KernelScan.io

HIGH

ksmbd Channel List UAF

CVE-2026-23226

CVSS 8.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 8.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add chann_lock to protect ksmbd_chann_list xarray

ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.


Engine v0.2.0

Risk summary

High-severity use-after-free vulnerability in the Linux kernel's SMB server (ksmbd) that can be triggered remotely through SMB multi-channel operations. Successful exploitation could lead to kernel memory corruption, system crashes, or potential privilege escalation.

Affected: fs/smb/server/mgmt/user_session.c

Vulnerability analysis

Summary: Use-after-free vulnerability in ksmbd SMB server channel management, caused by missing synchronization on xarray operations.

Root Cause: The ksmbd_chann_list xarray in struct ksmbd_session lacks proper synchronization protection. Multiple threads can concurrently access the xarray through xa_load() in lookup_chann_list() and xa_erase() in ksmbd_chann_del(), creating a race condition where one thread can free a channel object while another thread is still using it.

Attack Mechanism: An attacker can trigger concurrent multi-channel SMB session operations to exploit the race condition between channel lookup and deletion. This can lead to use-after-free conditions where freed channel objects are accessed, potentially allowing arbitrary code execution or system crashes.

Attack Surface: Network-accessible through SMB protocol, requires ability to establish SMB multi-channel sessions. The vulnerability is in the ksmbd kernel SMB server implementation.

Fix Mechanism: The patch adds a new rw_semaphore 'chann_lock' to struct ksmbd_session and protects all xarray operations (xa_load, xa_store, xa_erase) with appropriate read/write locks. Read locks are used for lookups (lookup_chann_list) while write locks protect modifications (channel addition/deletion).


Branch    Fixed in   Patch commit
5.16      5.16       4c2ca3160852
6.12      6.12.77    4f3a06cc5797
6.18      6.18.11
6.19      6.19.1
6.2       6.2        e4a8a96a93d0
6.3       6.3        36ef605c0395
mainline  7.0