CVE-2024-46796

一、漏洞信息
 漏洞编号：[CVE-2024-46796](https://nvd.nist.gov/vuln/detail/CVE-2024-46796)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：7.8 High
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with a valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022:  CIFS: Attempting to mount //w22-fs0/scratch  run fstests generic/013 at 2024-09-02 19:48:59  ==================================================================  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40  04/01/2014  Workqueue: cifsoplockd cifs_oplock_break [cifs]  Call Trace:   <TASK>   dump_stack_lvl+0x5d/0x80   ? detach_if_pending+0xab/0x200   print_report+0x156/0x4d9   ? detach_if_pending+0xab/0x200   ? __virt_addr_valid+0x145/0x300   ? __phys_addr+0x46/0x90   ? detach_if_pending+0xab/0x200   kasan_report+0xda/0x110   ? detach_if_pending+0xab/0x200   detach_if_pending+0xab/0x200   timer_delete+0x96/0xe0   ? __pfx_timer_delete+0x10/0x10   ? rcu_is_watching+0x20/0x50   try_to_grab_pending+0x46/0x3b0   __cancel_work+0x89/0x1b0   ? __pfx___cancel_work+0x10/0x10   ? kasan_save_track+0x14/0x30   cifs_close_deferred_file+0x110/0x2c0 [cifs]   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]   ? __pfx_down_read+0x10/0x10   cifs_oplock_break+0x4c1/0xa50 [cifs]   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]   ? lock_is_held_type+0x85/0xf0   ? mark_held_locks+0x1a/0x90   process_one_work+0x4c6/0x9f0   ? find_held_lock+0x8a/0xa0   ? __pfx_process_one_work+0x10/0x10   ? lock_acquired+0x220/0x550   ? __list_add_valid_or_report+0x37/0x100   worker_thread+0x2e4/0x570   ? __kthread_parkme+0xd1/0xf0   ? __pfx_worker_thread+0x10/0x10   kthread+0x17f/0x1c0   ? kthread+0xda/0x1c0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x31/0x60   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  Allocated by task 1118:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   __kasan_kmalloc+0xaa/0xb0   cifs_new_fileinfo+0xc8/0x9d0 [cifs]   cifs_atomic_open+0x467/0x770 [cifs]   lookup_open.isra.0+0x665/0x8b0   path_openat+0x4c3/0x1380   do_filp_open+0x167/0x270   do_sys_openat2+0x129/0x160   __x64_sys_creat+0xad/0xe0   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 83:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x70   poison_slab_object+0xe9/0x160   __kasan_slab_free+0x32/0x50   kfree+0xf2/0x300   process_one_work+0x4c6/0x9f0   worker_thread+0x2e4/0x570   kthread+0x17f/0x1c0   ret_from_fork+0x31/0x60   ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:   kasan_save_stack+0x30/0x50   __kasan_record_aux_stack+0xad/0xc0   insert_work+0x29/0xe0   __queue_work+0x5ea/0x760   queue_work_on+0x6d/0x90   _cifsFileInfo_put+0x3f6/0x770 [cifs]   smb2_compound_op+0x911/0x3940 [cifs]   smb2_set_path_size+0x228/0x270 [cifs]   cifs_set_file_size+0x197/0x460 [cifs]   cifs_setattr+0xd9c/0x14b0 [cifs]   notify_change+0x4e3/0x740   do_truncate+0xfa/0x180   vfs_truncate+0x195/0x200   __x64_sys_truncate+0x109/0x150   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f
 漏洞公开时间：2024-09-18 16:15:06
 漏洞创建时间：2024-10-02 10:17:47
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-46796
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-46796 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-46796.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-46796 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2313144 | https://bugzilla.suse.com/show_bug.cgi?id=1230832 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-46796 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 |  | nvd |
