An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.
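The bug class behind this description is a data-area length taken from the request and trusted instead of being checked against the bytes that actually arrived. The following is an added, self-contained C example, not ksmbd code and not either of the patches discussed below: it builds a constructed SMB2 WRITE request (field offsets follow MS-SMB2, with the SMB2 header and the fixed WRITE fields assumed to be 64 and 48 bytes), shows a naive read of Length beside a check that clamps the data area to the received PDU, and exercises both with a zero DataOffset and an oversized Length. Function names and the `build_write_pdu` helper are the example's own.

```c
/* Illustrative example, not ksmbd code. Layouts per MS-SMB2 2.2.21 (WRITE Request). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB2_HDR_SIZE          64u   /* fixed SMB2 packet header (assumed) */
#define SMB2_WRITE_FIXED_SIZE  48u   /* WRITE request fields before Buffer (assumed) */
#define SMB2_WRITE_DATA_START  (SMB2_HDR_SIZE + SMB2_WRITE_FIXED_SIZE)

/* SMB2 fields are little-endian on the wire. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Naive server logic: returns the Length field as the byte count to copy,
 * with no comparison against pdu_len. This is the unchecked pattern. */
uint32_t write_len_unchecked(const uint8_t *pdu, size_t pdu_len)
{
    (void)pdu_len;
    return rd32(pdu + SMB2_HDR_SIZE + 4);   /* Length sits at offset 4 of the WRITE body */
}

/* Hardened version: the data area must lie inside the bytes actually received.
 * Returns a pointer to the data and sets *out_len, or NULL if malformed. */
const uint8_t *write_data_checked(const uint8_t *pdu, size_t pdu_len, uint32_t *out_len)
{
    if (pdu_len < SMB2_WRITE_DATA_START)
        return NULL;
    const uint8_t *req = pdu + SMB2_HDR_SIZE;
    uint16_t data_off = rd16(req + 2);      /* DataOffset, counted from the SMB2 header */
    uint32_t length   = rd32(req + 4);      /* Length of data to write */

    /* DataOffset 0 (or any value inside the fixed part) means the data starts
       right after the fixed fields; otherwise honour the client's offset. */
    size_t start = (data_off <= SMB2_WRITE_DATA_START) ? SMB2_WRITE_DATA_START : data_off;
    if (start > pdu_len || length > pdu_len - start)
        return NULL;                         /* claimed data runs past the PDU */
    *out_len = length;
    return pdu + start;
}

/* Constructed test PDU: zeroed header, StructureSize 49, given DataOffset/Length,
 * then `payload` bytes of 'A'. Returns total PDU length, 0 if it does not fit. */
size_t build_write_pdu(uint8_t *buf, size_t cap, uint16_t data_off, uint32_t length, size_t payload)
{
    size_t total = SMB2_WRITE_DATA_START + payload;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    uint8_t *req = buf + SMB2_HDR_SIZE;
    wr16(req, 49);
    wr16(req + 2, data_off);
    wr32(req + 4, length);
    memset(buf + SMB2_WRITE_DATA_START, 'A', payload);
    return total;
}

/* Scenario helpers: accepted length from the checked path, or -1 when rejected. */
int scenario_checked(uint16_t data_off, uint32_t length, size_t payload)
{
    uint8_t pdu[256];
    uint32_t n = 0;
    size_t len = build_write_pdu(pdu, sizeof pdu, data_off, length, payload);
    if (!len)
        return -2;
    return write_data_checked(pdu, len, &n) ? (int)n : -1;
}

uint32_t scenario_unchecked(uint16_t data_off, uint32_t length, size_t payload)
{
    uint8_t pdu[256];
    size_t len = build_write_pdu(pdu, sizeof pdu, data_off, length, payload);
    return len ? write_len_unchecked(pdu, len) : 0;
}

int main(void)
{
    printf("honest request (DataOffset 0, 16 bytes): checked -> %d\n", scenario_checked(0, 16, 16));
    printf("hostile request (DataOffset 0, Length 64 KiB, 16 bytes on wire):\n");
    printf("  unchecked length the server would read: %u\n", scenario_unchecked(0, 0x10000, 16));
    printf("  hardened check: %d (-1 = rejected)\n", scenario_checked(0, 0x10000, 16));
    return 0;
}
```

The point of the side-by-side is that the zero-DataOffset branch is exactly where a server is tempted to skip the offset arithmetic and trust Length; the hardened path treats that branch like any other by computing the real start and bounding Length by `pdu_len - start`.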
Looks like this CVE-2022-47943 could be a duplicate of CVE-2022-47940:
ZDI-22-1687 - CVE-2022-47941
ZDI-22-1688 - CVE-2022-47942
ZDI-22-1689 - CVE-2022-47938
ZDI-22-1690 - CVE-2022-47939
ZDI-22-1691 - CVE-2022-47940
MITRE also assigned one from the stable patch that was not in the ZDI set - CVE-2022-47943
So we need to compare ac60778b87e45576d7bfdbd6f53df902654e6f09 (CVE-2022-47943)
with 158a66b245739e15858de42c0ba60fcf3de9b8e6 (CVE-2022-47940)
These two patches look a little different, but both touch fs/ksmbd/smb2pdu.c and fs/ksmbd/smb2misc.c and fix the req->DataOffset problem in the function smb2_write_pipe (or, for the second patch, in the function smb2_get_data_area_len under "case SMB2_WRITE:").
Very likely CVE-2022-47943 and CVE-2022-47940 are duplicates, or two different ways of fixing the same problem, but I am still keeping them as separate CVEs, because I have not yet analysed which patch is correct and whether there is only one problem behind both patches.
This CVE page needs to be updated later once there is a conclusion on whether these are the same CVE or not.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):