/0x550\n ? __list_add_valid_or_report+0x37/0x100\n worker_thread+0x2e4/0x570\n ? __kthread_parkme+0xd1/0xf0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x17f/0x1c0\n ? kthread+0xda/0x1c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\n Allocated by task 1118:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n cifs_atomic_open+0x467/0x770 [cifs]\n lookup_open.isra.0+0x665/0x8b0\n path_openat+0x4c3/0x1380\n do_filp_open+0x167/0x270\n do_sys_openat2+0x129/0x160\n __x64_sys_creat+0xad/0xe0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 83:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n poison_slab_object+0xe9/0x160\n __kasan_slab_free+0x32/0x50\n kfree+0xf2/0x300\n process_one_work+0x4c6/0x9f0\n worker_thread+0x2e4/0x570\n kthread+0x17f/0x1c0\n ret_from_fork+0x31/0x60\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x30/0x50\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x29/0xe0\n __queue_work+0x5ea/0x760\n queue_work_on+0x6d/0x90\n _cifsFileInfo_put+0x3f6/0x770 [cifs]\n smb2_compound_op+0x911/0x3940 [cifs]\n smb2_set_path_size+0x228/0x270 [cifs]\n cifs_set_file_size+0x197/0x460 [cifs]\n cifs_setattr+0xd9c/0x14b0 [cifs]\n notify_change+0x4e3/0x740\n do_truncate+0xfa/0x180\n vfs_truncate+0x195/0x200\n __x64_sys_truncate+0x109/0x150\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smb2inode.c"], "versions": [{"version": "1e60bc0e954389af82f1d9a85f13a63f6572350f", "lessThan": "5a72d1edb0843e4c927a4096f81e631031c25c28", "status": "affected", "versionType": "git"}, {"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d", "lessThan": "762099898309218b4a7954f3d49e985dc4dfd638", "status": "affected", "versionType": "git"}, {"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d", "lessThan": "f9c169b51b6ce20394594ef674d6b10efba31220", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smb2inode.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.51", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.10", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.32", "versionEndExcluding": "6.6.51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.10.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"}, {"url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"}, {"url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"}], "title": "smb: client: fix double put of @cfile in smb2_set_path_size()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-29T14:22:40.903539Z", "id": "CVE-2024-46796", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-29T14:22:52.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-46796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-29T14:22:40.903539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-29T14:22:42.667Z"}}], "cna": {"title": "smb: client: fix double put of @cfile in smb2_set_path_size()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1e60bc0e954389af82f1d9a85f13a63f6572350f", "lessThan": "5a72d1edb0843e4c927a4096f81e631031c25c28", "versionType": "git"}, {"status": "affected", "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d", "lessThan": "762099898309218b4a7954f3d49e985dc4dfd638", "versionType": "git"}, {"status": "affected", "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d", "lessThan": "f9c169b51b6ce20394594ef674d6b10efba31220", "versionType": "git"}], "programFiles": ["fs/smb/client/smb2inode.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.51", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.10", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/client/smb2inode.