Bug 2037386 (CVE-2022-0168) - CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference
Summary: CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0168
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat2037631 Red Hat2037632 Red Hat2037633 2067080 Red Hat2074302 Red Hat2074316 Red Hat2082963
Blocks: Embargoed2037388 Red Hat2038901
TreeView+ depends on / blocked
 
Reported: 2022-01-05 14:20 UTC by Marian Rehak
Modified: 2023-05-12 20:03 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
Clone Of:
Environment:
Last Closed: 2022-12-05 06:35:54 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:09:24 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:08:39 UTC
Red Hat Product Errata RHSA-2022:7933 0 None None None 2022-11-15 09:44:22 UTC
Red Hat Product Errata RHSA-2022:8267 0 None None None 2022-11-15 10:46:52 UTC

Description Marian Rehak 2022-01-05 14:20:23 UTC 
In Function `smb2_ioctl_query_info`, it incorrectly verify the return from the `memdup_user` function. `qi.output_buffer_length` is grab from copy_from_user which is user control value. If qi.output_buffer_length is equal to zero, the `memdup_user` function returns `0x10` which is not a valid ptr but can pass the check. Later this evil `buffer` is pass to function `SMB2_set_info_init` if qi.flags is equal to `PASSTHRU_SET_INFO`. In function `SMB2_set_info_init`, there is a straight memcpy which `*data` is previous evil buffer and `*size` is 8.
Comment 6 Alex 2022-01-16 15:58:39 UTC 
The candidate patch is:

/* There is a patch also suggested by the researcher  (Billy Jheng Bing Jhong of STAR Labs)  */

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index c5b1dea54ebc..3d656f7c907f 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1643,7 +1643,7 @@ smb2_ioctl_query_info(const unsigned int xid,
        if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
                goto e_fault;

-       if (qi.output_buffer_length > 1024) {
+       if (qi.output_buffer_length > 1024 || qi.output_buffer_length == 0) {
                kfree(vars);
                return -EINVAL;
        }
Comment 7 Rohit Keshri 2022-03-23 09:08:09 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2067080]
Comment 8 Salvatore Bonaccorso 2022-04-11 07:26:45 UTC 
https://git.kernel.org/linus/d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 seem the related fix for this issue?
Comment 12 Justin M. Forbes 2022-05-18 14:29:09 UTC 
This was fixed for Fedora witht he 5.16.9 stable kernel update.
Comment 16 errata-xmlrpc 2022-11-08 09:09:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
Comment 17 errata-xmlrpc 2022-11-08 10:08:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
Comment 18 errata-xmlrpc 2022-11-15 09:44:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933
Comment 19 errata-xmlrpc 2022-11-15 10:46:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267
Comment 20 Product Security DevOps Team 2022-12-05 06:35:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0168
Note You need to log in before you can comment on or make changes to this bug.