CVE-2024-26954 - Fixing Slab-Out-Of-Bounds Vulnerability in Linux Kernel ksmbd - smb_strndup_from_utf16()

Linux kernel is an essential component of any Linux-based operating system, and ensuring its security is of utmost importance. A recent vulnerability named CVE-2024-26954 has been found in the Linux kernel, specifically in the ksmbd module. This vulnerability was caused due to an issue in the smb_strndup_from_utf16() function, which could lead to a slab-out-of-bounds read. This article will provide an overview of the vulnerability, the code snippet for the fix, links to original references, and details about the exploit.

Vulnerability and Exploit Details

Exploiting CVE-2024-26954 could allow an attacker to cause a slab-out-of-bounds read in the smb2_open function. The root cause of this vulnerability is that if the ->NameOffset of smb2_create_req is smaller than the Buffer offset of smb2_create_req, it can lead to a slab-out-of-bounds read from smb2_open.

To fix this vulnerability, the necessary change to set the minimum value of the name offset, equal to the buffer offset, is required. This will ensure the proper validation of the name length of smb2_create_req() and eliminate the potential exploit.

Code Snippet

Here's the code snippet that resolves the issue by setting the minimum value of the name offset to the buffer offset:

diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index 5ceebbece25e..8dd6c7ac89a5 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -556,7 +556,8 @@ static int smb2_open(struct ksmbd_work *work)
                if (rc)
                        goto out;

-               svm->FileName = smb_strndup_from_utf16(req->Buffer + req->NameOffset, req->NameLength, 1, conn->local_nls);
+               svm->FileName = smb_strndup_from_utf16(req->Buffer + max_t(u16, req->NameOffset, offsetof(struct smb2_create_req, Buffer)),
+                                                      req->NameLength, 1, conn->local_nls);
                if (!svm->FileName) {
                        ksmbd_debug(SMB, "Failed allocating memory\n");
                        rc = -ENOMEM;

Original References and Links

- Linux kernel git commit: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c1e953cdf92c
- Linux kernel mailing list patch: https://lore.kernel.org/linux-fsdevel/20210928031740.17140-3-namjae.jeon@samsung.com/

Conclusion

CVE-2024-26954 represents a notable vulnerability in the Linux kernel owing to its potential to cause a slab-out-of-bounds read. This could allow an attacker to gain unauthorized access or cause a potential crash. By making a simple change to set the minimum value of the name offset to the buffer offset, the vulnerability can be mitigated, and the ksmbd module can function securely. It's essential to stay vigilant and keep your Linux kernel up to date with the latest security fixes.

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 05/29/2024 05:25:48 UTC