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"}, {"url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"}, {"url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n CIFS: Attempting to mount //w22-fs0/scratch\n run fstests generic/013 at 2024-09-02 19:48:59\n ==================================================================\n BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n 04/01/2014\n Workqueue: cifsoplockd cifs_oplock_break [cifs]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? detach_if_pending+0xab/0x200\n print_report+0x156/0x4d9\n ? detach_if_pending+0xab/0x200\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? detach_if_pending+0xab/0x200\n kasan_report+0xda/0x110\n ? detach_if_pending+0xab/0x200\n detach_if_pending+0xab/0x200\n timer_delete+0x96/0xe0\n ? __pfx_timer_delete+0x10/0x10\n ? rcu_is_watching+0x20/0x50\n try_to_grab_pending+0x46/0x3b0\n __cancel_work+0x89/0x1b0\n ? __pfx___cancel_work+0x10/0x10\n ? kasan_save_track+0x14/0x30\n cifs_close_deferred_file+0x110/0x2c0 [cifs]\n ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n ? __pfx_down_read+0x10/0x10\n cifs_oplock_break+0x4c1/0xa50 [cifs]\n ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n ? lock_is_held_type+0x85/0xf0\n ? mark_held_locks+0x1a/0x90\n process_one_work+0x4c6/0x9f0\n ? find_held_lock+0x8a/0xa0\n ? __pfx_process_one_work+0x10/0x10\n ? lock_acquired+0x220/0x550\n ? __list_add_valid_or_report+0x37/0x100\n worker_thread+0x2e4/0x570\n ? __kthread_parkme+0xd1/0xf0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x17f/0x1c0\n ? kthread+0xda/0x1c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\n Allocated by task 1118:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n cifs_atomic_open+0x467/0x770 [cifs]\n lookup_open.isra.0+0x665/0x8b0\n path_openat+0x4c3/0x1380\n do_filp_open+0x167/0x270\n do_sys_openat2+0x129/0x160\n __x64_sys_creat+0xad/0xe0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 83:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n poison_slab_object+0xe9/0x160\n __kasan_slab_free+0x32/0x50\n kfree+0xf2/0x300\n process_one_work+0x4c6/0x9f0\n worker_thread+0x2e4/0x570\n kthread+0x17f/0x1c0\n ret_from_fork+0x31/0x60\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x30/0x50\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x29/0xe0\n __queue_work+0x5ea/0x760\n queue_work_on+0x6d/0x90\n _cifsFileInfo_put+0x3f6/0x770 [cifs]\n smb2_compound_op+0x911/0x3940 [cifs]\n smb2_set_path_size+0x228/0x270 [cifs]\n cifs_set_file_size+0x197/0x460 [cifs]\n cifs_setattr+0xd9c/0x14b0 [cifs]\n notify_change+0x4e3/0x740\n do_truncate+0xfa/0x180\n vfs_truncate+0x195/0x200\n __x64_sys_truncate+0x109/0x150\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.51", "versionStartIncluding": "6.6.32"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10.10", "versionStartIncluding": "6.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11", "versionStartIncluding": "6.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:34:31.707Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46796", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:34:31.707Z", "dateReserved": "2024-09-11T15:12:18.279Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-09-18T07:12:51.038Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4FD2594-8BAC-4DC6-B031-962920000AEC", "versionEndExcluding": "6.6.51", "versionStartIncluding": "6.6.32", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CB7114B-59C6-4708-AE2C-B7C2D0BA0FA2", "versionEndExcluding": "6.10.10", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*", "matchCriteriaId": "B8383ABF-1457-401F-9B61-EE50F4C61F4F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*", "matchCriteriaId": "B77A9280-37E6-49AD-B559-5B23A3B1DC3D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n CIFS: Attempting to mount //w22-fs0/scratch\n run fstests generic/013 at 2024-09-02 19:48:59\n ==================================================================\n BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n 04/01/2014\n Workqueue: cifsoplockd cifs_oplock_break [cifs]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? detach_if_pending+0xab/0x200\n print_report+0x156/0x4d9\n ? detach_if_pending+0xab/0x200\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? detach_if_pending+0xab/0x200\n