From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D3DE614D43E for ; Thu, 29 Feb 2024 15:53:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709222008; cv=none; b=rHu0g6xSy4GnLXd3IaDMk2RjtELUmN4IrE8FgHGiIjIZaT+FsYc5vZ+emK2zX8r/XDxTCAECr14Qlb7PAb2f8GoFKDFVaniA/83H5ZYV6elt/DL3guue2wUFnTjm7lpO5domFL4Qz5o0bf0nBtMMZq/XTLciF+2jiuwmBYkbj1Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709222008; c=relaxed/simple; bh=iJswLs06cWOULMW/A4gM/aE3Sf6jEgvi9QYSy+/+qsA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=BF0kWaF9Dg9lZu5mnW/PwxFvO5W5GI2dPJMrLEfJKnbdCaxxfMGNXy+7/vvksot5lZXER6W4qF6g0G4kdYNmMMKbys+Yf3NEFiOdVHq5bB/mYLWQ/vJUhmQwp5RdIR83puy7Ot5guK7DXsePwwP0+EZA5qVcT1yKovzKUEV/uac= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TvUwJqoh; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TvUwJqoh" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13CBBC433F1; Thu, 29 Feb 2024 15:53:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1709222008; bh=iJswLs06cWOULMW/A4gM/aE3Sf6jEgvi9QYSy+/+qsA=; h=From:To:Cc:Subject:Date:Reply-to:From; b=TvUwJqohkmHKVdyqNeV01QeXCgrNX4KhQblhWbfWGWI095isDVRIroiGRc2Aw7RSG DNd1r3BlLhjMmI3AqjhCgftmLGksJpcuzwnqzfqPNiSjVm/DCyDGoEZ7Qk7ZkgOe6j 2iaxp+Qz9VGknxxrHTkNh9rlpsTIBVsDK2+TD2YgIjHsnshFM0c7YeLa755goN63F0 RoB+iPe8V7qSuhWwRj4rLLhnlQkVcKJIhsv3qyrTgw19RzTYvUjUkhCtpAbV9DfYgp yIWzi5gvT1h4AJKEnJO1/cpHT4kdBVz3EKvfZR0+DqC3uktoGE+RtNhK0USQPV+6vi CYbSXw/6+SyuA== From: Lee Jones To: linux-cve-announce@vger.kernel.org Cc: Lee Jones Subject: CVE-2024-26608: ksmbd: fix global oob in ksmbd_nl_policy Date: Thu, 29 Feb 2024 15:52:59 +0000 Message-ID: <20240229155245.1571576-40-lee@kernel.org> X-Mailer: git-send-email 2.44.0.rc1.240.g4c46232300-goog Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=6098; i=lee@kernel.org; h=from:subject; bh=iJswLs06cWOULMW/A4gM/aE3Sf6jEgvi9QYSy+/+qsA=; b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl4KhPFXz+HVS6mONTOzD1BJ2BnBRDtfX+IufVB /ODlGoCE8mJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZeCoTwAKCRBRr4ovh/x3 YcmbEACaHzn74MdeT13NUw152mJLKeOY1uSMMGx6IsEf/cPSTbPvdE0GBhUsYXmPAnMKZELdPqm V2pJJ+EWuehZ9DS2bxFczfxMqregTLwxhD9+Fo9o39wSrU1ZF3Ovl6hJ3FVL5CkUTGlMLjEqUVu SogDiE178S+uRILHjXG2w9xxFvb6+TIfY6bXm8oIVOPZIygQAHB4JDzharTeGkz9AYuA0/Pne3T ffNR8ajifqUF0K46gCXddsCeDRHas1X6ZZ1KdEF/lZnK54Pp+P5RaZ1yhhuU3inXfCU3Aq0LBG/ oj973L6okUpKHcmqh/PnSoNAtG+LsskCjs7WaV6f04MuOSBuZ5yO866QRbxGONc4U2Jdw1xUi0w wR2GCUIZ3wrOR8l7Di4CGUvm3zhxr/Ug5P7Ihf5lHRqncaPO950t0V1rb6iFKY1AkoadeZ3D9kF AZY1wno3a1XNPHpV9oQDqrQah2wGkNFnEF9Hh9y2sgfJ0P5AaFgL+ZOpRJd7Imbe/l+NN0qiF2E yOrxCrsPGYwnYPMalDpRS9bG20HU/hmYDEf1lYot7XUKckPpJKl3aSgpYj6nQAMHay1rbRN5MuP KO9YcUj3E5HQbHh7HNY+bNvzR5dgJS8m/AW7A1OSdqvofP1x7CsSj/zSAXoz6sP8pfRXZ7lfXPq TwcDv2/xxT8fp9A== X-Developer-Key: i=lee@kernel.org; a=openpgp; fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761 Content-Transfer-Encoding: 8bit Description =========== In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80 The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ================================================================== To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value. The Linux kernel CVE team has assigned CVE-2024-26608 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15 with commit 0626e6641f6b and fixed in 5.15.149 with commit aaa1f1a2ee80 Issue introduced in 5.15 with commit 0626e6641f6b and fixed in 6.1.76 with commit 2c939c74ef0b Issue introduced in 5.15 with commit 0626e6641f6b and fixed in 6.6.15 with commit 9863a53100f4 Issue introduced in 5.15 with commit 0626e6641f6b and fixed in 6.7.3 with commit 6993328a4cd6 Issue introduced in 5.15 with commit 0626e6641f6b and fixed in 6.8-rc2 with commit ebeae8adf89d Please see https://www.kernel.org or a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-26608 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/smb/server/ksmbd_netlink.h fs/smb/server/transport_ipc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/aaa1f1a2ee80888c12ae2783f3a0be10e14067c5 https://git.kernel.org/stable/c/2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a https://git.kernel.org/stable/c/9863a53100f47652755545c2bd43e14a1855104d https://git.kernel.org/stable/c/6993328a4cd62a24df254b587c0796a4a1eecc95 https://git.kernel.org/stable/c/ebeae8adf89d9a82359f6659b1663d09beec2faa