CVE-2024-50151

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2_IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_report+0xda/0x110 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_check_range+0x10f/0x1f0 __asan_memcpy+0x3c/0x60 smb2_set_next_command.cold+0x1d6/0x24c [cifs] smb2_compound_op+0x238c/0x3840 [cifs] ? kasan_save_track+0x14/0x30 ? kasan_save_free_info+0x3b/0x70 ? vfs_symlink+0x1a1/0x2c0 ? do_symlinkat+0x108/0x1c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] smb2_create_reparse_symlink+0x38f/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] cifs_symlink+0x24f/0x960 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? generic_permission+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1	Patch
https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531	Patch
https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49	Patch
https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510	Patch
https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470	Patch
https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d	Patch
https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc3::::::

History

22 Nov 2024, 17:30

Type	Values Removed	Values Added
CWE		CWE-787
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel:6.12:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel::::::::
References	~~() https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 -~~	() https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 - Patch
References	~~() https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531 -~~	() https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531 - Patch
References	~~() https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49 -~~	() https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49 - Patch
References	~~() https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510 -~~	() https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510 - Patch
References	~~() https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470 -~~	() https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470 - Patch
References	~~() https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d -~~	() https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d - Patch
References	~~() https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec -~~	() https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

08 Nov 2024, 16:15

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corregir OOB al crear una solicitud SMB2_IOCTL Al usar cifrado, ya sea aplicado por el servidor o al usar la opción de montaje 'seal', el cliente comprimirá todos los buffers de solicitud compuestos para el cifrado en un solo iov en smb2_set_next_command(). SMB2_ioctl_init() asigna un pequeño búfer (448 bytes) para contener la solicitud SMB2_IOCTL en el primer iov, y si el usuario pasa un búfer de entrada que es mayor a 328 bytes, smb2_set_next_command() terminará escribiendo el final de @rqst->iov[0].iov_base como se muestra a continuación: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link ERROR: KASAN: slab-out-of-bounds en smb2_set_next_command.cold+0x1d6/0x24c [cifs] Escritura de tamaño 4116 en la dirección ffff8881148fcab8 por tarea ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln No contaminado 6.12.0-rc3 #1 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? vfs_symlink+0x1a1/0x2c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] ? smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? __buscar_bloqueo_mantenido+0x8a/0xa0 ? __hlock_class+0x32/0xb0 ? __ruta_de_compilación_desde_dentry_prefijo_opcional+0x19d/0x2e0 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? permiso_genérico+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entrada_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb
References		() https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49 - () https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d -

07 Nov 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 10:15

Updated : 2024-11-22 17:30

NVD link : CVE-2024-50151

Mitre link : CVE-2024-50151

CVE.ORG link : CVE-2024-50151

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-787

Out-of-bounds Write

7.8 /10