Bug 218218
| Summary: | Out-Of-Bounds Read vulnerability in smbCalcSize | ||
|---|---|---|---|
| Product: | File System | Reporter: | j51569436 |
| Component: | CIFS | Assignee: | fs_cifs (fs_cifs) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | hissrna11, lsahlber, pc, smfrench |
| Priority: | P3 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 6.7.0 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: |
POC of bug
patch 1 patch 2 |
||
Created attachment 305536 [details]
POC of bug
Created attachment 305616 [details]
patch 1
Created attachment 305617 [details]
patch 2
Thanks for the report. Does the attached patches fix your problem? fix upstream |
[1] Retrieve WordCount and add offset*2 to the data part of smb [2] Retrieve a 16-byte value from the calculated pointer ```c unsigned int smbCalcSize(void *buf) { struct smb_hdr *ptr = buf; return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) + 2 /* size of the bcc field */ + get_bcc(ptr)); } ... static inline __u16 get_bcc(struct smb_hdr *hdr) { __le16 *bc_ptr = (__le16 *)BCC(hdr); return get_unaligned_le16(bc_ptr);//[2] } ... static inline void * BCC(struct smb_hdr *smb) { return (void *)smb + sizeof(*smb) + 2 * smb->WordCount; //[1] } ``` [2] cifs_demultiplex_thread → standard_receive3 → cifs_handle_standard → checkSMB → smbCalcSize ```c int checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) { struct smb_hdr *smb = (struct smb_hdr *)buf; __u32 rfclen = be32_to_cpu(smb->smb_buf_length); __u32 clc_len; /* calculated length */ cifs_dbg(FYI, "checkSMB Length: 0x%x, smb_buf_length: 0x%x\n", total_read, rfclen); /* is this frame too small to even get to a BCC? */ if (total_read < 2 + sizeof(struct smb_hdr)) { ... } /* otherwise, there is enough to get to the BCC */ if (check_smb_hdr(smb)) return -EIO; clc_len = smbCalcSize(smb); ```