CVE-2024-46796 (GCVE-0-2024-46796)
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2025-05-04 09:34
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
Impacted products
Vendor Product Version
Linux Linux Version: 1e60bc0e954389af82f1d9a85f13a63f6572350f
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:22:40.903539Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:22:52.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a72d1edb0843e4c927a4096f81e631031c25c28",
              "status": "affected",
              "version": "1e60bc0e954389af82f1d9a85f13a63f6572350f",
              "versionType": "git"
            },
            {
              "lessThan": "762099898309218b4a7954f3d49e985dc4dfd638",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            },
            {
              "lessThan": "f9c169b51b6ce20394594ef674d6b10efba31220",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n  CIFS: Attempting to mount //w22-fs0/scratch\n  run fstests generic/013 at 2024-09-02 19:48:59\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n  04/01/2014\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x5d/0x80\n   ? detach_if_pending+0xab/0x200\n   print_report+0x156/0x4d9\n   ? detach_if_pending+0xab/0x200\n   ? __virt_addr_valid+0x145/0x300\n   ? __phys_addr+0x46/0x90\n   ? detach_if_pending+0xab/0x200\n   kasan_report+0xda/0x110\n   ? detach_if_pending+0xab/0x200\n   detach_if_pending+0xab/0x200\n   timer_delete+0x96/0xe0\n   ? __pfx_timer_delete+0x10/0x10\n   ? rcu_is_watching+0x20/0x50\n   try_to_grab_pending+0x46/0x3b0\n   __cancel_work+0x89/0x1b0\n   ? __pfx___cancel_work+0x10/0x10\n   ? kasan_save_track+0x14/0x30\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n   ? __pfx_down_read+0x10/0x10\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n   ? lock_is_held_type+0x85/0xf0\n   ? mark_held_locks+0x1a/0x90\n   process_one_work+0x4c6/0x9f0\n   ? find_held_lock+0x8a/0xa0\n   ? __pfx_process_one_work+0x10/0x10\n   ? lock_acquired+0x220/0x550\n   ? __list_add_valid_or_report+0x37/0x100\n   worker_thread+0x2e4/0x570\n   ? __kthread_parkme+0xd1/0xf0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x17f/0x1c0\n   ? kthread+0xda/0x1c0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x60\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 1118:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n   cifs_atomic_open+0x467/0x770 [cifs]\n   lookup_open.isra.0+0x665/0x8b0\n   path_openat+0x4c3/0x1380\n   do_filp_open+0x167/0x270\n   do_sys_openat2+0x129/0x160\n   __x64_sys_creat+0xad/0xe0\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 83:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   poison_slab_object+0xe9/0x160\n   __kasan_slab_free+0x32/0x50\n   kfree+0xf2/0x300\n   process_one_work+0x4c6/0x9f0\n   worker_thread+0x2e4/0x570\n   kthread+0x17f/0x1c0\n   ret_from_fork+0x31/0x60\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x30/0x50\n   __kasan_record_aux_stack+0xad/0xc0\n   insert_work+0x29/0xe0\n   __queue_work+0x5ea/0x760\n   queue_work_on+0x6d/0x90\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\n   smb2_compound_op+0x911/0x3940 [cifs]\n   smb2_set_path_size+0x228/0x270 [cifs]\n   cifs_set_file_size+0x197/0x460 [cifs]\n   cifs_setattr+0xd9c/0x14b0 [cifs]\n   notify_change+0x4e3/0x740\n   do_truncate+0xfa/0x180\n   vfs_truncate+0x195/0x200\n   __x64_sys_truncate+0x109/0x150\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:34:31.707Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"
        },
        {
          "url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"
        }
      ],
      "title": "smb: client: fix double put of @cfile in smb2_set_path_size()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46796",
