CVE-2023-6610: Kernel: oob access in smb2_dump_detail
First published: Fri Dec 08 2023(Updated: )
An Out-Of-Bounds Read vulnerability in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information. Refer: <a href="https://bugzilla.kernel.org/show_bug.cgi?id=218219">https://bugzilla.kernel.org/show_bug.cgi?id=218219</a> 1] If CONFIG_CIFS_DEBUG2 is set, then cifs_demultiplex_thread calls dump_detail. ``` static int cifs_demultiplex_thread(void *p) { ... for (i = 0; i < num_mids; i++) { if (mids[i] != NULL) { mids[i]->resp_buf_size = server->pdu_size; if (bufs[i] != NULL) { if (server->ops->is_network_name_deleted && server->ops->is_network_name_deleted(bufs[i], server)) { cifs_server_dbg(FYI, "Share deleted. Reconnect needed"); } } if (!mids[i]->multiRsp || mids[i]->multiEnd) mids[i]->callback(mids[i]); release_mid(mids[i]); } else if (server->ops->is_oplock_break && server->ops->is_oplock_break(bufs[i], server)) { smb2_add_credits_from_hdr(bufs[i], server); cifs_dbg(FYI, "Received oplock break\n"); } else { cifs_server_dbg(VFS, "No task to wake, unknown frame received! NumMids %d\n", atomic_read(&mid_count)); cifs_dump_mem("Received Data is: ", bufs[i], HEADER_SIZE(server)); smb2_add_credits_from_hdr(bufs[i], server); #ifdef CONFIG_CIFS_DEBUG2 if (server->ops->dump_detail) server->ops->dump_detail(bufs[i], server);//[1] cifs_dump_mids(server); #endif /* CIFS_DEBUG2 */ } } ``` //[2]In smb2_dump_detail, calc_smb_size is called, which refers to smb2_calc_size. ``` static void smb2_dump_detail(void *buf, struct TCP_Server_Info *server) { #ifdef CONFIG_CIFS_DEBUG2 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; cifs_server_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Mid: %llu Pid: %d\n", shdr->Command, shdr->Status, shdr->Flags, shdr->MessageId, shdr->Id.SyncId.ProcessId); cifs_server_dbg(VFS, "smb buf %p len %u\n", buf, server->ops->calc_smb_size(buf));//[2] #endif } ``` In has_smb2_data_area, it attempts to retrieve an element at the index le16_to_cpu(shdr->Command). If a value larger than the length of has_smb2_data_area is input, an OOB (Out-Of-Bounds) Read occurs." ``` unsigned int smb2_calc_size(void *buf) { struct smb2_pdu *pdu = buf; struct smb2_hdr *shdr = &pdu->hdr; int offset; /* the offset from the beginning of SMB to data area */ int data_length; /* the length of the variable length data area */ /* Structure Size has already been checked to make sure it is 64 */ int len = le16_to_cpu(shdr->StructureSize); /* * StructureSize2, ie length of fixed parameter area has already * been checked to make sure it is the correct length. */ len += le16_to_cpu(pdu->StructureSize2); if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false)//[3] goto calc_size_exit; ```
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | ||
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| ubuntu/linux | <6.5.0-27.28 | 6.5.0-27.28 |
| ubuntu/linux | <6.7~ | 6.7~ |
| ubuntu/linux-aws | <6.5.0-1017.17 | 6.5.0-1017.17 |
| ubuntu/linux-aws | <6.7~ | 6.7~ |
| ubuntu/linux-aws-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-aws-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-aws-6.5 | <6.5.0-1017.17~22.04.2 | 6.5.0-1017.17~22.04.2 |
| ubuntu/linux-aws-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-aws-hwe | <6.7~ | 6.7~ |
| ubuntu/linux-azure | <6.5.0-1018.19 | 6.5.0-1018.19 |
| ubuntu/linux-azure | <6.7~ | 6.7~ |
| ubuntu/linux-azure-4.15 | <6.7~ | 6.7~ |
| ubuntu/linux-azure-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-azure-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-azure-6.5 | <6.5.0-1018.19~22.04.2 | 6.5.0-1018.19~22.04.2 |
| ubuntu/linux-azure-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-azure-fde | <6.7~ | 6.7~ |
| ubuntu/linux-azure-fde-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-bluefield | <6.7~ | 6.7~ |
| ubuntu/linux-fips | <6.7~ | 6.7~ |
| ubuntu/linux-gcp | <6.5.0-1017.17 | 6.5.0-1017.17 |
| ubuntu/linux-gcp | <6.7~ | 6.7~ |
| ubuntu/linux-gcp-4.15 | <6.7~ | 6.7~ |
| ubuntu/linux-gcp-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-gcp-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-gcp-6.5 | <6.5.0-1017.17~22.04.1 | 6.5.0-1017.17~22.04.1 |
| ubuntu/linux-gcp-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-gke | <6.7~ | 6.7~ |
| ubuntu/linux-gkeop | <6.7~ | 6.7~ |
| ubuntu/linux-gkeop-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-hwe | <6.7~ | 6.7~ |
| ubuntu/linux-hwe-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-hwe-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-hwe-6.5 | <6.5.0-27.28~22.04.1 | 6.5.0-27.28~22.04.1 |
