{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smb: client: fix UAF in async decryption",
    "id" : "2320586",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320586"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix UAF in async decryption\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\nReproducer:\n# mount.cifs -o ...,seal,esize=1 //srv/share /mnt\n# dd if=/mnt/largefile of=/dev/null\n...\n[  194.196391] ==================================================================\n[  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n[  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n[  194.197707]\n[  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n[  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n[  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n[  194.200032] Call Trace:\n[  194.200191]  <TASK>\n[  194.200327]  dump_stack_lvl+0x4e/0x70\n[  194.200558]  ? gf128mul_4k_lle+0xc1/0x110\n[  194.200809]  print_report+0x174/0x505\n[  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  194.201352]  ? srso_return_thunk+0x5/0x5f\n[  194.201604]  ? __virt_addr_valid+0xdf/0x1c0\n[  194.201868]  ? gf128mul_4k_lle+0xc1/0x110\n[  194.202128]  kasan_report+0xc8/0x150\n[  194.202361]  ? gf128mul_4k_lle+0xc1/0x110\n[  194.202616]  gf128mul_4k_lle+0xc1/0x110\n[  194.202863]  ghash_update+0x184/0x210\n[  194.203103]  shash_ahash_update+0x184/0x2a0\n[  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10\n[  194.203651]  ? srso_return_thunk+0x5/0x5f\n[  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340\n[  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140\n[  194.204434]  crypt_message+0xec1/0x10a0 [cifs]\n[  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]\n[  194.208507]  ? srso_return_thunk+0x5/0x5f\n[  194.209205]  ? srso_return_thunk+0x5/0x5f\n[  194.209925]  ? srso_return_thunk+0x5/0x5f\n[  194.210443]  ? srso_return_thunk+0x5/0x5f\n[  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]\n[  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n[  194.214670]  ? srso_return_thunk+0x5/0x5f\n[  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]\nThis is because TFM is being used in parallel.\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it's always going to be a synchronous operation." ],
  "statement" : "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50047\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50047\nhttps://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50047-7a27@gregkh/T" ],
  "name" : "CVE-2024-50047",
  "csaw" : false
}