    "datePublished": "2024-09-18T07:12:51.038Z",
    "dateReserved": "2024-09-11T15:12:18.279Z",
    "dateUpdated": "2025-05-04T09:34:31.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46796\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-18T08:15:06.340\",\"lastModified\":\"2024-09-20T18:20:35.837\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix double put of @cfile in smb2_set_path_size()\\n\\nIf smb2_compound_op() is called with a valid @cfile and returned\\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\\nas the reference of @cfile was already dropped by previous call.\\n\\nThis fixes the following KASAN splat when running fstests generic/013\\nagainst Windows Server 2022:\\n\\n  CIFS: Attempting to mount //w22-fs0/scratch\\n  run fstests generic/013 at 2024-09-02 19:48:59\\n  ==================================================================\\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\\n\\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\\n  04/01/2014\\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\\n  Call Trace:\\n   \u003cTASK\u003e\\n   dump_stack_lvl+0x5d/0x80\\n   ? detach_if_pending+0xab/0x200\\n   print_report+0x156/0x4d9\\n   ? detach_if_pending+0xab/0x200\\n   ? __virt_addr_valid+0x145/0x300\\n   ? __phys_addr+0x46/0x90\\n   ? detach_if_pending+0xab/0x200\\n   kasan_report+0xda/0x110\\n   ? detach_if_pending+0xab/0x200\\n   detach_if_pending+0xab/0x200\\n   timer_delete+0x96/0xe0\\n   ? __pfx_timer_delete+0x10/0x10\\n   ? rcu_is_watching+0x20/0x50\\n   try_to_grab_pending+0x46/0x3b0\\n   __cancel_work+0x89/0x1b0\\n   ? __pfx___cancel_work+0x10/0x10\\n   ? kasan_save_track+0x14/0x30\\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\\n   ? __pfx_down_read+0x10/0x10\\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\\n   ? lock_is_held_type+0x85/0xf0\\n   ? mark_held_locks+0x1a/0x90\\n   process_one_work+0x4c6/0x9f0\\n   ? find_held_lock+0x8a/0xa0\\n   ? __pfx_process_one_work+0x10/0x10\\n   ? lock_acquired+0x220/0x550\\n   ? __list_add_valid_or_report+0x37/0x100\\n   worker_thread+0x2e4/0x570\\n   ? __kthread_parkme+0xd1/0xf0\\n   ? __pfx_worker_thread+0x10/0x10\\n   kthread+0x17f/0x1c0\\n   ? kthread+0xda/0x1c0\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x31/0x60\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork_asm+0x1a/0x30\\n   \u003c/TASK\u003e\\n\\n  Allocated by task 1118:\\n   kasan_save_stack+0x30/0x50\\n   kasan_save_track+0x14/0x30\\n   __kasan_kmalloc+0xaa/0xb0\\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\\n   cifs_atomic_open+0x467/0x770 [cifs]\\n   lookup_open.isra.0+0x665/0x8b0\\n   path_openat+0x4c3/0x1380\\n   do_filp_open+0x167/0x270\\n   do_sys_openat2+0x129/0x160\\n   __x64_sys_creat+0xad/0xe0\\n   do_syscall_64+0xbb/0x1d0\\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n  Freed by task 83:\\n   kasan_save_stack+0x30/0x50\\n   kasan_save_track+0x14/0x30\\n   kasan_save_free_info+0x3b/0x70\\n   poison_slab_object+0xe9/0x160\\n   __kasan_slab_free+0x32/0x50\\n   kfree+0xf2/0x300\\n   process_one_work+0x4c6/0x9f0\\n   worker_thread+0x2e4/0x570\\n   kthread+0x17f/0x1c0\\n   ret_from_fork+0x31/0x60\\n   ret_from_fork_asm+0x1a/0x30\\n\\n  Last potentially related work creation:\\n   kasan_save_stack+0x30/0x50\\n   __kasan_record_aux_stack+0xad/0xc0\\n   insert_work+0x29/0xe0\\n   __queue_work+0x5ea/0x760\\n   queue_work_on+0x6d/0x90\\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\\n   smb2_compound_op+0x911/0x3940 [cifs]\\n   smb2_set_path_size+0x228/0x270 [cifs]\\n   cifs_set_file_size+0x197/0x460 [cifs]\\n   cifs_setattr+0xd9c/0x14b0 [cifs]\\n   notify_change+0x4e3/0x740\\n   do_truncate+0xfa/0x180\\n   vfs_truncate+0x195/0x200\\n   __x64_sys_truncate+0x109/0x150\\n   