|  |  | https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638 |  | nvd |
|  |  | https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 |  | nvd |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
                    In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with a valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022:  CIFS: Attempting to mount //w22-fs0/scratch  run fstests generic/013 at 2024-09-02 19:48:59  ==================================================================  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40  04/01/2014  Workqueue: cifsoplockd cifs_oplock_break [cifs]  Call Trace:   &lt;TASK&gt;   dump_stack_lvl+0x5d/0x80   ? detach_if_pending+0xab/0x200   print_report+0x156/0x4d9   ? detach_if_pending+0xab/0x200   ? __virt_addr_valid+0x145/0x300   ? __phys_addr+0x46/0x90   ? detach_if_pending+0xab/0x200   kasan_report+0xda/0x110   ? detach_if_pending+0xab/0x200   detach_if_pending+0xab/0x200   timer_delete+0x96/0xe0   ? __pfx_timer_delete+0x10/0x10   ? rcu_is_watching+0x20/0x50   try_to_grab_pending+0x46/0x3b0   __cancel_work+0x89/0x1b0   ? __pfx___cancel_work+0x10/0x10   ? kasan_save_track+0x14/0x30   cifs_close_deferred_file+0x110/0x2c0 [cifs]   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]   ? __pfx_down_read+0x10/0x10   cifs_oplock_break+0x4c1/0xa50 [cifs]   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]   ? lock_is_held_type+0x85/0xf0   ? mark_held_locks+0x1a/0x90   process_one_work+0x4c6/0x9f0   ? find_held_lock+0x8a/0xa0   ? __pfx_process_one_work+0x10/0x10   ? lock_acquired+0x220/0x550   ? __list_add_valid_or_report+0x37/0x100   worker_thread+0x2e4/0x570   ? __kthread_parkme+0xd1/0xf0   ? __pfx_worker_thread+0x10/0x10   kthread+0x17f/0x1c0   ? kthread+0xda/0x1c0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x31/0x60   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   &lt;/TASK&gt;  Allocated by task 1118:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   __kasan_kmalloc+0xaa/0xb0   cifs_new_fileinfo+0xc8/0x9d0 [cifs]   cifs_atomic_open+0x467/0x770 [cifs]   lookup_open.isra.0+0x665/0x8b0   path_openat+0x4c3/0x1380   do_filp_open+0x167/0x270   do_sys_openat2+0x129/0x160   __x64_sys_creat+0xad/0xe0   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 83:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x70   poison_slab_object+0xe9/0x160   __kasan_slab_free+0x32/0x50   kfree+0xf2/0x300   process_one_work+0x4c6/0x9f0   worker_thread+0x2e4/0x570   kthread+0x17f/0x1c0   ret_from_fork+0x31/0x60   ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:   kasan_save_stack+0x30/0x50   __kasan_record_aux_stack+0xad/0xc0   insert_work+0x29/0xe0   __queue_work+0x5ea/0x760   queue_work_on+0x6d/0x90   _cifsFileInfo_put+0x3f6/0x770 [cifs]   smb2_compound_op+0x911/0x3940 [cifs]   smb2_set_path_size+0x228/0x270 [cifs]   cifs_set_file_size+0x197/0x460 [cifs]   cifs_setattr+0xd9c/0x14b0 [cifs]   notify_change+0x4e3/0x740   do_truncate+0xfa/0x180   vfs_truncate+0x195/0x200   __x64_sys_truncate+0x109/0x150   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.         
 openEuler评分：
  7.8
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP1(5.10.0):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-2219

