CVE CyberSecurity Database News

CVE-2024-26936 - Linux Kernel Vulnerability Patch: Preventing Potential Out-of-Bounds in Request Buffer

Poster -

In the Linux kernel, a vulnerability pertaining to the improper validation of the request buffer size in ksmbd has been discovered and resolved. This vulnerability could potentially lead to out-of-bounds issues in the request buffer. Identified as CVE-2024-26936, this particular vulnerability concerns the function smb2_allocate_rsp_buf(). In this blog post, we discuss the details of the vulnerability and the steps taken to address it.

Exploit Details

The vulnerability in question resides in the way the smb2_allocate_rsp_buf() function, which is a part of the Linux kernel's ksmbd functionality, validates the size of the request buffer. The response buffer should ideally be allocated before validating the request. However, the fields in the payload, along with the smb2 header, are being used in the smb2_allocate_rsp_buf() function. As a result, the possibility of encountering potential out-of-bounds issues may arise.

To avoid this, a patch has been applied to add a simple buffer size validation that effectively prevents any out-of-bound exploits in the request buffer.

Original code of smb2_allocate_rsp_buf()

struct smb2_rsp_hdr *smb2_allocate_rsp_buf(struct ksmbd_work *work)
{
    struct smb2_hdr *req_hdr = (struct smb2_hdr *)REQUEST_BUF(work);
    struct smb2_rsp_hdr *rsp_hdr;
    int hdr_size;
    unsigned int size;

    hdr_size = sizeof(struct smb2_hdr);
    size = hdr_size + le32_to_cpu(req_hdr->PayloadSize);

    rsp_hdr = alloc_response_smb2_ksmbd_pdu(work, size);
    if (!rsp_hdr)
        return rsp_hdr;

    rsp_hdr->smb2_buf_length = cpu_to_be32(size - 4);
    return rsp_hdr;
}

Applied patch to add a simple buffer size validation

struct smb2_rsp_hdr *smb2_allocate_rsp_buf(struct ksmbd_work *work)
{
    struct smb2_hdr *req_hdr = (struct smb2_hdr *)REQUEST_BUF(work);
    struct smb2_rsp_hdr *rsp_hdr;
    int hdr_size;
    unsigned int size;

+   if (!ksmbd_pdu_size_valid(work, sizeof(struct smb2_hdr)))
+       return NULL;

    hdr_size = sizeof(struct smb2_hdr);
    size = hdr_size + le32_to_cpu(req_hdr->PayloadSize);

    rsp_hdr = alloc_response_smb2_ksmbd_pdu(work, size);
    if (!rsp_hdr)
        return rsp_hdr;

    rsp_hdr->smb2_buf_length = cpu_to_be32(size - 4);
    return rsp_hdr;
}

Original References

1. The Official Linux Kernel Repository
2. Linux Kernel Mailing List (LKML) Patch Submission

Conclusion

With the application of the patch, the Linux kernel is now fortified against potential buffer overflow vulnerabilities that could stem from improper validation in the ksmbd's smb2_allocate_rsp_buf() function. It is important for developers and system administrators to keep their Linux kernel installations updated to avoid potential exploits or security vulnerabilities. As a crucial piece of software that powers a vast array of systems across the globe, it is essential that the kernel remains as secure as possible.

Timeline

Published on: 05/01/2024 06:15:08 UTC
Last modified on: 05/29/2024 05:25:29 UTC