CVE-2024-46796 in Linux
Summary
by MITRE • 09/18/2024
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix double put of @cfile in smb2_set_path_size()
If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it, as the reference of @cfile was already dropped by the previous call.
This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022:
CIFS: Attempting to mount //w22-fs0/scratch
run fstests generic/013 at 2024-09-02 19:48:59
==================================================================
BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
Workqueue: cifsoplockd cifs_oplock_break [cifs]
Call Trace:
 dump_stack_lvl+0x5d/0x80
 ? detach_if_pending+0xab/0x200
 print_report+0x156/0x4d9
 ? detach_if_pending+0xab/0x200
 ? __virt_addr_valid+0x145/0x300
 ? __phys_addr+0x46/0x90
 ? detach_if_pending+0xab/0x200
 kasan_report+0xda/0x110
 ? detach_if_pending+0xab/0x200
 detach_if_pending+0xab/0x200
 timer_delete+0x96/0xe0
 ? __pfx_timer_delete+0x10/0x10
 ? rcu_is_watching+0x20/0x50
 try_to_grab_pending+0x46/0x3b0
 __cancel_work+0x89/0x1b0
 ? __pfx___cancel_work+0x10/0x10
 ? kasan_save_track+0x14/0x30
 cifs_close_deferred_file+0x110/0x2c0 [cifs]
 ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
 ? __pfx_down_read+0x10/0x10
 cifs_oplock_break+0x4c1/0xa50 [cifs]
 ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
 ? lock_is_held_type+0x85/0xf0
 ? mark_held_locks+0x1a/0x90
 process_one_work+0x4c6/0x9f0
 ? find_held_lock+0x8a/0xa0
 ? __pfx_process_one_work+0x10/0x10
 ? lock_acquired+0x220/0x550
 ? __list_add_valid_or_report+0x37/0x100
 worker_thread+0x2e4/0x570
 ? __kthread_parkme+0xd1/0xf0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x17f/0x1c0
 ? kthread+0xda/0x1c0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x60
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30

Allocated by task 1118:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0xaa/0xb0
 cifs_new_fileinfo+0xc8/0x9d0 [cifs]
 cifs_atomic_open+0x467/0x770 [cifs]
 lookup_open.isra.0+0x665/0x8b0
 path_openat+0x4c3/0x1380
 do_filp_open+0x167/0x270
 do_sys_openat2+0x129/0x160
 __x64_sys_creat+0xad/0xe0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 83:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x70
 poison_slab_object+0xe9/0x160
 __kasan_slab_free+0x32/0x50
 kfree+0xf2/0x300
 process_one_work+0x4c6/0x9f0
 worker_thread+0x2e4/0x570
 kthread+0x17f/0x1c0
 ret_from_fork+0x31/0x60
 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
 kasan_save_stack+0x30/0x50
 __kasan_record_aux_stack+0xad/0xc0
 insert_work+0x29/0xe0
 __queue_work+0x5ea/0x760
 queue_work_on+0x6d/0x90
 _cifsFileInfo_put+0x3f6/0x770 [cifs]
 smb2_compound_op+0x911/0x3940 [cifs]
 smb2_set_path_size+0x228/0x270 [cifs]
 cifs_set_file_size+0x197/0x460 [cifs]
 cifs_setattr+0xd9c/0x14b0 [cifs]
 notify_change+0x4e3/0x740
 do_truncate+0xfa/0x180
 vfs_truncate+0x195/0x200
 __x64_sys_truncate+0x109/0x150
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability described in CVE-2024-46796 resides within the Linux kernel's CIFS (Common Internet File System) client implementation, specifically in the smb2_set_path_size() function. This flaw manifests as a double put operation on the cfile structure, leading to a use-after-free condition that can result in system instability or potential exploitation. The issue occurs when smb2_compound_op() is invoked with a valid cfile parameter but returns an -EINVAL error code, indicating an invalid argument scenario. In such cases, the function fails to properly manage the reference count of the cfile structure before retrying the operation, resulting in premature deallocation of resources. The vulnerability was identified through testing with fstests generic/013 against a Windows Server 2022 environment, where KASAN (Kernel Address Sanitizer) detected a slab-use-after-free error during the execution of kernel workqueue operations.
The technical root cause of this vulnerability stems from improper reference counting management within the CIFS client subsystem. When smb2_compound_op() encounters an -EINVAL error, it internally releases the reference to the cfile structure through a call to _cifsFileInfo_put(), which decrements the reference counter and potentially frees the memory. However, the subsequent retry logic in smb2_set_path_size() does not account for this release and attempts to access the already-freed memory structure. This mismanagement directly aligns with CWE-415: Double Free, where the same memory is freed twice, and CWE-416: Use After Free, where memory is accessed after it has been freed. The KASAN stack trace confirms that the use-after-free occurs in detach_if_pending(), a function that handles pending timers and oplock breaks, indicating that the freed cfile structure is later accessed during cleanup operations initiated by the kernel's workqueue subsystem.
The operational impact of this vulnerability extends beyond simple system instability, as it can potentially enable privilege escalation or denial-of-service conditions within environments heavily reliant on CIFS file sharing. Attackers could exploit this flaw to cause kernel memory corruption, leading to system crashes or, in more sophisticated scenarios, arbitrary code execution. The vulnerability affects systems running Linux kernels with CIFS support, particularly those using SMB2/3 protocols for file access, making it relevant to enterprise environments where Windows file servers are commonly accessed via Linux clients. The specific trigger involves operations that modify file sizes, such as truncation commands, which are frequently used in automated testing and file system operations. The issue is particularly concerning in high-availability environments where kernel crashes could lead to service disruption.
Mitigation strategies for CVE-2024-46796 primarily involve applying the kernel patch that corrects the reference counting logic in the smb2_set_path_size() function. The fix ensures that cifs_get_writable_path() is called before retrying smb2_compound_op() when an -EINVAL error occurs, thereby properly maintaining the reference count of the cfile structure. System administrators should prioritize updating to kernel versions that include this fix, typically those released after the vulnerability disclosure date. Additionally, monitoring for KASAN reports and kernel memory corruption events can help detect exploitation attempts. The mitigation approach aligns with ATT&CK technique T1059.001: Command and Scripting Interpreter, as the vulnerability could be exploited through file system operations that trigger the flawed code path, and T1499.004: Endpoint Denial of Service, as the use-after-free condition can cause system crashes. Organizations should also implement network segmentation and access controls to limit exposure, particularly in environments where CIFS shares are extensively used, and conduct regular vulnerability assessments to identify potential exploitation vectors.
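The reference-counting mistake behind this CVE (the summary's "double put of @cfile", the root-cause paragraph above, and the fix described in the mitigation paragraph) as an added, runnable example. This is a user-space model written for this page, not kernel code: struct cfile, get_writable_path(), compound_op() and the two set_path_size_*() functions are stand-ins for struct cifsFileInfo, cifs_get_writable_path(), smb2_compound_op() and smb2_set_path_size(), with invented signatures. The "freed" flag in place of a real kfree() and the constructed server behaviour (reject the first attempt with -EINVAL, accept the retry) are assumptions made so that the second put is counted, the way KASAN would report it, instead of corrupting memory.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for struct cifsFileInfo. Nothing is really freed: a
 * 'freed' flag models the poisoned slab object KASAN reports on. */
struct cfile {
    int refcount;
    int freed;
    int bad_puts;      /* reference drops on an already-freed object */
};

/* One scenario: the open file plus the counters the checks inspect. */
struct ctx {
    struct cfile obj;
    int lookups;       /* calls to the cifs_get_writable_path() stand-in */
    int attempts;      /* calls to the smb2_compound_op() stand-in */
    int freed_early;   /* obj freed while its owner still held a reference */
    int rc;            /* result of the size-setting operation */
};

static int cfile_get(struct cfile *f)
{
    if (f->freed)
        return -1;     /* would be a use-after-free in the kernel */
    f->refcount++;
    return 0;
}

static void cfile_put(struct cfile *f)
{
    if (f->freed)
        f->bad_puts++;               /* the double put KASAN flagged */
    else if (--f->refcount == 0)
        f->freed = 1;                /* last reference: kfree() in the kernel */
}

/* Stand-in for cifs_get_writable_path(): look up an open writable file for
 * the path and give the caller its own reference, or NULL if none is open. */
static void get_writable_path(struct ctx *c, struct cfile **out)
{
    c->lookups++;
    *out = (cfile_get(&c->obj) == 0) ? &c->obj : NULL;
}

/* Stand-in for smb2_compound_op(): it always drops the @cfile reference it
 * was handed, on success and on failure alike. The constructed server
 * rejects the first attempt with -EINVAL and accepts the retry. */
static int compound_op(struct ctx *c, struct cfile *cfile)
{
    int rc = (c->attempts++ == 0) ? -EINVAL : 0;
    if (cfile)
        cfile_put(cfile);
    return rc;
}

/* Pre-fix shape of smb2_set_path_size(): the retry reuses a @cfile whose
 * reference the first call already dropped. */
static int set_path_size_buggy(struct ctx *c, struct cfile *cfile)
{
    int rc = compound_op(c, cfile);
    if (rc == -EINVAL)
        rc = compound_op(c, cfile);  /* puts a reference we no longer own */
    return rc;
}

/* Fixed shape: take a fresh reference before retrying. */
static int set_path_size_fixed(struct ctx *c, struct cfile *cfile)
{
    int rc = compound_op(c, cfile);
    if (rc == -EINVAL) {
        get_writable_path(c, &cfile);  /* may legitimately yield NULL */
        rc = compound_op(c, cfile);
    }
    return rc;
}

/* Drives the truncate-style path against one open file, then the owner's
 * later cleanup put (the oplock-break work in the real trace). */
struct ctx run_scenario(int use_fixed)
{
    struct ctx c = { .obj = { .refcount = 1 } };  /* the open file's own ref */
    struct cfile *cfile = NULL;

    get_writable_path(&c, &cfile);                /* caller's ref: count 2 */
    c.rc = use_fixed ? set_path_size_fixed(&c, cfile)
                     : set_path_size_buggy(&c, cfile);
    c.freed_early = c.obj.freed;
    cfile_put(&c.obj);                            /* owner's cleanup put */
    return c;
}

int main(void)
{
    struct ctx b = run_scenario(0), f = run_scenario(1);
    printf("buggy: rc=%d freed_early=%d bad_puts=%d lookups=%d\n",
           b.rc, b.freed_early, b.obj.bad_puts, b.lookups);
    printf("fixed: rc=%d freed_early=%d bad_puts=%d lookups=%d\n",
           f.rc, f.freed_early, f.obj.bad_puts, f.lookups);
    return 0;
}
```

Build with `cc -Wall -o cfile_model cfile_model.c` and run it. In the buggy scenario the operation itself reports success, yet the object is freed while the open file still owns it, and the owner's later put lands on freed memory; that is the same ordering the splat shows, where the free is queued from _cifsFileInfo_put() under smb2_compound_op() and the crash surfaces later in the oplock-break worker. In the fixed scenario a second lookup restores the reference before the retry, so every put balances a get. The retry path has to tolerate a NULL from the lookup, which is why the stand-in for smb2_compound_op() accepts one.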