Bug 2265285 (CVE-2023-52434) - CVE-2023-52434 kernel: smb: client: fix potential OOBs in smb2_parse_contexts()
Summary: CVE-2023-52434 kernel: smb: client: fix potential OOBs in smb2_parse_contexts()
Keywords:
Status: NEW
Alias: CVE-2023-52434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2265286
Blocks: 2265182
Reported: 2024-02-21 09:22 UTC by Avinash Hanwate
Modified: 2024-07-17 07:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the smb client in the Linux kernel. A potential out-of-bounds error was seen in the smb2_parse_contexts() function. Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts().
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:22:28 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:15:17 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:50:25 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:15:36 UTC
Red Hat Product Errata RHSA-2024:2950 0 None None None 2024-05-22 09:13:26 UTC
Red Hat Product Errata RHSA-2024:3138 0 None None None 2024-05-22 09:52:49 UTC
Red Hat Product Errata RHSA-2024:4412 0 None None None 2024-07-09 09:20:39 UTC
Red Hat Product Errata RHSA-2024:4415 0 None None None 2024-07-09 09:21:04 UTC

Description Avinash Hanwate 2024-02-21 09:22:30 UTC
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential OOBs in smb2_parse_contexts()

Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts().

This fixes the following oops when accessing invalid create contexts from the server:

  BUG: unable to handle page fault for address: ffff8881178d8cc3
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 4a01067 P4D 4a01067 PUD 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
  Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
  00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
  7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
  RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
  RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
  RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
  RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
  R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
  R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
  FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __die+0x23/0x70
   ? page_fault_oops+0x181/0x480
   ? search_module_extables+0x19/0x60
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? exc_page_fault+0x1b6/0x1c0
   ? asm_exc_page_fault+0x26/0x30
   ? smb2_parse_contexts+0xa0/0x3a0 [cifs]
   SMB2_open+0x38d/0x5f0 [cifs]
   ? smb2_is_path_accessible+0x138/0x260 [cifs]
   smb2_is_path_accessible+0x138/0x260 [cifs]
   cifs_is_path_remote+0x8d/0x230 [cifs]
   cifs_mount+0x7e/0x350 [cifs]
   cifs_smb3_do_mount+0x128/0x780 [cifs]
   smb3_get_tree+0xd9/0x290 [cifs]
   vfs_get_tree+0x2c/0x100
   ? capable+0x37/0x70
   path_mount+0x2d7/0xb80
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? _raw_spin_unlock_irqrestore+0x44/0x60
   __x64_sys_mount+0x11a/0x150
   do_syscall_64+0x47/0xf0
   entry_SYSCALL_64_after_hwframe+0x6f/0x77
  RIP: 0033:0x7f8737657b1e

https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa
https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144
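A bounds-checked walk over SMB2 create contexts in the spirit of the fix described above, added here as an illustration: it is not the kernel's smb2_parse_contexts() and not the patch itself, and the function names and the constructed sample bytes are this example's own (header layout per MS-SMB2 2.2.13.2). Every offset and length from the response is checked against the bytes actually received before it is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Create context header (MS-SMB2 2.2.13.2): Next(4) NameOffset(2) NameLength(2)
 * Reserved(2) DataOffset(2) DataLength(4); the name and data bytes follow it. */
#define CC_HDR_LEN 16
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Walk the chained contexts of a CREATE response: returns how many were well
 * formed, or -1 as soon as any offset/length reaches beyond the 'len' bytes sent. */
int parse_create_contexts(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        size_t remaining = len - off;
        if (remaining < CC_HDR_LEN)                 /* fixed header must fit */
            return -1;
        const uint8_t *cc = buf + off;
        uint32_t next = rd32(cc), dlen = rd32(cc + 12);
        uint16_t noff = rd16(cc + 4), nlen = rd16(cc + 6), doff = rd16(cc + 10);
        /* name and data offsets are relative to this context; keep them inside */
        if (noff < CC_HDR_LEN || (size_t)noff + nlen > remaining)
            return -1;
        if (dlen && (doff < CC_HDR_LEN || (size_t)doff + dlen > remaining))
            return -1;
        count++;
        if (next == 0)                              /* last context in the chain */
            return count;
        if (next < CC_HDR_LEN || next > remaining)  /* hop must stay in bounds */
            return -1;
        off += next;
    }
}
/* Constructed sample response: two chained 28-byte contexts, each with the name
 * "DHnQ" at +16 and 4 data bytes at +24; the first one's Next field is 28. */
#define CTX(next) next, 0, 0, 0, 16, 0, 4, 0, 0, 0, 24, 0, 4, 0, 0, 0, \
                  'D', 'H', 'n', 'Q', 0, 0, 0, 0, 1, 2, 3, 4
static const uint8_t sample_ok[56] = { CTX(28), CTX(0) };
#undef CTX

/* Parse a copy of the sample with byte 'idx' overwritten by 'val'. */
int parse_mutated(size_t idx, uint8_t val)
{
    uint8_t tmp[sizeof sample_ok];
    memcpy(tmp, sample_ok, sizeof tmp);
    tmp[idx] = val;
    return parse_create_contexts(tmp, sizeof tmp);
}
```

Corrupting Next, NameLength or DataLength in the sample, or truncating the buffer below what the chain claims, makes the parser return -1 instead of reading past the end.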

Comment 1 Avinash Hanwate 2024-02-21 09:25:53 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265286]

Comment 3 Justin M. Forbes 2024-02-21 22:40:49 UTC
This was fixed for Fedora with the 6.6.8 stable kernel updates.

Comment 7 errata-xmlrpc 2024-04-30 10:15:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 8 errata-xmlrpc 2024-05-22 09:13:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 9 errata-xmlrpc 2024-05-22 09:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

Comment 10 Alex 2024-06-09 15:29:58 UTC
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2023-52434 is: CHECK Maybe valid. Check manually. with impact MODERATE (that is an approximation based on flags OOB LOCK DANGER DISK INIT SERVERTOCLIENT; these flags are parsed automatically based on patch data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs are always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.

Comment 12 errata-xmlrpc 2024-07-09 09:20:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4412 https://access.redhat.com/errata/RHSA-2024:4412

Comment 13 errata-xmlrpc 2024-07-09 09:21:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4415 https://access.redhat.com/errata/RHSA-2024:4415

