Bug 2037386 (CVE-2022-0168)
| Summary: | CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, bdettelb, bhu, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, juneau, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, scweaver, security-response-team, steve.beattie, steved, vkumar, walters, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-05 06:35:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2037631, 2037632, 2037633, 2067080, 2074302, 2074316, 2082963 | ||
| Bug Blocks: | 2037388, 2038901 | ||
|
Description
Marian Rehak
2022-01-05 14:20:23 UTC
The candidate patch is:
/* There is a patch also suggested by the researcher (Billy Jheng Bing Jhong of STAR Labs) */
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index c5b1dea54ebc..3d656f7c907f 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1643,7 +1643,7 @@ smb2_ioctl_query_info(const unsigned int xid,
if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
goto e_fault;
- if (qi.output_buffer_length > 1024) {
+ if (qi.output_buffer_length > 1024 || qi.output_buffer_length == 0) {
kfree(vars);
return -EINVAL;
}
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2067080] https://git.kernel.org/linus/d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 seem the related fix for this issue? This was fixed for Fedora witht he 5.16.9 stable kernel update. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0168 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724 |