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

修复是否涉及abi变化(是/否)：
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-46796	None	None	https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638
https://ubuntu.com/security/CVE-2024-46796	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2024-46796	None	None	https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220 https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28 https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-46796
https://security-tracker.debian.org/tracker/CVE-2024-46796	None	None	https://git.kernel.org/linus/f9c169b51b6ce20394594ef674d6b10efba31220

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-46796

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double put of @cfile in smb2_set_path_size()

If smb2_compound_op() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() before retrying it
as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013
against Windows Server 2022:

CIFS: Attempting to mount //w22-fs0/scratch
  run fstests generic/013 at 2024-09-02 19:48:59
  ==================================================================
  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
  04/01/2014
  Workqueue: cifsoplockd cifs_oplock_break [cifs]
  Call Trace:
   &lt;TASK&gt;
   dump_stack_lvl+0x5d/0x80
   ? detach_if_pending+0xab/0x200
   print_report+0x156/0x4d9
   ? detach_if_pending+0xab/0x200
   ? __virt_addr_valid+0x145/0x300
   ? __phys_addr+0x46/0x90
   ? detach_if_pending+0xab/0x200
   kasan_report+0xda/0x110
   ? detach_if_pending+0xab/0x200
   detach_if_pending+0xab/0x200
   timer_delete+0x96/0xe0
   ? __pfx_timer_delete+0x10/0x10
   ? rcu_is_watching+0x20/0x50
   try_to_grab_pending+0x46/0x3b0
   __cancel_work+0x89/0x1b0
   ? __pfx___cancel_work+0x10/0x10
   ? kasan_save_track+0x14/0x30
   cifs_close_deferred_file+0x110/0x2c0 [cifs]
   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
   ? __pfx_down_read+0x10/0x10
   cifs_oplock_break+0x4c1/0xa50 [cifs]
   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
   ? lock_is_held_type+0x85/0xf0
   ? mark_held_locks+0x1a/0x90
   process_one_work+0x4c6/0x9f0
   ? find_held_lock+0x8a/0xa0
   ? __pfx_process_one_work+0x10/0x10
   ? lock_acquired+0x220/0x550
   ? __list_add_valid_or_report+0x37/0x100
   worker_thread+0x2e4/0x570
   ? __kthread_parkme+0xd1/0xf0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x17f/0x1c0
   ? kthread+0xda/0x1c0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x60
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   &lt;/TASK&gt;

Allocated by task 1118:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   cifs_new_fileinfo+0xc8/0x9d0 [cifs]
   cifs_atomic_open+0x467/0x770 [cifs]
   lookup_open.isra.0+0x665/0x8b0
   path_openat+0x4c3/0x1380
   do_filp_open+0x167/0x270
   do_sys_openat2+0x129/0x160
   __x64_sys_creat+0xad/0xe0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 83:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   poison_slab_object+0xe9/0x160
   __kasan_slab_free+0x32/0x50
   kfree+0xf2/0x300
   process_one_work+0x4c6/0x9f0
   worker_thread+0x2e4/0x570
   kthread+0x17f/0x1c0
   ret_from_fork+0x31/0x60
   ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
   kasan_save_stack+0x30/0x50
   __kasan_record_aux_stack+0xad/0xc0
   insert_work+0x29/0xe0
   __queue_work+0x5ea/0x760
   queue_work_on+0x6d/0x90
   _cifsFileInfo_put+0x3f6/0x770 [cifs]
   smb2_compound_op+0x911/0x3940 [cifs]
   smb2_set_path_size+0x228/0x270 [cifs]
   cifs_set_file_size+0x197/0x460 [cifs]
   cifs_setattr+0xd9c/0x14b0 [cifs]
   notify_change+0x4e3/0x740
   do_truncate+0xfa/0x180
   vfs_truncate+0x195/0x200
   __x64_sys_truncate+0x109/0x150
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

The Linux kernel CVE team has assigned CVE-2024-46796 to this issue.

openEuler评分:(评分和向量)
3.9
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP4:不受影响
2.openEuler-22.03-LTS-SP1:不受影响
3.openEuler-22.03-LTS-SP3:不受影响
4.openEuler-22.03-LTS-SP4:不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS:不受影响
7.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4:否
2.openEuler-22.03-LTS-SP1:否
3.openEuler-22.03-LTS-SP3:否
4.master(6.1.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-22.03-LTS-SP4:否

