Bug 2037386 (CVE-2022-0168)
| Summary | CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference | | |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | acaringi, adscvr, airlied, alciregi, bdettelb, bhu, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, juneau, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, scweaver, security-response-team, steve.beattie, steved, vkumar, walters, williams |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A denial of service (DoS) issue was found in the Linux kernel's smb2_ioctl_query_info function in the Common Internet File System (CIFS) code in fs/cifs/smb2ops.c, caused by an unchecked return value from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-12-05 06:35:54 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2037631, 2037632, 2037633, 2067080, 2074302, 2074316, 2082963 | | |
| Bug Blocks | 2037388, 2038901 | | |
Description
Marian Rehak
2022-01-05 14:20:23 UTC
The candidate patch is: /* There is a patch also suggested by the researcher (Billy Jheng Bing Jhong of STAR Labs) */ diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index c5b1dea54ebc..3d656f7c907f 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1643,7 +1643,7 @@ smb2_ioctl_query_info(const unsigned int xid, if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) goto e_fault; - if (qi.output_buffer_length > 1024) { + if (qi.output_buffer_length > 1024 || qi.output_buffer_length == 0) { kfree(vars); return -EINVAL; }

Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2067080]

https://git.kernel.org/linus/d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 seems to be the related fix for this issue?

This was fixed for Fedora with the 5.16.9 stable kernel update.

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933

This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0168

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
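Review bot: the added `|| qi.output_buffer_length == 0` clause in the candidate hunk rejects a zero-length output buffer before the user buffer is duplicated, which is the memdup_user() return-value problem named in the Doc Text, but the condition carries no comment explaining why zero is invalid, so `> 1024 || == 0` reads as an arbitrary range restriction; add a one-line comment above the `if` stating that a zero-length output buffer cannot be duplicated into a usable kernel buffer for this ioctl. The early-return path frees only `vars`, so confirm nothing else has been allocated between the `copy_from_user()` and this check. Since this is a candidate patch, it should also be compared against the upstream commit linked later in the thread (d6f5e358452479fa8a773b5c6ccc9e4ec5a20880) before being carried as the backport.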