do_syscall_64+0xbb/0x1d0\\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: se corrige la doble colocaci\u00f3n de @cfile en smb2_set_path_size() Si se llama a smb2_compound_op() con un @cfile v\u00e1lido y se devuelve -EINVAL, debemos llamar a cifs_get_writable_path() antes de volver a intentarlo ya que la referencia de @cfile ya fue descartada por la llamada anterior. Esto corrige el siguiente error de KASAN al ejecutar fstests generic/013 contra Windows Server 2022: CIFS: Intentando montar //w22-fs0/scratch ejecutar fstests generic/013 a las 2024-09-02 19:48:59 ====================================================================== ERROR: KASAN: slab-use-after-free en detach_if_pending+0xab/0x200 Escritura de tama\u00f1o 8 en la direcci\u00f3n ffff88811f1a3730 por la tarea kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 No contaminado 6.11.0-rc6 #2 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 01/04/2014 Cola de trabajo: cifsoplockd cifs_oplock_break [cifs] Seguimiento de llamadas:  dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? tipo_bloqueo_retenido+0x85/0xf0 ? marcar_bloqueos_retenidos+0x1a/0x90 proceso_una_obra+0x4c6/0x9f0 ? encontrar_bloqueo_retenido+0x8a/0xa0 ? __pfx_proceso_una_obra+0x10/0x10 ? bloqueo_adquirido+0x220/0x550 ? __lista_agregar_v\u00e1lido_o_informe+0x37/0x100 subproceso_trabajador+0x2e4/0x570 ? __pfx_kthread+0x10/0x10 ret_de_la_bifurcaci\u00f3n+0x31/0x60 ? Asignado por la tarea 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Liberado por la tarea 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 \u00daltima creaci\u00f3n de trabajo potencialmente relacionado: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notificar_cambio+0x4e3/0x740 hacer_truncar+0xfa/0x180 vfs_truncar+0x195/0x200 __x64_sys_truncar+0x109/0x150 hacer_syscall_64+0xbb/0x1d0 entrada_SYSCALL_64_despu\u00e9s_hwframe+0x77/0x7f\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.32\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"C4FD2594-8BAC-4DC6-B031-962920000AEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"2CB7114B-59C6-4708-AE2C-B7C2D0BA0FA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B77A9280-37E6-49AD-B559-5B23A3B1DC3D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-46796\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-29T14:22:40.903539Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-29T14:22:42.667Z\"}}], \"cna\": {\"title\": \"smb: client: fix double put of @cfile in smb2_set_path_size()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1e60bc0e954389af82f1d9a85f13a63f6572350f\", \"lessThan\": \"5a72d1edb0843e4c927a4096f81e631031c25c28\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"71f15c90e785d1de4bcd65a279e7256684c25c0d\", \"lessThan\": \"762099898309218b4a7954f3d49e985dc4dfd638\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"71f15c90e785d1de4bcd65a279e7256684c25c0d\", \"lessThan\": \"f9c169b51b6ce20394594ef674d6b10efba31220\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/smb/client/smb2inode.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.9\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.9\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.51\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/smb/client/smb2inode.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28\"}, {\"url\": \"https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638\"}, {\"url\": \"https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix double put of @cfile in smb2_set_path_size()\\n\\nIf smb2_compound_op() is called with a valid @cfile and returned\\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\\nas the reference of @cfile was already dropped by previous call.