Bug 2300394 (CVE-2024-41030)

Summary: CVE-2024-41030 kernel: ksmbd: discard write access to the directory open
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.1.100, kernel 6.6.41, kernel 6.9.10, kernel 6.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ksmbd module in the Linux kernel. Incorrect write flags set when opening a directory can cause a linked list corruption and a call to the BUG function, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2301478    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-29 15:31:12 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: discard write access to the directory open

may_open() does not allow a directory to be opened with the write access.
However, some writing flags set by client result in adding write access
on server, making ksmbd incompatible with FUSE file system. Simply, let's
discard the write access when opening a directory.

list_add corruption. next is NULL.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:26!
pc : __list_add_valid+0x88/0xbc
lr : __list_add_valid+0x88/0xbc
Call trace:
__list_add_valid+0x88/0xbc
fuse_finish_open+0x11c/0x170
fuse_open_common+0x284/0x5e8
fuse_dir_open+0x14/0x24
do_dentry_open+0x2a4/0x4e0
dentry_open+0x50/0x80
smb2_open+0xbe4/0x15a4
handle_ksmbd_work+0x478/0x5ec
process_one_work+0x1b4/0x448
worker_thread+0x25c/0x430
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20
Comment 1 Mauro Matteo Cascella 2024-07-30 08:31:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024072921-CVE-2024-41030-301a@gregkh/T
Comment 2 Mauro Matteo Cascella 2024-07-30 08:31:53 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2301478]