CVE-2024-46686: Patching the Linux Kernel smb/client Vulnerability - smb2_new_read_req() NULL Pointer Dereference
In cybersecurity it is crucial to stay up to date on the latest vulnerabilities and exploits, especially for widely used software like the Linux kernel. Today we will be exploring CVE-2024-46686, a recently patched vulnerability in the Linux kernel affecting the Server Message Block (SMB) client.
Overview of the Vulnerability
This vulnerability affects the smb2_new_read_req() function in the Linux kernel SMB client. The function builds SMB2 READ requests and, when the connection uses Remote Direct Memory Access (RDMA, i.e. SMB Direct) and the read is large enough, appends an RDMA buffer descriptor to the request. The issue arises when the function is called from SMB2_read() with the rdma_readwrite_threshold reached: on that path the rdata pointer is NULL, and using it leads to a NULL pointer dereference and a kernel crash or potential exploitation.
For a more detailed view of the vulnerability, let's look at the relevant code before the patch (unrelated parts are elided with "..."):
/* Before Patch */
static struct smb2_read_req *smb2_new_read_req(struct cifs_tcon *tcon,
					       struct cifs_io_parms *io_parms,
					       struct cifs_readdata **ret_data)
{
	struct cifs_readdata *rdata;
	...
	rdata = cifs_readdata_direct_alloc(&req);
	...
	/*
	 * If we want to do an RDMA read, fill in and append an
	 * smbd_buffer_descriptor_v1 to the end of the read request.
	 * rdata is dereferenced here without any NULL check.
	 */
	if (smb3_use_rdma_offload(io_parms)) {
		...
		rdata->mr = smbd_register_mr(...);
		...
	}
	...
}
Here, rdata can be NULL on this path: cifs_readdata_direct_alloc() may return a NULL pointer under certain conditions while using RDMA, and the SMB2_read() caller arrives here without a valid rdata. Later in the function, the RDMA offload branch (entered once the read length reaches rdma_readwrite_threshold) uses rdata with no NULL check, which causes the crash.
Exploit Details
An attacker can exploit this vulnerability by triggering the conditions that lead to reaching the rdma_readwrite_threshold on an RDMA connection, then sending a malformed read request to the SMB client. The result is a kernel NULL pointer dereference, i.e. a denial of service on the affected client.
Patch
Fortunately, the Linux kernel community was quick to address this vulnerability, and a patch has been released to fix the issue. The patch adds a crucial NULL check so that the RDMA offload branch is only taken when rdata is present, preventing the dereference of a NULL rdata pointer.
Here's the patched version of the code snippet:
/* After Patch */
static struct smb2_read_req *smb2_new_read_req(struct cifs_tcon *tcon,
					       struct cifs_io_parms *io_parms,
					       struct cifs_readdata **ret_data)
{
	struct cifs_readdata *rdata;
	...
	rdata = cifs_readdata_direct_alloc(&req);
	...
	/*
	 * If we want to do an RDMA read, fill in and append an
	 * smbd_buffer_descriptor_v1 to the end of the read request.
	 * Only do so when there is an rdata to register the MR on.
	 */
	if (rdata && smb3_use_rdma_offload(io_parms)) {
		...
		rdata->mr = smbd_register_mr(...);
		...
	}
	...
}
By applying this patch, the Linux kernel SMB client is protected from this particular vulnerability, greatly reducing the risk of a crash or potential exploitation.
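To make the before/after difference concrete, here is an added user-space model of the decision the patch changes. It is not kernel code and not from the fix commit: the structs, the field names and the function names (model_server, model_io_parms, model_readdata, model_use_rdma_offload, build_read_req_unchecked, build_read_req_checked, prepatch_would_crash, model_scenario) are all constructed for illustration. It keeps only the two inputs the real branch depends on (an RDMA transport and a read length at or above rdma_readwrite_threshold) and shows why the pre-patch guard crashes for a caller that has no rdata while the patched guard degrades to a plain read. The crashing path is modelled by a predicate rather than executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model structs (not the kernel's); only the relevant fields. */
struct model_server {
	bool rdma;                         /* transport is SMB Direct (RDMA) */
	uint32_t rdma_readwrite_threshold; /* reads this long or longer are offloaded */
};

struct model_io_parms {
	struct model_server *server;
	uint32_t length;                   /* bytes requested */
};

struct model_readdata {
	int mr;                            /* registered memory region, 0 = none */
};

struct model_read_req {
	uint32_t length;
	bool rdma_descriptor;              /* buffer descriptor appended to the request */
};

/* Same decision as smb3_use_rdma_offload(): RDMA transport and length >= threshold. */
static bool model_use_rdma_offload(const struct model_io_parms *io)
{
	if (io->server == NULL || !io->server->rdma)
		return false;
	return io->length >= io->server->rdma_readwrite_threshold;
}

/*
 * Pre-patch shape: the offload branch dereferences rdata unconditionally.
 * Returns 1 when a descriptor was appended, 0 for a plain read. With
 * rdata == NULL and an offload-eligible read this is the CVE's crash.
 */
static int build_read_req_unchecked(const struct model_io_parms *io,
				    struct model_readdata *rdata,
				    struct model_read_req *req)
{
	req->length = io->length;
	req->rdma_descriptor = false;
	if (model_use_rdma_offload(io)) {
		rdata->mr = 1;             /* NULL dereference when rdata is NULL */
		req->rdma_descriptor = true;
	}
	return req->rdma_descriptor ? 1 : 0;
}

/* True exactly when the unchecked builder would dereference NULL. */
static bool prepatch_would_crash(const struct model_io_parms *io,
				 const struct model_readdata *rdata)
{
	return rdata == NULL && model_use_rdma_offload(io);
}

/*
 * Patched shape: "rdata && use_rdma_offload". A caller with no rdata
 * (the SMB2_read() path) gets a plain read request instead of a crash.
 */
static int build_read_req_checked(const struct model_io_parms *io,
				  struct model_readdata *rdata,
				  struct model_read_req *req)
{
	req->length = io->length;
	req->rdma_descriptor = false;
	if (rdata != NULL && model_use_rdma_offload(io)) {
		rdata->mr = 1;
		req->rdma_descriptor = true;
	}
	return req->rdma_descriptor ? 1 : 0;
}

/*
 * Runs one read through the model; patched selects the guard.
 * Returns -1 when the pre-patch code would dereference NULL (the crashing
 * path is never executed), otherwise the builder's result (1 = descriptor
 * appended, 0 = plain read).
 */
static int model_scenario(bool rdma, uint32_t threshold, uint32_t length,
			  bool have_rdata, bool patched)
{
	struct model_server srv = { rdma, threshold };
	struct model_io_parms io = { &srv, length };
	struct model_readdata rd = { 0 };
	struct model_readdata *rdata = have_rdata ? &rd : NULL;
	struct model_read_req req;

	if (!patched) {
		if (prepatch_would_crash(&io, rdata))
			return -1;
		return build_read_req_unchecked(&io, rdata, &req);
	}
	return build_read_req_checked(&io, rdata, &req);
}

int main(void)
{
	/* Constructed values: threshold 4096 bytes, an 8192-byte read, no rdata. */
	printf("pre-patch, rdata=NULL, big read over RDMA: %d (-1 = NULL deref)\n",
	       model_scenario(true, 4096, 8192, false, false));
	printf("patched,   rdata=NULL, big read over RDMA: %d (0 = plain read)\n",
	       model_scenario(true, 4096, 8192, false, true));
	printf("patched,   rdata set,  big read over RDMA: %d (1 = descriptor)\n",
	       model_scenario(true, 4096, 8192, true, true));
	return 0;
}
```

The point the model makes is that the patch does not reject a NULL rdata as an error; it simply leaves the RDMA offload out of the request when there is nothing to register a memory region on, so callers that never had an rdata keep working exactly as they did for reads below the threshold.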
Original References
For more information, you can refer to the following links for details about the vulnerability and patch:
1. Linux Kernel Git Commit Fixing CVE-2024-46686
2. CVE-2024-46686 on the National Vulnerability Database
Conclusion
CVE-2024-46686 highlights the importance of keeping your systems up to date and paying close attention to the latest vulnerabilities and patches. By applying the proper patches, your Linux kernel SMB client will be protected against potential exploits arising from this NULL pointer dereference. Stay safe and remain vigilant against new threats as they emerge!
Timeline
Published on: 09/13/2024 06:15:13 UTC
Last modified on: 11/05/2024 09:44:39 UTC