\\n\\nThis fixes the following KASAN splat when running fstests generic/013\\nagainst Windows Server 2022:\\n\\n  CIFS: Attempting to mount //w22-fs0/scratch\\n  run fstests generic/013 at 2024-09-02 19:48:59\\n  ==================================================================\\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\\n\\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\\n  04/01/2014\\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\\n  Call Trace:\\n   \u003cTASK\u003e\\n   dump_stack_lvl+0x5d/0x80\\n   ? detach_if_pending+0xab/0x200\\n   print_report+0x156/0x4d9\\n   ? detach_if_pending+0xab/0x200\\n   ? __virt_addr_valid+0x145/0x300\\n   ? __phys_addr+0x46/0x90\\n   ? detach_if_pending+0xab/0x200\\n   kasan_report+0xda/0x110\\n   ? detach_if_pending+0xab/0x200\\n   detach_if_pending+0xab/0x200\\n   timer_delete+0x96/0xe0\\n   ? __pfx_timer_delete+0x10/0x10\\n   ? rcu_is_watching+0x20/0x50\\n   try_to_grab_pending+0x46/0x3b0\\n   __cancel_work+0x89/0x1b0\\n   ? __pfx___cancel_work+0x10/0x10\\n   ? kasan_save_track+0x14/0x30\\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\\n   ? __pfx_down_read+0x10/0x10\\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\\n   ? lock_is_held_type+0x85/0xf0\\n   ? mark_held_locks+0x1a/0x90\\n   process_one_work+0x4c6/0x9f0\\n   ? find_held_lock+0x8a/0xa0\\n   ? __pfx_process_one_work+0x10/0x10\\n   ? lock_acquired+0x220/0x550\\n   ? __list_add_valid_or_report+0x37/0x100\\n   worker_thread+0x2e4/0x570\\n   ? __kthread_parkme+0xd1/0xf0\\n   ? __pfx_worker_thread+0x10/0x10\\n   kthread+0x17f/0x1c0\\n   ? kthread+0xda/0x1c0\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x31/0x60\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork_asm+0x1a/0x30\\n   \u003c/TASK\u003e\\n\\n  Allocated by task 1118:\\n   kasan_save_stack+0x30/0x50\\n   kasan_save_track+0x14/0x30\\n   __kasan_kmalloc+0xaa/0xb0\\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\\n   cifs_atomic_open+0x467/0x770 [cifs]\\n   lookup_open.isra.0+0x665/0x8b0\\n   path_openat+0x4c3/0x1380\\n   do_filp_open+0x167/0x270\\n   do_sys_openat2+0x129/0x160\\n   __x64_sys_creat+0xad/0xe0\\n   do_syscall_64+0xbb/0x1d0\\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n  Freed by task 83:\\n   kasan_save_stack+0x30/0x50\\n   kasan_save_track+0x14/0x30\\n   kasan_save_free_info+0x3b/0x70\\n   poison_slab_object+0xe9/0x160\\n   __kasan_slab_free+0x32/0x50\\n   kfree+0xf2/0x300\\n   process_one_work+0x4c6/0x9f0\\n   worker_thread+0x2e4/0x570\\n   kthread+0x17f/0x1c0\\n   ret_from_fork+0x31/0x60\\n   ret_from_fork_asm+0x1a/0x30\\n\\n  Last potentially related work creation:\\n   kasan_save_stack+0x30/0x50\\n   __kasan_record_aux_stack+0xad/0xc0\\n   insert_work+0x29/0xe0\\n   __queue_work+0x5ea/0x760\\n   queue_work_on+0x6d/0x90\\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\\n   smb2_compound_op+0x911/0x3940 [cifs]\\n   smb2_set_path_size+0x228/0x270 [cifs]\\n   cifs_set_file_size+0x197/0x460 [cifs]\\n   cifs_setattr+0xd9c/0x14b0 [cifs]\\n   notify_change+0x4e3/0x740\\n   do_truncate+0xfa/0x180\\n   vfs_truncate+0x195/0x200\\n   __x64_sys_truncate+0x109/0x150\\n   do_syscall_64+0xbb/0x1d0\\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.51\", \"versionStartIncluding\": \"6.6.32\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.10\", \"versionStartIncluding\": \"6.9\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.9\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:34:31.707Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-46796\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T09:34:31.707Z\", \"dateReserved\": \"2024-09-11T15:12:18.279Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-18T07:12:51.038Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.