First published: Fri Dec 08 2023(Updated: )
An Out-Of-Bounds Read vulnerability in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information.

Refer: <a href="https://bugzilla.kernel.org/show_bug.cgi?id=218218">https://bugzilla.kernel.org/show_bug.cgi?id=218218</a>

The length calculation trusts two fields taken from the received frame itself:

[1] Retrieve WordCount and add 2*WordCount to the start of the data part of the SMB header to locate the byte-count (BCC) field.
[2] Retrieve a 16-bit value (the BCC) from the calculated pointer.

```c
unsigned int
smbCalcSize(void *buf)
{
	struct smb_hdr *ptr = buf;
	return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) +
		2 /* size of the bcc field */ + get_bcc(ptr));
}
...
static inline __u16 get_bcc(struct smb_hdr *hdr)
{
	__le16 *bc_ptr = (__le16 *)BCC(hdr);
	return get_unaligned_le16(bc_ptr); /* [2] */
}
...
static inline void *
BCC(struct smb_hdr *smb)
{
	return (void *)smb + sizeof(*smb) + 2 * smb->WordCount; /* [1] */
}
```

Call path from the receive thread to the vulnerable function: cifs_demultiplex_thread → standard_receive3 → cifs_handle_standard → checkSMB → smbCalcSize. checkSMB only verifies that the frame is large enough to reach a BCC field placed immediately after the header (WordCount == 0); an attacker-controlled WordCount moves the BCC pointer past the end of the bytes actually received before smbCalcSize dereferences it:

```c
int
checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
{
	struct smb_hdr *smb = (struct smb_hdr *)buf;
	__u32 rfclen = be32_to_cpu(smb->smb_buf_length);
	__u32 clc_len;  /* calculated length */

	cifs_dbg(FYI, "checkSMB Length: 0x%x, smb_buf_length: 0x%x\n",
		 total_read, rfclen);

	/* is this frame too small to even get to a BCC? */
	if (total_read < 2 + sizeof(struct smb_hdr)) {
		...
	}

	/* otherwise, there is enough to get to the BCC */
	if (check_smb_hdr(smb))
		return -EIO;
	clc_len = smbCalcSize(smb);
	...
}
```
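As an added example (not code from the bug report or the kernel tree), the same length calculation mirrored in plain C beside an illustrative bounds-checked variant that takes the number of bytes actually received into account; the struct layout stand-in, the function names and the constructed frames are assumptions for the demonstration, and the hardened variant is not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's packed struct smb_hdr: 36 bytes of fixed fields
 * (NetBIOS length + 32-byte SMB1 header) then WordCount; sizeof() is 37. */
struct smb_hdr {
    uint8_t fixed[36];
    uint8_t WordCount;
} __attribute__((packed));

/* Unaligned little-endian 16-bit read, like get_unaligned_le16(). */
static uint16_t le16_at(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Mirrors the unpatched smbCalcSize(): WordCount comes from the frame, so the
 * BCC pointer can land up to 2*255 bytes past the header, whatever is there. */
unsigned int smb_calc_size_unchecked(const void *buf)
{
    const struct smb_hdr *hdr = buf;
    const uint8_t *bcc = (const uint8_t *)buf + sizeof(*hdr) + 2 * hdr->WordCount;
    return (unsigned int)(sizeof(*hdr) + 2 * hdr->WordCount + 2 + le16_at(bcc));
}

/* Illustrative hardened form (assumption, not the upstream fix): the parameter
 * words and the 2-byte BCC field must fit inside total_read before any read. */
unsigned int smb_calc_size_checked(const void *buf, size_t total_read)
{
    const struct smb_hdr *hdr = buf;
    size_t bcc_off;
    if (total_read < sizeof(*hdr) + 2)          /* the check checkSMB() already has */
        return 0;
    bcc_off = sizeof(*hdr) + 2 * (size_t)hdr->WordCount;
    if (bcc_off + 2 > total_read)               /* BCC field would lie out of bounds */
        return 0;                               /* 0 = malformed frame, reject it */
    return (unsigned int)(bcc_off + 2 + le16_at((const uint8_t *)buf + bcc_off));
}

/* Builds a constructed SMB1 frame into out: zeroed header, word_count zeroed
 * parameter words, little-endian BCC, then data_len filler bytes; returns its length. */
size_t make_frame(uint8_t *out, uint8_t word_count, uint16_t bcc, size_t data_len)
{
    size_t off = sizeof(struct smb_hdr);
    memset(out, 0, off + 2 * (size_t)word_count);
    ((struct smb_hdr *)out)->WordCount = word_count;
    off += 2 * (size_t)word_count;
    out[off++] = (uint8_t)(bcc & 0xff); out[off++] = (uint8_t)(bcc >> 8);
    memset(out + off, 0xAA, data_len);
    return off + data_len;
}
```

With WordCount=255 and only 39 bytes received, the unchecked form reads the BCC 510 bytes past the header while the checked form rejects the frame before touching it.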
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
| Linux Linux kernel | >=6.4.1, <6.7 | |
| Linux Linux kernel | =6.4 | |
| Linux Linux kernel | =6.4-rc4 | |
| Linux Linux kernel | =6.4-rc5 | |
| Linux Linux kernel | =6.4-rc6 | |
| Linux Linux kernel | =6.4-rc7 | |
| Linux Linux kernel | =6.7-rc1 | |
| Linux Linux kernel | =6.7-rc2 | |
| Linux Linux kernel | =6.7-rc3 | |
| Linux Linux kernel | =6.7-rc4 | |
| Linux Linux kernel | =6.7-rc5 | |
| Linux Linux kernel | =6.7-rc6 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| Redhat Enterprise Linux Eus | =9.2 | |
| Redhat Enterprise Linux Eus | =9.4 | |
| Redhat Enterprise Linux Server Aus | =9.2 | |
| Redhat Enterprise Linux Server Aus | =9.4 | |
| Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =9.2 | |
| Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =9.2_ppc64le | |
| debian/linux | 5.10.223-1, 5.10.226-1, 6.1.115-1, 6.1.119-1, 6.11.10-1, 6.12.5-1 | |
The vulnerability ID for this kernel vulnerability is CVE-2023-6606.
The title of this vulnerability is 'Kernel: out-of-bounds read vulnerability in smbcalcsize'.
The severity of CVE-2023-6606 is high, with a CVSS score of 7.1.
You can find more information about this vulnerability at the following references: [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-6606), [Kernel Bugzilla](https://bugzilla.kernel.org/show_bug.cgi?id=218218), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2253611).
This vulnerability can allow a local attacker to crash the system or leak internal kernel information.