@ 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 需分析 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with a valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022:  CIFS: Attempting to mount //w22-fs0/scratch  run fstests generic/013 at 2024-09-02 19:48:59  ==================================================================  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40  04/01/2014  Workqueue: cifsoplockd cifs_oplock_break [cifs]  Call Trace:   &lt;TASK&gt;   dump_stack_lvl+0x5d/0x80   ? detach_if_pending+0xab/0x200   print_report+0x156/0x4d9   ? detach_if_pending+0xab/0x200   ? __virt_addr_valid+0x145/0x300   ? __phys_addr+0x46/0x90   ? detach_if_pending+0xab/0x200   kasan_report+0xda/0x110   ? detach_if_pending+0xab/0x200   detach_if_pending+0xab/0x200   timer_delete+0x96/0xe0   ? __pfx_timer_delete+0x10/0x10   ? rcu_is_watching+0x20/0x50   try_to_grab_pending+0x46/0x3b0   __cancel_work+0x89/0x1b0   ? __pfx___cancel_work+0x10/0x10   ? kasan_save_track+0x14/0x30   cifs_close_deferred_file+0x110/0x2c0 [cifs]   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]   ? __pfx_down_read+0x10/0x10   cifs_oplock_break+0x4c1/0xa50 [cifs]   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]   ? lock_is_held_type+0x85/0xf0   ? mark_held_locks+0x1a/0x90   process_one_work+0x4c6/0x9f0   ? find_held_lock+0x8a/0xa0   ? __pfx_process_one_work+0x10/0x10   ? lock_acquired+0x220/0x550   ? __list_add_valid_or_report+0x37/0x100   worker_thread+0x2e4/0x570   ? __kthread_parkme+0xd1/0xf0   ? __pfx_worker_thread+0x10/0x10   kthread+0x17f/0x1c0   ? kthread+0xda/0x1c0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x31/0x60   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   &lt;/TASK&gt;  Allocated by task 1118:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   __kasan_kmalloc+0xaa/0xb0   cifs_new_fileinfo+0xc8/0x9d0 [cifs]   cifs_atomic_open+0x467/0x770 [cifs]   lookup_open.isra.0+0x665/0x8b0   path_openat+0x4c3/0x1380   do_filp_open+0x167/0x270   do_sys_openat2+0x129/0x160   __x64_sys_creat+0xad/0xe0   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 83:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x70   poison_slab_object+0xe9/0x160   __kasan_slab_free+0x32/0x50   kfree+0xf2/0x300   process_one_work+0x4c6/0x9f0   worker_thread+0x2e4/0x570   kthread+0x17f/0x1c0   ret_from_fork+0x31/0x60   ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:   kasan_save_stack+0x30/0x50   __kasan_record_aux_stack+0xad/0xc0   insert_work+0x29/0xe0   __queue_work+0x5ea/0x760   queue_work_on+0x6d/0x90   _cifsFileInfo_put+0x3f6/0x770 [cifs]   smb2_compound_op+0x911/0x3940 [cifs]   smb2_set_path_size+0x228/0x270 [cifs]   cifs_set_file_size+0x197/0x460 [cifs]   cifs_setattr+0xd9c/0x14b0 [cifs]   notify_change+0x4e3/0x740   do_truncate+0xfa/0x180   vfs_truncate+0x195/0x200   __x64_sys_truncate+0x109/0x150   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.|
|已分析|2.openEulerScore|3.9|
|已分析|3.openEulerVector|AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L|
|已分析|4.受影响版本排查|openEuler-20.03-LTS-SP4:不受影响,openEuler-22.03-LTS-SP1:不受影响,openEuler-22.03-LTS-SP3:不受影响,openEuler-22.03-LTS-SP4:不受影响,master:不受影响,openEuler-24.03-LTS:不受影响,openEuler-24.03-LTS-Next:不受影响|
|已分析|5.修复是否涉及abi变化|openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP3:否,master:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-22.03-LTS-SP4:否|