kasan_report+0xda/0x110\n ? detach_if_pending+0xab/0x200\n detach_if_pending+0xab/0x200\n timer_delete+0x96/0xe0\n ? __pfx_timer_delete+0x10/0x10\n ? rcu_is_watching+0x20/0x50\n try_to_grab_pending+0x46/0x3b0\n __cancel_work+0x89/0x1b0\n ? __pfx___cancel_work+0x10/0x10\n ? kasan_save_track+0x14/0x30\n cifs_close_deferred_file+0x110/0x2c0 [cifs]\n ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n ? __pfx_down_read+0x10/0x10\n cifs_oplock_break+0x4c1/0xa50 [cifs]\n ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n ? lock_is_held_type+0x85/0xf0\n ? mark_held_locks+0x1a/0x90\n process_one_work+0x4c6/0x9f0\n ? find_held_lock+0x8a/0xa0\n ? __pfx_process_one_work+0x10/0x10\n ? lock_acquired+0x220/0x550\n ? __list_add_valid_or_report+0x37/0x100\n worker_thread+0x2e4/0x570\n ? __kthread_parkme+0xd1/0xf0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x17f/0x1c0\n ? kthread+0xda/0x1c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\n Allocated by task 1118:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n cifs_atomic_open+0x467/0x770 [cifs]\n lookup_open.isra.0+0x665/0x8b0\n path_openat+0x4c3/0x1380\n do_filp_open+0x167/0x270\n do_sys_openat2+0x129/0x160\n __x64_sys_creat+0xad/0xe0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 83:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n poison_slab_object+0xe9/0x160\n __kasan_slab_free+0x32/0x50\n kfree+0xf2/0x300\n process_one_work+0x4c6/0x9f0\n worker_thread+0x2e4/0x570\n kthread+0x17f/0x1c0\n ret_from_fork+0x31/0x60\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x30/0x50\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x29/0xe0\n __queue_work+0x5ea/0x760\n queue_work_on+0x6d/0x90\n _cifsFileInfo_put+0x3f6/0x770 [cifs]\n smb2_compound_op+0x911/0x3940 [cifs]\n smb2_set_path_size+0x228/0x270 [cifs]\n cifs_set_file_size+0x197/0x460 [cifs]\n cifs_setattr+0xd9c/0x14b0 [cifs]\n notify_change+0x4e3/0x740\n do_truncate+0xfa/0x180\n vfs_truncate+0x195/0x200\n __x64_sys_truncate+0x109/0x150\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: se corrige la doble colocaci\u00f3n de @cfile en smb2_set_path_size() Si se llama a smb2_compound_op() con un @cfile v\u00e1lido y se devuelve -EINVAL, debemos llamar a cifs_get_writable_path() antes de volver a intentarlo ya que la referencia de @cfile ya fue descartada por la llamada anterior. Esto corrige el siguiente error de KASAN al ejecutar fstests generic/013 contra Windows Server 2022: CIFS: Intentando montar //w22-fs0/scratch ejecutar fstests generic/013 a las 2024-09-02 19:48:59 ====================================================================== ERROR: KASAN: slab-use-after-free en detach_if_pending+0xab/0x200 Escritura de tama\u00f1o 8 en la direcci\u00f3n ffff88811f1a3730 por la tarea kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 No contaminado 6.11.0-rc6 #2 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 01/04/2014 Cola de trabajo: cifsoplockd cifs_oplock_break [cifs] Seguimiento de llamadas: dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? tipo_bloqueo_retenido+0x85/0xf0 ? marcar_bloqueos_retenidos+0x1a/0x90 proceso_una_obra+0x4c6/0x9f0 ? encontrar_bloqueo_retenido+0x8a/0xa0 ? __pfx_proceso_una_obra+0x10/0x10 ? bloqueo_adquirido+0x220/0x550 ? __lista_agregar_v\u00e1lido_o_informe+0x37/0x100 subproceso_trabajador+0x2e4/0x570 ? __pfx_kthread+0x10/0x10 ret_de_la_bifurcaci\u00f3n+0x31/0x60 ? Asignado por la tarea 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Liberado por la tarea 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 \u00daltima creaci\u00f3n de trabajo potencialmente relacionado: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notificar_cambio+0x4e3/0x740 hacer_truncar+0xfa/0x180 vfs_truncar+0x195/0x200 __x64_sys_truncar+0x109/0x150 hacer_syscall_64+0xbb/0x1d0 entrada_SYSCALL_64_despu\u00e9s_hwframe+0x77/0x7f"}], "id": "CVE-2024-46796", "lastModified": "2024-09-20T18:20:35.