Wind River Support Network

Fixed

LIN1022-17947 : Security Advisory - linux - CVE-2023-53427

Created: Sep 19, 2025    Updated: Sep 22, 2025
Resolved Date: Sep 22, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.8
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix warning and UAF when destroy the MR list

If the MR allocation failed, the MR recovery work is not initialized and the list is not cleared. There will then be a warning and a UAF when releasing the MR:

  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
  RIP: 0010:__flush_work.isra.0+0xf7/0x110
  Call Trace:
   <TASK>
   __cancel_work_timer+0x2ba/0x2e0
   smbd_destroy+0x4e1/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
  Call Trace:
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   smbd_destroy+0x4fc/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   _smbd_get_connection+0x1b6f/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Freed by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   __kmem_cache_free+0xc8/0x330
   _smbd_get_connection+0x1c6a/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before the MR allocation to prevent the warning, and remove the MRs from the list to prevent the UAF.
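
The error path described above, as an added userspace model (not the kernel code and not from the upstream patch): a failed allocation leaves freed MRs on the list and the recovery work uninitialized, and the teardown then reports both problems. All names (alloc_mrs, destroy, struct conn, work_ready) are hypothetical, and a fixed-size pool with a live flag stands in for the allocator so stale entries can be counted without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

#define POOL 4                       /* constructed pool standing in for the allocator */
struct mr { bool live; struct mr *next; };
struct conn {
    struct mr pool[POOL];
    struct mr *mr_list;              /* list walked at teardown */
    bool work_ready;                 /* models the recovery work being initialized */
};
struct report { int warnings; int stale_reads; };

/* Build the MR list; the allocation at index fail_at fails (-1 = never). */
static bool alloc_mrs(struct conn *c, int count, int fail_at, bool fixed)
{
    *c = (struct conn){0};
    if (fixed)
        c->work_ready = true;        /* fix 1: init the work before any allocation */
    for (int i = 0; i < count; i++) {
        if (i == fail_at)
            goto cleanup;
        c->pool[i].live = true;
        c->pool[i].next = c->mr_list;
        c->mr_list = &c->pool[i];
    }
    c->work_ready = true;            /* pre-fix ordering: init only after success */
    return true;
cleanup:
    for (struct mr *m = c->mr_list, *n; m; m = n) {
        n = m->next;
        if (fixed)
            c->mr_list = n;          /* fix 2: unlink the entry before freeing it */
        m->live = false;             /* models the free; the entry is now dead */
    }
    return false;
}

/* Teardown: cancel the work, then walk the list as a destroy path would. */
static struct report destroy(struct conn *c)
{
    struct report r = {0, 0};
    if (!c->work_ready)
        r.warnings++;                /* cancelling work that was never initialized */
    for (struct mr *m = c->mr_list; m; m = m->next)
        if (!m->live)
            r.stale_reads++;         /* in real code: a use-after-free read */
    return r;
}
```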