**请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.**

CVE-2024-46796

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double put of @cfile in smb2_set_path_size()

If smb2_compound_op() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() before retrying it
as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013
against Windows Server 2022:

CIFS: Attempting to mount //w22-fs0/scratch
  run fstests generic/013 at 2024-09-02 19:48:59
  ==================================================================
  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
  04/01/2014
  Workqueue: cifsoplockd cifs_oplock_break [cifs]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? detach_if_pending+0xab/0x200
   print_report+0x156/0x4d9
   ? detach_if_pending+0xab/0x200
   ? __virt_addr_valid+0x145/0x300
   ? __phys_addr+0x46/0x90
   ? detach_if_pending+0xab/0x200
   kasan_report+0xda/0x110
   ? detach_if_pending+0xab/0x200
   detach_if_pending+0xab/0x200
   timer_delete+0x96/0xe0
   ? __pfx_timer_delete+0x10/0x10
   ? rcu_is_watching+0x20/0x50
   try_to_grab_pending+0x46/0x3b0
   __cancel_work+0x89/0x1b0
   ? __pfx___cancel_work+0x10/0x10
   ? kasan_save_track+0x14/0x30
   cifs_close_deferred_file+0x110/0x2c0 [cifs]
   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
   ? __pfx_down_read+0x10/0x10
   cifs_oplock_break+0x4c1/0xa50 [cifs]
   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
   ? lock_is_held_type+0x85/0xf0
   ? mark_held_locks+0x1a/0x90
   process_one_work+0x4c6/0x9f0
   ? find_held_lock+0x8a/0xa0
   ? __pfx_process_one_work+0x10/0x10
   ? lock_acquired+0x220/0x550
   ? __list_add_valid_or_report+0x37/0x100
   worker_thread+0x2e4/0x570
   ? __kthread_parkme+0xd1/0xf0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x17f/0x1c0
   ? kthread+0xda/0x1c0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x60
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

Allocated by task 1118:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   cifs_new_fileinfo+0xc8/0x9d0 [cifs]
   cifs_atomic_open+0x467/0x770 [cifs]
   lookup_open.isra.0+0x665/0x8b0
   path_openat+0x4c3/0x1380
   do_filp_open+0x167/0x270
   do_sys_openat2+0x129/0x160
   __x64_sys_creat+0xad/0xe0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 83:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   poison_slab_object+0xe9/0x160
   __kasan_slab_free+0x32/0x50
   kfree+0xf2/0x300
   process_one_work+0x4c6/0x9f0
   worker_thread+0x2e4/0x570
   kthread+0x17f/0x1c0
   ret_from_fork+0x31/0x60
   ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
   kasan_save_stack+0x30/0x50
   __kasan_record_aux_stack+0xad/0xc0
   insert_work+0x29/0xe0
   __queue_work+0x5ea/0x760
   queue_work_on+0x6d/0x90
   _cifsFileInfo_put+0x3f6/0x770 [cifs]
   smb2_compound_op+0x911/0x3940 [cifs]
   smb2_set_path_size+0x228/0x270 [cifs]
   cifs_set_file_size+0x197/0x460 [cifs]
   cifs_setattr+0xd9c/0x14b0 [cifs]
   notify_change+0x4e3/0x740
   do_truncate+0xfa/0x180
   vfs_truncate+0x195/0x200
   __x64_sys_truncate+0x109/0x150
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

openEuler评分:(评分和向量)
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP4:不受影响
2.openEuler-22.03-LTS-SP1:不受影响
3.openEuler-22.03-LTS-SP3:不受影响
4.openEuler-22.03-LTS-SP4:不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS:受影响
7.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4:否
2.openEuler-22.03-LTS-SP1:否
3.openEuler-22.03-LTS-SP3:否
4.master(6.1.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-22.03-LTS-SP4:否

