Bug 2253611 (CVE-2023-6606)

Summary: CVE-2023-6606 kernel: Out-Of-Bounds Read vulnerability in smbCalcSize
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, dvlasenk, ezulian, gcovolo, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mstowell, nmurray, ptalbert, rogbas, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, wcosta, williams, wmealing, xzhou, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2253612    
Bug Blocks: 2253609    

Description Rohit Keshri 2023-12-08 07:47:46 UTC 
An Out-Of-Bounds Read vulnerability in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This flaw could allow a local attacker to crash the system or leak internal kernel information.

Refer;
https://bugzilla.kernel.org/show_bug.cgi?id=218218

[1] Retrieve WordCount and add offset*2 to the data part of smb
[2] Retrieve a 16-byte value from the calculated pointer

```c
unsigned int
smbCalcSize(void *buf)
{
	struct smb_hdr *ptr = buf;
	return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) +
		2 /* size of the bcc field */ + get_bcc(ptr));
}
...
static inline __u16
get_bcc(struct smb_hdr *hdr)
{
	__le16 *bc_ptr = (__le16 *)BCC(hdr);

	return get_unaligned_le16(bc_ptr);//[2]
}
...
static inline void *
BCC(struct smb_hdr *smb)
{
	return (void *)smb + sizeof(*smb) + 2 * smb->WordCount; //[1]
}
```


[2] cifs_demultiplex_thread → standard_receive3 → cifs_handle_standard → checkSMB → smbCalcSize

```c
int
checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
{
	struct smb_hdr *smb = (struct smb_hdr *)buf;
	__u32 rfclen = be32_to_cpu(smb->smb_buf_length);
	__u32 clc_len;  /* calculated length */
	cifs_dbg(FYI, "checkSMB Length: 0x%x, smb_buf_length: 0x%x\n",
		 total_read, rfclen);

	/* is this frame too small to even get to a BCC? */
	if (total_read < 2 + sizeof(struct smb_hdr)) {
...
	}

	/* otherwise, there is enough to get to the BCC */
	if (check_smb_hdr(smb))
		return -EIO;
	clc_len = smbCalcSize(smb);
Comment 1 Rohit Keshri 2023-12-08 08:24:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2253612]
Comment 6 Justin M. Forbes 2024-01-15 19:36:30 UTC 
This was fixed for Fedora with the 6.6.9 stable kernel  updates.
Comment 7 errata-xmlrpc 2024-02-07 16:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0725 https://access.redhat.com/errata/RHSA-2024:0725
Comment 8 errata-xmlrpc 2024-02-07 16:25:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0723 https://access.redhat.com/errata/RHSA-2024:0723
Comment 9 errata-xmlrpc 2024-02-20 12:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0881 https://access.redhat.com/errata/RHSA-2024:0881
Comment 10 errata-xmlrpc 2024-02-20 12:33:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0897 https://access.redhat.com/errata/RHSA-2024:0897
Comment 11 errata-xmlrpc 2024-03-06 12:37:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188
Comment 13 errata-xmlrpc 2024-03-12 00:45:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248
Comment 15 errata-xmlrpc 2024-03-19 17:27:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404