7.1
CWE
125
EPSS
0.042%
Advisory Published
CVE Published
Updated

CVE-2023-6610: Kernel: oob access in smb2_dump_detail

First published: Fri Dec 08 2023(Updated: )

An Out-Of-Bounds Read vulnerability in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information. Refer: <a href="https://bugzilla.kernel.org/show_bug.cgi?id=218219">https://bugzilla.kernel.org/show_bug.cgi?id=218219</a> 1] If CONFIG_CIFS_DEBUG2 is set, then cifs_demultiplex_thread calls dump_detail. ``` static int cifs_demultiplex_thread(void *p) { ... for (i = 0; i &lt; num_mids; i++) { if (mids[i] != NULL) { mids[i]-&gt;resp_buf_size = server-&gt;pdu_size; if (bufs[i] != NULL) { if (server-&gt;ops-&gt;is_network_name_deleted &amp;&amp; server-&gt;ops-&gt;is_network_name_deleted(bufs[i], server)) { cifs_server_dbg(FYI, "Share deleted. Reconnect needed"); } } if (!mids[i]-&gt;multiRsp || mids[i]-&gt;multiEnd) mids[i]-&gt;callback(mids[i]); release_mid(mids[i]); } else if (server-&gt;ops-&gt;is_oplock_break &amp;&amp; server-&gt;ops-&gt;is_oplock_break(bufs[i], server)) { smb2_add_credits_from_hdr(bufs[i], server); cifs_dbg(FYI, "Received oplock break\n"); } else { cifs_server_dbg(VFS, "No task to wake, unknown frame received! NumMids %d\n", atomic_read(&amp;mid_count)); cifs_dump_mem("Received Data is: ", bufs[i], HEADER_SIZE(server)); smb2_add_credits_from_hdr(bufs[i], server); #ifdef CONFIG_CIFS_DEBUG2 if (server-&gt;ops-&gt;dump_detail) server-&gt;ops-&gt;dump_detail(bufs[i], server);//[1] cifs_dump_mids(server); #endif /* CIFS_DEBUG2 */ } } ``` //[2]In smb2_dump_detail, calc_smb_size is called, which refers to smb2_calc_size. ``` static void smb2_dump_detail(void *buf, struct TCP_Server_Info *server) { #ifdef CONFIG_CIFS_DEBUG2 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; cifs_server_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Mid: %llu Pid: %d\n", shdr-&gt;Command, shdr-&gt;Status, shdr-&gt;Flags, shdr-&gt;MessageId, shdr-&gt;Id.SyncId.ProcessId); cifs_server_dbg(VFS, "smb buf %p len %u\n", buf, server-&gt;ops-&gt;calc_smb_size(buf));//[2] #endif } ``` In has_smb2_data_area, it attempts to retrieve an element at the index le16_to_cpu(shdr-&gt;Command). If a value larger than the length of has_smb2_data_area is input, an OOB (Out-Of-Bounds) Read occurs." ``` unsigned int smb2_calc_size(void *buf) { struct smb2_pdu *pdu = buf; struct smb2_hdr *shdr = &amp;pdu-&gt;hdr; int offset; /* the offset from the beginning of SMB to data area */ int data_length; /* the length of the variable length data area */ /* Structure Size has already been checked to make sure it is 64 */ int len = le16_to_cpu(shdr-&gt;StructureSize); /* * StructureSize2, ie length of fixed parameter area has already * been checked to make sure it is the correct length. */ len += le16_to_cpu(pdu-&gt;StructureSize2); if (has_smb2_data_area[le16_to_cpu(shdr-&gt;Command)] == false)//[3] goto calc_size_exit; ```

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
IBM QRadar SIEM<=7.5 - 7.5.0 UP8 IF01
Linux Linux kernel
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux=9.0
debian/linux<=5.10.223-1<=5.10.226-1
6.1.115-1
6.1.119-1
6.11.10-1
6.12.5-1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID for this vulnerability?

    The vulnerability ID for this vulnerability is CVE-2023-6610.

  • What is the title of this vulnerability?

    The title of this vulnerability is 'Kernel: oob access in smb2_dump_detail'.

  • Where can I find more information about this vulnerability?

    You can find more information about this vulnerability at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2023-6610), [Reference 2](https://bugzilla.kernel.org/show_bug.cgi?id=218219), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=2253614).

  • What is the severity of CVE-2023-6610?

    The severity of CVE-2023-6610 is high with a CVSS score of 7.1.

  • How can I fix the oob access vulnerability in smb2_dump_detail?

    To fix the oob access vulnerability in smb2_dump_detail, it is recommended to apply the latest security updates or patches provided by the Linux Kernel maintainers.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203