CVE-2023-52434

smb: client: fix potential OOBs in smb2_parse_contexts()

Severity Score

8.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential OOBs in smb2_parse_contexts()

Validate offsets and lengths before dereferencing create contexts in
smb2_parse_contexts().

This fixes following oops when accessing invalid create contexts from
server:

BUG: unable to handle page fault for address: ffff8881178d8cc3
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4a01067 P4D 4a01067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? search_module_extables+0x19/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x1b6/0x1c0
? asm_exc_page_fault+0x26/0x30
? smb2_parse_contexts+0xa0/0x3a0 [cifs]
SMB2_open+0x38d/0x5f0 [cifs]
? smb2_is_path_accessible+0x138/0x260 [cifs]
smb2_is_path_accessible+0x138/0x260 [cifs]
cifs_is_path_remote+0x8d/0x230 [cifs]
cifs_mount+0x7e/0x350 [cifs]
cifs_smb3_do_mount+0x128/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f8737657b1e

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: smb: cliente: corrige OOB potenciales en smb2_parse_contexts() Valida compensaciones y longitudes antes de desreferenciar crea contextos en smb2_parse_contexts(). Esto corrige los siguientes errores al acceder a contextos de creación no válidos desde el servidor: ERROR: no se puede manejar el error de página para la dirección: ffff8881178d8cc3 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - página no presente PGD 4a01067 P4D 4a01067 PUD 0 Ups: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1736 Comm: mount.cifs No está contaminado 6.7.0-rc4 #1 Nombre de hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2 -3-gd478f380-rebuilt.opensuse.org 04/04/2014 RIP: 0010: SMB2_PARSE_CONTEXTS+0XA0/0X3A0 [CIFS] Código: F8 10 75 13 48 B8 93 AD 25 50 9C B4 11 E7 49 39 06 0f 84 D2 00 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00 RSP: 0018:ffffc900007939e0 EFLAGS: 00010216 RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90 RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000 RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000 R10: ffff8880180cc000 R11: 00000000000000024 R12: 0000000000000000 R13: 0000000 000000020 R14: 00000000000000000 R15: ffffc90000793c22 FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881178d8cc3 CR3 : 00000000181ca000 CR4: 0000000000750ef0 PKRU: 55555554 Seguimiento de llamadas: ? __morir+0x23/0x70 ? page_fault_oops+0x181/0x480? search_module_extables+0x19/0x60? srso_alias_return_thunk+0x5/0xfbef5? exc_page_fault+0x1b6/0x1c0? asm_exc_page_fault+0x26/0x30? smb2_parse_contexts+0xa0/0x3a0 [cifs] SMB2_open+0x38d/0x5f0 [cifs] ? smb2_is_path_accessible+0x138/0x260 [cifs] smb2_is_path_accessible+0x138/0x260 [cifs] cifs_is_path_remote+0x8d/0x230 [cifs] cifs_mount+0x7e/0x350 [cifs] cifs_smb3_do_mount+0x128/0x7 80 [cifs] smb3_get_tree+0xd9/0x290 [cifs] vfs_get_tree+ 0x2c/0x100? capaz+0x37/0x70 path_mount+0x2d7/0xb80? srso_alias_return_thunk+0x5/0xfbef5? _raw_spin_unlock_irqrestore+0x44/0x60 __x64_sys_mount+0x11a/0x150 do_syscall_64+0x47/0xf0 Entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f8737657b1e

A flaw was found in the smb client in the Linux kernel. A potential out-of-bounds error was seen in the smb2_parse_contexts() function. Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts().

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-20 CVE Published
2024-03-16 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (9)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/6726429c18c62dbf5e96ebbd522f262e016553fb	2024-05-25
https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5	2024-03-01
https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48	2024-03-01
https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29	2024-02-23
https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa	2023-12-20
https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144	2023-12-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52434	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2265285	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.277 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.277"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.211 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.211"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.150 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.150"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7"		en		Affected