CVE-2023-6606: Kernel: out-of-bounds read vulnerability in smbcalcsize

First published: Fri Dec 08 2023(Updated: )

An Out-Of-Bounds Read vulnerability in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information. Refer; <a href="https://bugzilla.kernel.org/show_bug.cgi?id=218218">https://bugzilla.kernel.org/show_bug.cgi?id=218218</a> [1] Retrieve WordCount and add offset*2 to the data part of smb [2] Retrieve a 16-byte value from the calculated pointer ```c unsigned int smbCalcSize(void *buf) { struct smb_hdr *ptr = buf; return (sizeof(struct smb_hdr) + (2 * ptr-&gt;WordCount) + 2 /* size of the bcc field */ + get_bcc(ptr)); } ... static inline __u16 get_bcc(struct smb_hdr *hdr) { __le16 *bc_ptr = (__le16 *)BCC(hdr); return get_unaligned_le16(bc_ptr);//[2] } ... static inline void * BCC(struct smb_hdr *smb) { return (void *)smb + sizeof(*smb) + 2 * smb-&gt;WordCount; //[1] } ``` [2] cifs_demultiplex_thread → standard_receive3 → cifs_handle_standard → checkSMB → smbCalcSize ```c int checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) { struct smb_hdr *smb = (struct smb_hdr *)buf; __u32 rfclen = be32_to_cpu(smb-&gt;smb_buf_length); __u32 clc_len; /* calculated length */ cifs_dbg(FYI, "checkSMB Length: 0x%x, smb_buf_length: 0x%x\n", total_read, rfclen); /* is this frame too small to even get to a BCC? */ if (total_read &lt; 2 + sizeof(struct smb_hdr)) { ... } /* otherwise, there is enough to get to the BCC */ if (check_smb_hdr(smb)) return -EIO; clc_len = smbCalcSize(smb);

Credit: secalert@redhat.com secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/weakness
• agent/title
• collector/epss-latest
• source/FIRST
• agent/epss
• agent/remedy
• agent/first-publish-date
• agent/author
• agent/severity
• collector/launchpad-cve
• source/Launchpad
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2023-6606
• collector/ibm-support
• source/IBM
• agent/software-canonical-lookup
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• collector/nvd-cve
• source/NVD
• agent/references
• agent/tags
• collector/usn-cve
• source/Ubuntu
• agent/description
• agent/event
• collector/security-tracker-debian
• source/Debian
• agent/softwarecombine
• collector/nvd-api
• vendor/ibm
• canonical/ibm qradar siem
• version/ibm qradar siem/7.5 - 7.5.0 up8 if01
• vendor/linux
• canonical/linux linux kernel
• vendor/redhat
• canonical/redhat enterprise linux
• version/redhat enterprise linux/8.0
• version/redhat enterprise linux/9.0
• package-manager/debian
• version/linux linux kernel/6.4.1
• version/linux linux kernel/6.4
• version/linux linux kernel/6.4-rc4
• version/linux linux kernel/6.4-rc5
• version/linux linux kernel/6.4-rc6
• version/linux linux kernel/6.4-rc7
• version/linux linux kernel/6.7-rc1
• version/linux linux kernel/6.7-rc2
• version/linux linux kernel/6.7-rc3
• version/linux linux kernel/6.7-rc4
• version/linux linux kernel/6.7-rc5
• version/linux linux kernel/6.7-rc6
• canonical/redhat enterprise linux eus
• version/redhat enterprise linux eus/9.2
• version/redhat enterprise linux eus/9.4
• canonical/redhat enterprise linux server aus
• version/redhat enterprise linux server aus/9.2
• version/redhat enterprise linux server aus/9.4
• canonical/redhat enterprise linux server for power little endian update services for sap solutions
• version/redhat enterprise linux server for power little endian update services for sap solutions/9.2
• version/redhat enterprise linux server for power little endian update services for sap solutions/9.2_ppc64le