In the Linux kernel, a vulnerability has been discovered and resolved related to the ksmbd (Kernel-based SMB (Server Message Block) server). The vulnerability involves unsetting the binding mark of a reused connection. This issue was reported by Steve French, who uncovered a null pointer dereference error that originates from the sha256 library.
When the cifs.ko module sends session setup requests on a reused connection, a problem arises. If the reused connection is used for binding the session, the conn->binding variable can remain true, causing generate_preauth_hash() not to set sess->Preauth_HashValue. As a result, the value will be NULL. This NULL value is then used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey, leading to a null pointer dereference error when the crypto_shash_update() function is called.
The error details can be found in the kernel crash logs
BUG: kernel NULL pointer dereference, address: 000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(x000) - not-present page
PGD P4D
Oops: 000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 001:lib_sha256_base_do_update.isra.+x11e/x1d [sha256_ssse3]
<TASK>
...
</TASK>
To address this issue, the binding mark of a reused connection must be unset in the Linux kernel. The patch applied to resolve the vulnerability ensures that the conn->binding variable is set to false when a connection is reused, which prevents the null pointer dereference error from occurring.
This vulnerability has been assigned CVE-2024-46795. It is crucial for Linux kernel users, especially those using the ksmbd module, to update their kernel to a version containing the fix to prevent potential exploitation.
For more information on this issue, please refer to the following original references
- Linux Kernel Mailing List: Patch resolving the vulnerability
- GitHub Commit: Resolved vulnerability in the Linux kernel repository
By addressing this vulnerability (CVE-2024-46795), the integrity and stability of Linux-based systems using the ksmbd module can be maintained, reducing the risk of potential crashes or exploits stemming from the issue.
Timeline
Published on: 09/18/2024 08:15:06 UTC
Last modified on: 09/20/2024 18:21:04 UTC