Bug 2155945 (CVE-2022-47941, ZDI-22-1687, ZDI-CAN-17815)

Summary: CVE-2022-47941 kernel: handling of SMB2_NEGOTIATE command doesn't properly release memory which could result in DoS
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, bdettelb, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, tyberry, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.0-rc1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-24 15:10:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2155950    
Bug Blocks: 2155936    

Description Michael Kaplan 2022-12-23 01:46:44 UTC 
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2_NEGOTIATE commands. The issue results from the lack of memory release after its effective lifetime. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

References: 

https://www.zerodayinitiative.com/advisories/ZDI-22-1687/
Comment 1 Michael Kaplan 2022-12-23 02:02:22 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2155950]
Comment 4 Sandipan Roy 2022-12-23 10:47:05 UTC 
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.
Comment 5 Product Security DevOps Team 2022-12-24 15:09:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-47941