CVE-2024-50151: smb: client: fix OOBs when building SMB2_IOCTL request
First published: Thu Nov 07 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2_IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_report+0xda/0x110 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_check_range+0x10f/0x1f0 __asan_memcpy+0x3c/0x60 smb2_set_next_command.cold+0x1d6/0x24c [cifs] smb2_compound_op+0x238c/0x3840 [cifs] ? kasan_save_track+0x14/0x30 ? kasan_save_free_info+0x3b/0x70 ? vfs_symlink+0x1a1/0x2c0 ? do_symlinkat+0x108/0x1c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] smb2_create_reparse_symlink+0x38f/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] cifs_symlink+0x24f/0x960 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? generic_permission+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=5.0<5.4.285 | |
| Linux Kernel | >=5.5<5.10.229 | |
| Linux Kernel | >=5.11<5.15.170 | |
| Linux Kernel | >=5.16<6.1.115 | |
| Linux Kernel | >=6.2<6.6.59 | |
| Linux Kernel | >=6.7<6.11.6 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| Linux Kernel | =6.12-rc3 | |
| debian/linux | <=5.10.223-1<=5.10.226-1 | 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
| debian/linux-6.1 | 6.1.119-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49
- https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d
- https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470
- https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531
- https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510
- https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec
- https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50151
- https://nvd.nist.gov/vuln/detail/CVE-2024-50151
- https://launchpad.net/bugs/cve/CVE-2024-50151
- https://security-tracker.debian.org/tracker/CVE-2024-50151
- https://ubuntu.com/security/CVE-2024-50151
- https://git.kernel.org/linus/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1
Frequently Asked Questions
What is the severity of CVE-2024-50151?
The severity of CVE-2024-50151 is determined by its potential impact on the integrity and availability of the Linux kernel when using SMB2_IOCTL requests.
How do I fix CVE-2024-50151?
To fix CVE-2024-50151, users should update their Linux kernel to a version that addresses this vulnerability.
What versions of the Linux kernel are affected by CVE-2024-50151?
CVE-2024-50151 affects multiple Linux kernel versions ranging from 5.0 to 6.12-rc3.
What is the main issue described in CVE-2024-50151?
CVE-2024-50151 addresses out-of-bounds errors that occur when building SMB2_IOCTL requests with encryption.
Is CVE-2024-50151 specific to a certain distribution of Linux?
CVE-2024-50151 is applicable across various distributions that utilize the affected versions of the Linux kernel.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/event
- agent/weakness
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/source
- agent/tags
- agent/description
- agent/softwarecombine
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.0
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- version/linux kernel/6.12-rc3
- package-manager/debian