Bug 2155944 (CVE-2022-47940, ZDI-22-1691, ZDI-CAN-17817)

Summary: CVE-2022-47940 kernel: smb2_write() fails to validate user supplied data which can result in out-of-bounds read
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: acaringi, bdettelb, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, saroy, scweaver, tyberry, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: kernel 6.0-rc1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-24 14:39:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2155949    
Bug Blocks: 2155936    

Description Michael Kaplan 2022-12-23 01:29:03 UTC
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2_WRITE commands. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel.



Comment 1 Michael Kaplan 2022-12-23 02:02:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2155949]

Comment 4 Sandipan Roy 2022-12-23 05:35:06 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 8 Product Security DevOps Team 2022-12-24 14:39:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):