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-18T08:15:06.340", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: smb: client: fix double put of @cfile in smb2_set_path_size()", "id": "2313144", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313144"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix double put of @cfile in smb2_set_path_size()\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\nCIFS: Attempting to mount //w22-fs0/scratch\nrun fstests generic/013 at 2024-09-02 19:48:59\n==================================================================\nBUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\nWrite of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\nCPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n04/01/2014\nWorkqueue: cifsoplockd cifs_oplock_break [cifs]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x5d/0x80\n? detach_if_pending+0xab/0x200\nprint_report+0x156/0x4d9\n? detach_if_pending+0xab/0x200\n? __virt_addr_valid+0x145/0x300\n? __phys_addr+0x46/0x90\n? detach_if_pending+0xab/0x200\nkasan_report+0xda/0x110\n? detach_if_pending+0xab/0x200\ndetach_if_pending+0xab/0x200\ntimer_delete+0x96/0xe0\n? __pfx_timer_delete+0x10/0x10\n? rcu_is_watching+0x20/0x50\ntry_to_grab_pending+0x46/0x3b0\n__cancel_work+0x89/0x1b0\n? __pfx___cancel_work+0x10/0x10\n? kasan_save_track+0x14/0x30\ncifs_close_deferred_file+0x110/0x2c0 [cifs]\n? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n? __pfx_down_read+0x10/0x10\ncifs_oplock_break+0x4c1/0xa50 [cifs]\n? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n? lock_is_held_type+0x85/0xf0\n? mark_held_locks+0x1a/0x90\nprocess_one_work+0x4c6/0x9f0\n? find_held_lock+0x8a/0xa0\n? __pfx_process_one_work+0x10/0x10\n? lock_acquired+0x220/0x550\n? __list_add_valid_or_report+0x37/0x100\nworker_thread+0x2e4/0x570\n? __kthread_parkme+0xd1/0xf0\n? __pfx_worker_thread+0x10/0x10\nkthread+0x17f/0x1c0\n? kthread+0xda/0x1c0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x60\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>\nAllocated by task 1118:\nkasan_save_stack+0x30/0x50\nkasan_save_track+0x14/0x30\n__kasan_kmalloc+0xaa/0xb0\ncifs_new_fileinfo+0xc8/0x9d0 [cifs]\ncifs_atomic_open+0x467/0x770 [cifs]\nlookup_open.isra.0+0x665/0x8b0\npath_openat+0x4c3/0x1380\ndo_filp_open+0x167/0x270\ndo_sys_openat2+0x129/0x160\n__x64_sys_creat+0xad/0xe0\ndo_syscall_64+0xbb/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 83:\nkasan_save_stack+0x30/0x50\nkasan_save_track+0x14/0x30\nkasan_save_free_info+0x3b/0x70\npoison_slab_object+0xe9/0x160\n__kasan_slab_free+0x32/0x50\nkfree+0xf2/0x300\nprocess_one_work+0x4c6/0x9f0\nworker_thread+0x2e4/0x570\nkthread+0x17f/0x1c0\nret_from_fork+0x31/0x60\nret_from_fork_asm+0x1a/0x30\nLast potentially related work creation:\nkasan_save_stack+0x30/0x50\n__kasan_record_aux_stack+0xad/0xc0\ninsert_work+0x29/0xe0\n__queue_work+0x5ea/0x760\nqueue_work_on+0x6d/0x90\n_cifsFileInfo_put+0x3f6/0x770 [cifs]\nsmb2_compound_op+0x911/0x3940 [cifs]\nsmb2_set_path_size+0x228/0x270 [cifs]\ncifs_set_file_size+0x197/0x460 [cifs]\ncifs_setattr+0xd9c/0x14b0 [cifs]\nnotify_change+0x4e3/0x740\ndo_truncate+0xfa/0x180\nvfs_truncate+0x195/0x200\n__x64_sys_truncate+0x109/0x150\ndo_syscall_64+0xbb/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module cifs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2024-46796", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46796\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46796\nhttps://lore.kernel.org/linux-cve-announce/2024091855-CVE-2024-46796-41c4@gregkh/T"], "statement": "The bug could happen for the existing connection with fail for the SMB client. Means that impossible to crack server with this, but instead incorrect data from server can lead to the crash of client. The security impact is limited.", "threat_severity": "Moderate"}

{}