| ubuntu/linux-hwe-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-ibm | <6.7~ | 6.7~ |
| ubuntu/linux-ibm-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-ibm-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-intel-iotg | <6.7~ | 6.7~ |
| ubuntu/linux-intel-iotg-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-iot | <6.7~ | 6.7~ |
| ubuntu/linux-kvm | <6.7~ | 6.7~ |
| ubuntu/linux-laptop | <6.5.0-1013.16 | 6.5.0-1013.16 |
| ubuntu/linux-laptop | <6.7~ | 6.7~ |
| ubuntu/linux-lowlatency | <6.5.0-27.28.1 | 6.5.0-27.28.1 |
| ubuntu/linux-lowlatency | <6.7~ | 6.7~ |
| ubuntu/linux-lowlatency-hwe-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-lowlatency-hwe-6.5 | <6.5.0-27.28.1~22.04.1 | 6.5.0-27.28.1~22.04.1 |
| ubuntu/linux-lowlatency-hwe-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-lts-xenial | <6.7~ | 6.7~ |
| ubuntu/linux-nvidia | <6.7~ | 6.7~ |
| ubuntu/linux-oem-6.1 | <6.1.0-1035.35 | 6.1.0-1035.35 |
| ubuntu/linux-oem-6.1 | <6.7~ | 6.7~ |
| ubuntu/linux-oem-6.5 | <6.5.0-1019.20 | 6.5.0-1019.20 |
| ubuntu/linux-oem-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-oracle | <6.5.0-1020.20 | 6.5.0-1020.20 |
| ubuntu/linux-oracle | <6.7~ | 6.7~ |
| ubuntu/linux-oracle-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-oracle-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-oracle-6.5 | <6.5.0-1020.20~22.04.1 | 6.5.0-1020.20~22.04.1 |
| ubuntu/linux-oracle-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-raspi | <6.5.0-1014.17 | 6.5.0-1014.17 |
| ubuntu/linux-raspi | <6.7~ | 6.7~ |
| ubuntu/linux-raspi-5.4 | <6.7~ | 6.7~ |
| ubuntu/linux-riscv | <6.5.0-27.28.1 | 6.5.0-27.28.1 |
| ubuntu/linux-riscv | <6.7~ | 6.7~ |
| ubuntu/linux-riscv-5.15 | <6.7~ | 6.7~ |
| ubuntu/linux-riscv-6.5 | <6.5.0-27.28.1~22.04.1 | 6.5.0-27.28.1~22.04.1 |
| ubuntu/linux-riscv-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-starfive | <6.5.0-1011.12 | 6.5.0-1011.12 |
| ubuntu/linux-starfive | <6.7~ | 6.7~ |
| ubuntu/linux-starfive-6.5 | <6.5.0-1011.12~22.04.1 | 6.5.0-1011.12~22.04.1 |
| ubuntu/linux-starfive-6.5 | <6.7~ | 6.7~ |
| ubuntu/linux-xilinx-zynqmp | <6.7~ | 6.7~ |
| debian/linux | <=4.19.249-2<=4.19.304-1<=5.10.209-2<=5.10.205-2 | 6.1.76-1 6.1.85-1 6.6.15-2 6.7.12-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:0723
- https://access.redhat.com/errata/RHSA-2024:0724
- https://access.redhat.com/errata/RHSA-2024:0725
- https://access.redhat.com/errata/RHSA-2024:0881
- https://access.redhat.com/errata/RHSA-2024:0897
- https://access.redhat.com/errata/RHSA-2024:1248
- https://access.redhat.com/security/cve/CVE-2023-6610
- https://bugzilla.kernel.org/show_bug.cgi?id=218219
- https://bugzilla.redhat.com/show_bug.cgi?id=2253614
- https://access.redhat.com/errata/RHSA-2024:1404
- https://exchange.xforce.ibmcloud.com/vulnerabilities/273676
- https://www.ibm.com/support/pages/node/7144861 (Advisory)
- https://git.kernel.org/linus/567320c46a60a3c39b69aa1df802d753817a3f86
- https://security-tracker.debian.org/tracker/CVE-2023-6610
- https://launchpad.net/bugs/cve/CVE-2023-6610
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2254059
- https://ubuntu.com/security/notices/USN-6688-1
- https://ubuntu.com/security/notices/USN-6724-1
- https://www.cve.org/CVERecord?id=CVE-2023-6610
- https://ubuntu.com/security/notices/USN-6724-2
- https://nvd.nist.gov/vuln/detail/CVE-2023-6610
- https://git.kernel.org/linus/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
- https://ubuntu.com/security/CVE-2023-6610
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2023-6610.
What is the title of this vulnerability?
The title of this vulnerability is 'Kernel: oob access in smb2_dump_detail'.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2023-6610), [Reference 2](https://bugzilla.kernel.org/show_bug.cgi?id=218219), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=2253614).
What is the severity of CVE-2023-6610?
The severity of CVE-2023-6610 is high with a CVSS score of 7.1.
How can I fix the oob access vulnerability in smb2_dump_detail?
To fix the oob access vulnerability in smb2_dump_detail, it is recommended to apply the latest security updates or patches provided by the Linux Kernel maintainers.
- agent/type
- agent/weakness
- agent/title
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/remedy
- agent/author
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/severity
- agent/description
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-6610
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux linux kernel
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/ubuntu
- package-manager/debian