An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.

References:
http://www.openwall.com/lists/oss-security/2022/12/23/10
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac60778b87e45576d7bfdbd6f53df902654e6f09
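The description above boils down to one missing bounds check: the Length field of an SMB2 WRITE request was trusted in the zero-DataOffset path, so a large Length made the server read past the end of the received PDU. The following is an added example written for this page, not ksmbd's code or the kernel's fix; it shows the check a server must apply. The SMB2 header size (64) and WRITE request fixed size (48) come from MS-SMB2; the interpretation of a zero DataOffset as "data follows the fixed request fields", the function names (`smb2_write_data_in_bounds`, `smb2_write_copy_payload`, `smb2_write_data_start`, `copy_sample_payload`) and the sample PDU are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout constants per MS-SMB2: a 64-byte SMB2 header followed by a WRITE
 * request whose StructureSize is 49 (48 bytes of fixed fields plus a 1-byte
 * Buffer placeholder). The earliest legal data start is therefore byte 112.
 */
#define SMB2_HDR_SIZE           64u
#define SMB2_WRITE_FIXED_SIZE   48u
#define SMB2_WRITE_MIN_DATA_OFF (SMB2_HDR_SIZE + SMB2_WRITE_FIXED_SIZE) /* 112 */

/*
 * Decide where the write payload starts and whether [start, start + length)
 * lies inside the bytes actually received for this PDU (smb_len is the
 * framing length of the message, not anything the client claims inside it).
 *
 * Assumption for this example: DataOffset == 0 means the data immediately
 * follows the fixed request fields (the zero-DataOffset case in the CVE text).
 * Returns true and fills *data_start on success, false on any violation.
 */
bool smb2_write_data_in_bounds(uint32_t smb_len, uint16_t data_offset,
                               uint32_t length, size_t *data_start)
{
    uint64_t start = (data_offset == 0) ? SMB2_WRITE_MIN_DATA_OFF : data_offset;

    /* Data may never begin inside the header or the fixed request fields. */
    if (start < SMB2_WRITE_MIN_DATA_OFF)
        return false;

    /*
     * Sum in 64 bits: with 32-bit arithmetic a Length close to UINT32_MAX
     * wraps the addition and an oversized read would pass the comparison.
     */
    if (start + (uint64_t)length > smb_len)
        return false;

    if (data_start)
        *data_start = (size_t)start;
    return true;
}

/* Convenience wrapper: returns the validated data start, or 0 if invalid. */
size_t smb2_write_data_start(uint32_t smb_len, uint16_t data_offset, uint32_t length)
{
    size_t start;
    return smb2_write_data_in_bounds(smb_len, data_offset, length, &start) ? start : 0;
}

/*
 * Copy the validated payload out of a received PDU. Returns the number of
 * bytes copied, or -1 if the request is malformed or `out` is too small.
 */
int64_t smb2_write_copy_payload(const uint8_t *pdu, uint32_t smb_len,
                                uint16_t data_offset, uint32_t length,
                                uint8_t *out, size_t out_cap)
{
    size_t start;

    if (!smb2_write_data_in_bounds(smb_len, data_offset, length, &start))
        return -1;
    if (length > out_cap)
        return -1;

    memcpy(out, pdu + start, length);
    return (int64_t)length;
}

/* Constructed sample PDU: 112 bytes of header/fixed fields, then 8 data bytes. */
#define SAMPLE_PDU_LEN 120u
static const uint8_t sample_pdu[SAMPLE_PDU_LEN] = {
    [0] = 0xFE, [1] = 'S', [2] = 'M', [3] = 'B',     /* SMB2 protocol id */
    [112] = 'p', 'a', 'y', 'l', 'o', 'a', 'd', '!',   /* the write data   */
};

/* Run the copy over the constructed PDU: bytes copied, -1 rejected, -2 wrong bytes. */
int64_t copy_sample_payload(uint16_t data_offset, uint32_t length)
{
    uint8_t out[16];
    int64_t n = smb2_write_copy_payload(sample_pdu, SAMPLE_PDU_LEN, data_offset,
                                        length, out, sizeof out);
    if (n == 8 && memcmp(out, "payload!", 8) != 0)
        return -2;
    return n;
}

int main(void)
{
    /* A well-formed request with an explicit and with a zero DataOffset. */
    printf("offset 112, len 8 -> %lld\n", (long long)copy_sample_payload(112, 8));
    printf("offset 0,   len 8 -> %lld\n", (long long)copy_sample_payload(0, 8));
    /* The malformed shape from the description: zero DataOffset, huge Length. */
    printf("offset 0, len 0xFFFFFFFF -> %lld\n",
           (long long)copy_sample_payload(0, 0xFFFFFFFFu));
    return 0;
}
```

The two points worth taking from the check are that the bound is the framing length of the bytes actually received, never a length taken from inside the request, and that the offset plus length comparison is done in a wider type than the fields themselves so that a large Length cannot wrap the sum below the limit.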
Reading comment https://www.openwall.com/lists/oss-security/2022/12/23/10, it looks like this CVE-2022-47943 could be a duplicate of CVE-2022-47940:

" ZDI-22-1687 - CVE-2022-47941 aa7253c2393f6dcd6a1468b0792f6da76edad917
ZDI-22-1688 - CVE-2022-47942 8f0541186e9ad1b62accc9519cc2b7a7240272a7
ZDI-22-1689 - CVE-2022-47938 824d4f64c20093275f72fc8101394d75ff6a249e
ZDI-22-1690 - CVE-2022-47939 a54c509c32adba9d136f2b9d6a075e8cae1b6d27
ZDI-22-1691 - CVE-2022-47940 158a66b245739e15858de42c0ba60fcf3de9b8e6
Mitre assigned also from the stable patch, but was not in ZDI set - CVE-2022-47943 ac60778b87e45576d7bfdbd6f53df902654e6f09 "

So we need to compare ac60778b87e45576d7bfdbd6f53df902654e6f09 (CVE-2022-47943) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ac60778b87e45576d7bfdbd6f53df902654e6f09 with 158a66b245739e15858de42c0ba60fcf3de9b8e6 (CVE-2022-47940) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=158a66b245739e15858de42c0ba60fcf3de9b8e6

These two patches look a little bit different, but both touch fs/ksmbd/smb2pdu.c and fs/ksmbd/smb2misc.c and fix the req->DataOffset problem in function smb2_write_pipe (or, for the second patch, in function smb2_get_data_area_len under "case SMB2_WRITE:"). Very likely CVE-2022-47943 and CVE-2022-47940 are duplicates or two different ways of fixing the same problem, but I still keep them as separate CVEs, because I haven't analysed yet which patch is correct and whether there is only one problem for both patches. Need to update this CVE page later once there is some conclusion on whether these are the same CVEs or not.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-47943