CVE-2023-54162

Vulnerability

Description

In the Linux kernel's ksmbd (SMB/CIFS file server), the smb a memory leak vulnerability exists in the smb2_lock() function. The issue arises because the dynamically allocated argv buffer is not freed when setup_async_work()` fails or when the current process is woken up before the work completes. This missing deallocation can lead to a gradual depletion of kernel memory over time.

Exploitation

An attacker with the ability to send crafted SMB2 lock requests to a ksmbd server can trigger this code path. No special privileges beyond network access to the SMB service are required. By repeatedly sending lock requests that cause setup_async_work() to fail or that wake the process prematurely, the attacker can cause the kernel to leak memory each time.

Impact

Repeated exploitation can exhaust system memory, potentially leading to denial of service (DoS) for the ksmbd server and other kernel services. The vulnerability does not directly allow code execution or privilege escalation, but memory exhaustion can degrade system stability and availability.

Mitigation

The fix has been applied to the Linux kernel stable tree in commits [1], [2], [3], and [4]. Users should update their kernel to a version containing the patch. No workaround is available other than applying the update.