===========================================================

@ 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 需分析 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with a valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022:  CIFS: Attempting to mount //w22-fs0/scratch  run fstests generic/013 at 2024-09-02 19:48:59  ==================================================================  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40  04/01/2014  Workqueue: cifsoplockd cifs_oplock_break [cifs]  Call Trace:   <TASK>   dump_stack_lvl+0x5d/0x80   ? detach_if_pending+0xab/0x200   print_report+0x156/0x4d9   ? detach_if_pending+0xab/0x200   ? __virt_addr_valid+0x145/0x300   ? __phys_addr+0x46/0x90   ? detach_if_pending+0xab/0x200   kasan_report+0xda/0x110   ? detach_if_pending+0xab/0x200   detach_if_pending+0xab/0x200   timer_delete+0x96/0xe0   ? __pfx_timer_delete+0x10/0x10   ? rcu_is_watching+0x20/0x50   try_to_grab_pending+0x46/0x3b0   __cancel_work+0x89/0x1b0   ? __pfx___cancel_work+0x10/0x10   ? kasan_save_track+0x14/0x30   cifs_close_deferred_file+0x110/0x2c0 [cifs]   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]   ? __pfx_down_read+0x10/0x10   cifs_oplock_break+0x4c1/0xa50 [cifs]   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]   ? lock_is_held_type+0x85/0xf0   ? mark_held_locks+0x1a/0x90   process_one_work+0x4c6/0x9f0   ? find_held_lock+0x8a/0xa0   ? __pfx_process_one_work+0x10/0x10   ? lock_acquired+0x220/0x550   ? __list_add_valid_or_report+0x37/0x100   worker_thread+0x2e4/0x570   ? __kthread_parkme+0xd1/0xf0   ? __pfx_worker_thread+0x10/0x10   kthread+0x17f/0x1c0   ? kthread+0xda/0x1c0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x31/0x60   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  Allocated by task 1118:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   __kasan_kmalloc+0xaa/0xb0   cifs_new_fileinfo+0xc8/0x9d0 [cifs]   cifs_atomic_open+0x467/0x770 [cifs]   lookup_open.isra.0+0x665/0x8b0   path_openat+0x4c3/0x1380   do_filp_open+0x167/0x270   do_sys_openat2+0x129/0x160   __x64_sys_creat+0xad/0xe0   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 83:   kasan_save_stack+0x30/0x50   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x70   poison_slab_object+0xe9/0x160   __kasan_slab_free+0x32/0x50   kfree+0xf2/0x300   process_one_work+0x4c6/0x9f0   worker_thread+0x2e4/0x570   kthread+0x17f/0x1c0   ret_from_fork+0x31/0x60   ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:   kasan_save_stack+0x30/0x50   __kasan_record_aux_stack+0xad/0xc0   insert_work+0x29/0xe0   __queue_work+0x5ea/0x760   queue_work_on+0x6d/0x90   _cifsFileInfo_put+0x3f6/0x770 [cifs]   smb2_compound_op+0x911/0x3940 [cifs]   smb2_set_path_size+0x228/0x270 [cifs]   cifs_set_file_size+0x197/0x460 [cifs]   cifs_setattr+0xd9c/0x14b0 [cifs]   notify_change+0x4e3/0x740   do_truncate+0xfa/0x180   vfs_truncate+0x195/0x200   __x64_sys_truncate+0x109/0x150   do_syscall_64+0xbb/0x1d0   entry_SYSCALL_64_after_hwframe+0x77/0x7f|
|已分析|2.openEulerScore|7.8|
|已分析|3.openEulerVector|AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H|
|已分析|4.受影响版本排查|openEuler-24.03-LTS:受影响,openEuler-20.03-LTS-SP4:不受影响,openEuler-22.03-LTS-SP1:不受影响,openEuler-22.03-LTS-SP3:不受影响,openEuler-22.03-LTS-SP4:不受影响,master:不受影响,openEuler-24.03-LTS-Next:不受影响|
|已分析|5.修复是否涉及abi变化|openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP3:否,master:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-22.03-LTS-SP4:否|