{ "threat_severity" : "Moderate", "public_date" : "2024-11-07T00:00:00Z", "bugzilla" : { "description" : "kernel: smb: client: fix OOBs when building SMB2_IOCTL request", "id" : "2324324", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324324" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix OOBs when building SMB2_IOCTL request\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\nmount.cifs //srv/share /mnt -o ...,seal\nln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\nBUG: KASAN: slab-out-of-bounds in\nsmb2_set_next_command.cold+0x1d6/0x24c [cifs]\nWrite of size 4116 at addr ffff8881148fcab8 by task ln/859\nCPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n1.16.3-2.fc40 04/01/2014\nCall Trace:\n\ndump_stack_lvl+0x5d/0x80\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nprint_report+0x156/0x4d9\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n? __virt_addr_valid+0x145/0x310\n? __phys_addr+0x46/0x90\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nkasan_report+0xda/0x110\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nkasan_check_range+0x10f/0x1f0\n__asan_memcpy+0x3c/0x60\nsmb2_set_next_command.cold+0x1d6/0x24c [cifs]\nsmb2_compound_op+0x238c/0x3840 [cifs]\n? kasan_save_track+0x14/0x30\n? kasan_save_free_info+0x3b/0x70\n? vfs_symlink+0x1a1/0x2c0\n? do_symlinkat+0x108/0x1c0\n? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n? kmem_cache_free+0x118/0x3e0\n? cifs_get_writable_path+0xeb/0x1a0 [cifs]\nsmb2_get_reparse_inode+0x423/0x540 [cifs]\n? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n? rcu_is_watching+0x20/0x50\n? __kmalloc_noprof+0x37c/0x480\n? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\nsmb2_create_reparse_symlink+0x38f/0x490 [cifs]\n? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n? find_held_lock+0x8a/0xa0\n? hlock_class+0x32/0xb0\n? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\ncifs_symlink+0x24f/0x960 [cifs]\n? __pfx_make_vfsuid+0x10/0x10\n? __pfx_cifs_symlink+0x10/0x10 [cifs]\n? make_vfsgid+0x6b/0xc0\n? generic_permission+0x96/0x2d0\nvfs_symlink+0x1a1/0x2c0\ndo_symlinkat+0x108/0x1c0\n? __pfx_do_symlinkat+0x10/0x10\n? strncpy_from_user+0xaa/0x160\n__x64_sys_symlinkat+0xb9/0xf0\ndo_syscall_64+0xbb/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08d75c13bb", "A flaw was found in the cifs module in the Linux kernel. When building SMB2_IOCTL requests using encryption, either enforced by the server or using the 'seal' mount option, an out-of-bounds write can be triggered when the user passes an input buffer greater than 328 bytes, resulting in memory corruption and a kernel crash." ], "statement" : "To exploit this flaw, an attacker needs local access to the system and SMB encryption must be enabled, limiting the impact of this issue. For these reasons, this flaw has been rated with a moderate severity.\nThe cifs module in the Linux kernel as shipped in Red Hat Enterprise Linux 8 is not affected by this vulnerability because the vulnerable code was introduced in a newer version of the Linux kernel.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50151\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50151\nhttps://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50151-f52b@gregkh/T" ], "name" : "CVE-2024-50151", "mitigation" : { "value" : "Consider temporarily disabling SMB encryption and monitor the system for unusual behavior, such as crashes, as it may indicate exploitation attempts.", "lang" : "en:us" }, "csaw" : false }